@@ -15,7 +15,7 @@ function Start-AuditLogOrchestrator {
1515 $TenantList = Get-Tenants - IncludeErrors
1616 # Round time down to nearest minute
1717 $Now = Get-Date
18- $StartTime = ($Now.AddSeconds (- $Now.Seconds )).Addh( -30 )
18+ $StartTime = ($Now.AddSeconds (- $Now.Seconds )).AddHours( -1 )
1919 $EndTime = $Now.AddSeconds (- $Now.Seconds )
2020
2121 if (($AuditLogSearches | Measure-Object ).Count -eq 0 ) {
@@ -41,11 +41,51 @@ function Start-AuditLogOrchestrator {
4141 $ServiceFilters = $Configuration | Select-Object - Property type | Sort-Object - Property type - Unique | ForEach-Object { $_.type.split (' .' 1 ] }
4242 try {
4343 $LogSearch = @ {
44- StartTime = $StartTime
45- EndTime = $EndTime
46- ServiceFilters = $ServiceFilters
47- TenantFilter = $Tenant.defaultDomainName
48- ProcessLogs = $true
44+ StartTime = $StartTime
45+ EndTime = $EndTime
46+ ServiceFilters = $ServiceFilters
47+ TenantFilter = $Tenant.defaultDomainName
48+ ProcessLogs = $true
49+ RecordTypeFilters = @ (
50+ ' exchangeAdmin' , ' azureActiveDirectory' , ' azureActiveDirectoryAccountLogon' , ' dataCenterSecurityCmdlet' ,
51+ ' complianceDLPSharePoint' , ' complianceDLPExchange' , ' azureActiveDirectoryStsLogon' , ' skypeForBusinessPSTNUsage' ,
52+ ' skypeForBusinessUsersBlocked' , ' securityComplianceCenterEOPCmdlet' , ' microsoftFlow' , ' aeD' , ' microsoftStream' ,
53+ ' threatFinder' , ' project' , ' dataGovernance' , ' securityComplianceAlerts' , ' threatIntelligenceUrl' ,
54+ ' securityComplianceInsights' , ' mipLabel' , ' workplaceAnalytics' , ' powerAppsApp' , ' powerAppsPlan' ,
55+ ' threatIntelligenceAtpContent' , ' labelContentExplorer' , ' hygieneEvent' ,
56+ ' dataInsightsRestApiAudit' , ' informationBarrierPolicyApplication' , ' microsoftTeamsAdmin' , ' hrSignal' ,
57+ ' informationWorkerProtection' , ' campaign' , ' dlpEndpoint' , ' airInvestigation' , ' quarantine' , ' microsoftForms' ,
58+ ' applicationAudit' , ' complianceSupervisionExchange' , ' customerKeyServiceEncryption' , ' officeNative' ,
59+ ' mipAutoLabelSharePointItem' , ' mipAutoLabelSharePointPolicyLocation' , ' secureScore' ,
60+ ' mipAutoLabelExchangeItem' , ' cortanaBriefing' , ' search' , ' wdatpAlerts' , ' powerPlatformAdminDlp' ,
61+ ' powerPlatformAdminEnvironment' , ' mdatpAudit' , ' sensitivityLabelPolicyMatch' , ' sensitivityLabelAction' ,
62+ ' sensitivityLabeledFileAction' , ' attackSim' , ' airManualInvestigation' , ' securityComplianceRBAC' , ' userTraining' ,
63+ ' airAdminActionInvestigation' , ' mstic' , ' physicalBadgingSignal' , ' aipDiscover' , ' aipSensitivityLabelAction' ,
64+ ' aipProtectionAction' , ' aipFileDeleted' , ' aipHeartBeat' , ' mcasAlerts' , ' onPremisesFileShareScannerDlp' ,
65+ ' onPremisesSharePointScannerDlp' , ' exchangeSearch' , ' privacyDataMinimization' , ' labelAnalyticsAggregate' ,
66+ ' myAnalyticsSettings' , ' securityComplianceUserChange' , ' complianceDLPExchangeClassification' ,
67+ ' complianceDLPEndpoint' , ' mipExactDataMatch' , ' msdeResponseActions' , ' msdeGeneralSettings' , ' msdeIndicatorsSettings' ,
68+ ' ms365DCustomDetection' , ' msdeRolesSettings' , ' mapgAlerts' , ' mapgPolicy' , ' mapgRemediation' ,
69+ ' privacyRemediationAction' , ' privacyDigestEmail' , ' mipAutoLabelSimulationProgress' , ' mipAutoLabelSimulationCompletion' ,
70+ ' mipAutoLabelProgressFeedback' , ' dlpSensitiveInformationType' , ' mipAutoLabelSimulationStatistics' ,
71+ ' largeContentMetadata' , ' microsoft365Group' , ' cdpMlInferencingResult' , ' filteringMailMetadata' ,
72+ ' cdpClassificationMailItem' , ' cdpClassificationDocument' , ' officeScriptsRunAction' , ' filteringPostMailDeliveryAction' ,
73+ ' cdpUnifiedFeedback' , ' tenantAllowBlockList' , ' consumptionResource' , ' healthcareSignal' , ' dlpImportResult' ,
74+ ' cdpCompliancePolicyExecution' , ' multiStageDisposition' , ' privacyDataMatch' , ' filteringDocMetadata' ,
75+ ' filteringEmailFeatures' , ' powerBIDlp' , ' filteringUrlInfo' , ' filteringAttachmentInfo' , ' coreReportingSettings' ,
76+ ' complianceConnector' , ' powerPlatformLockboxResourceAccessRequest' , ' powerPlatformLockboxResourceCommand' ,
77+ ' cdpPredictiveCodingLabel' , ' cdpCompliancePolicyUserFeedback' , ' webpageActivityEndpoint' , ' omePortal' ,
78+ ' cmImprovementActionChange' , ' filteringUrlClick' , ' mipLabelAnalyticsAuditRecord' , ' filteringEntityEvent' ,
79+ ' filteringRuleHits' , ' filteringMailSubmission' , ' labelExplorer' , ' microsoftManagedServicePlatform' ,
80+ ' powerPlatformServiceActivity' , ' scorePlatformGenericAuditRecord' , ' filteringTimeTravelDocMetadata' , ' alert' ,
81+ ' alertStatus' , ' alertIncident' , ' incidentStatus' , ' case' , ' caseInvestigation' , ' recordsManagement' ,
82+ ' privacyRemediation' , ' dataShareOperation' , ' cdpDlpSensitive' , ' ehrConnector' , ' filteringMailGradingResult' ,
83+ ' microsoftTodoAudit' , ' timeTravelFilteringDocMetadata' , ' microsoftDefenderForIdentityAudit' ,
84+ ' supervisoryReviewDayXInsight' , ' defenderExpertsforXDRAdmin' , ' cdpEdgeBlockedMessage' , ' hostedRpa' ,
85+ ' cdpContentExplorerAggregateRecord' , ' cdpHygieneAttachmentInfo' , ' cdpHygieneSummary' , ' cdpPostMailDeliveryAction' ,
86+ ' cdpEmailFeatures' , ' cdpHygieneUrlInfo' , ' cdpUrlClick' , ' cdpPackageManagerHygieneEvent' , ' filteringDocScan' ,
87+ ' timeTravelFilteringDocScan' , ' mapgOnboard'
88+ )
4989 }
5090 $NewSearch = New-CippAuditLogSearch @LogSearch
5191 Write-Information " Created audit log search $ ( $Tenant.defaultDomainName ) - $ ( $NewSearch.displayName ) "
0 commit comments