Search-UnifiedAuditLog Gets High Completeness Capability

High Completeness Audit Log Searches Improve Search-UnifiedAuditLog Results

Message Center notification MC736435 (published 13 March 2024, Microsoft 365 roadmap item 383741) describes the new HighCompleteness switch for the Search-UnifiedAuditLog cmdlet. The preview for the new switch is rolling out, with the goal of making it generally available in mid-April 2024.

Despite an unwillingness to confirm that they had made changes to how the Search-UnifiedAuditLog cmdlet works, there’s no doubt that Microsoft has been active in this space. I suspect that the increasing number of Microsoft 365 workloads that generate audit events made the unified audit log infrastructure creak a little. Forcing administrators to include the SessionCommand ReturnLargeSet parameter in search commands might have been an attempt to ease pressure by outputting unsorted search results.

Making Sure Audit Log Searches are Complete

The announcement for the new high completeness feature contains the interesting statement that “Very large queries aimed at retrieving a large number of audit records are susceptible to timeouts and may miss some results.”

To overcome the problem, the HighCompleteness parameter instructs audit log searches to prioritize completeness over speed by performing a more exhaustive and comprehensive search of the audit log. Because the search is more exact, the performance of high completeness searches is slower than “normal” searches. However, given the focus on “very large queries,” the difference between normal and high completeness searches is acceptable if you’re sure that all matching audit records are found.

High Completeness Audit Log Searches Can Retrieve Lots of Data

Until now, the Search-UnifiedAuditLog cmdlet has been limited to returning a maximum of 50,000 records. This sounds like a lot, but it’s not for large tenants where tens of thousands of users take actions that result in audit records. To fetch 50,000 records, the cmdlet must include SessionCommand ReturnLargeSet in its parameters.

To test what a high completeness audit log search can do, I ran this command:

[array]$Data = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date).AddDays(1) -HighCompleteness -formatted -verbose

You don’t need to pass the SessionCommand parameter for high completeness audit log searches. The ResultSize parameter is supported to limit the number of audit records returned by a search. Figure 1 shows that the search returned 119,507 records in just under 17 minutes.

Figure 1: Results of a Search-UnifiedAuditLog High Completeness search

The results are unsorted, so to sort the records into date order, I ran:

$Data = $Data | Sort-Object {$_.CreationDate -as [datetime]}

It seems like Microsoft limits the number of high completeness searches that an administrator can run. After running five over 20 minutes or so, my next attempt resulted in:

WARNING: Failed to process request via HighCompleteness flag, returning HttpRequestException. Exception: TooManyRequests , Reason: Too many requests. Please try after some time..

Waiting ten minutes to resubmit the search resolved the issue. During my tests, I also experienced a few 500 ‘internal server errors’ when running high completeness searches. Occasionally, a search failed with an error like:

WARNING: Failed to process request via HighCompleteness flag, returning HttpRequestException. Exception: Status: OK , Reason: The search request did not finish in time via HighCompleteness flag, returning. Execution time(seconds) :782.

These are examples of errors that are expected during previews of new functionality and I’m sure that Microsoft will resolve the underlying problems (and make the error messages more meaningful) before general availability.
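Because the cmdlet reports throttling and timeouts as warnings rather than terminating errors, a script that simply assigns the output will see an empty result and carry on as if no records matched. The following wrapper is an added example (not code from the post or from Microsoft): it captures the warning stream, recognises the two failure texts quoted above, and retries after a pause. The simulated search at the end is constructed so the block runs without a tenant connection; in practice you would pass a scriptblock containing the real Search-UnifiedAuditLog call, as shown in the comment. The ten-minute default wait mirrors the recovery time observed in the post and is an assumption, not a documented limit.

```powershell
# Added example: retry a HighCompleteness audit search when the cmdlet
# signals throttling (TooManyRequests) or a timeout via the warning stream.
function Invoke-AuditSearchWithRetry {
    param(
        [Parameter(Mandatory)][scriptblock]$Search,  # e.g. { Search-UnifiedAuditLog ... -HighCompleteness -Formatted }
        [int]$MaxAttempts = 4,
        [int]$ThrottleWaitSeconds = 600,             # assumption: ~10 minutes cleared throttling in the post
        [int]$TimeoutWaitSeconds = 60
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        # 3>&1 merges the warning stream into the output as WarningRecord objects,
        # so nothing is printed and we can inspect the warning text ourselves.
        $output   = & $Search 3>&1
        $warnings = @($output | Where-Object { $_ -is [System.Management.Automation.WarningRecord] })
        $records  = @($output | Where-Object { $_ -isnot [System.Management.Automation.WarningRecord] })

        $throttled = $warnings | Where-Object { $_.Message -match 'TooManyRequests' }
        $timedOut  = $warnings | Where-Object { $_.Message -match 'did not finish in time' }

        if (-not $throttled -and -not $timedOut) {
            # Any other warning is surfaced, but the data is returned as-is
            foreach ($w in $warnings) { Write-Warning $w.Message }
            return $records
        }

        $wait = if ($throttled) { $ThrottleWaitSeconds } else { $TimeoutWaitSeconds }
        Write-Verbose ("Attempt {0} of {1} failed ({2}); waiting {3}s before retrying" -f
            $attempt, $MaxAttempts, ($(if ($throttled) { 'throttled' } else { 'timed out' })), $wait)
        Start-Sleep -Seconds $wait
    }
    throw "HighCompleteness search did not succeed after $MaxAttempts attempts"
}

# Constructed stand-in for the real cmdlet: the first call reproduces the
# throttling warning quoted in the post, the second returns two fake records.
$script:simulatedCalls = 0
$simulatedSearch = {
    $script:simulatedCalls++
    if ($script:simulatedCalls -eq 1) {
        Write-Warning 'Failed to process request via HighCompleteness flag, returning HttpRequestException. Exception: TooManyRequests , Reason: Too many requests. Please try after some time..'
        return
    }
    [PSCustomObject]@{ CreationDate = '2024-03-10 08:00:00'; Operations = 'MailItemsAccessed' }
    [PSCustomObject]@{ CreationDate = '2024-03-09 08:00:00'; Operations = 'FileAccessed' }
}

$Data = Invoke-AuditSearchWithRetry -Search $simulatedSearch -ThrottleWaitSeconds 1 -Verbose
# Results are unsorted, so order them by creation date before reporting
$Data = $Data | Sort-Object { $_.CreationDate -as [datetime] }
"Records returned after retry: $($Data.Count)"

# Real use (assumes an Exchange Online session; not run here):
# $Data = Invoke-AuditSearchWithRetry -Search {
#     Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-100) -EndDate (Get-Date).AddDays(1) -HighCompleteness -Formatted
# }
```

The important design point is that an empty result plus a throttling or timeout warning is treated as a failed attempt, not as "no matching records"; a reporting script that does not make that distinction will silently produce incomplete output.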

Comparing Normal and High Completeness Audit Log Searches

To compare the time required to run normal and high completeness searches, I ran a test to retrieve all audit records for a user. The normal search took 11.5 seconds:

[array]$Data3 = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date).AddDays(1) -formatted -UserIds Sean.Landy@office365itpros.com -ResultSize 5000 -SessionCommand ReturnLargeSet

The high completeness search took 4 minutes 22 seconds:

[array]$Data2 = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date).AddDays(1) -HighCompleteness -formatted -UserIds Sean.Landy@office365itpros.com

The normal search returned 950 records; the high completeness search returned 704. After sorting both sets by creation date, the two sets had the same first and last records. It seems that the difference is accounted for by duplicate records included in the “normal” set.

For instance, a MailItemsAccessed event appeared three times in the “normal” set. To check the theory, I created an array and used a ForEach-Object loop to populate properties in the array from the audit records, including the Id property in the AuditData multi-value property. I then sorted the array to find unique values of Id and ended up with 704 records, the same as returned by the high completeness search. Here’s the code I used:

$OutputReport = [System.Collections.Generic.List[Object]]::new()
ForEach ($Rec in $Data3) {
    # AuditData is a JSON string; the Id inside it uniquely identifies the audit event
    $AuditData = $Rec.AuditData | ConvertFrom-Json
    $ReportLine = [PSCustomObject][Ordered]@{
        UserPrincipalName = $Rec.UserIds
        Timestamp         = $Rec.CreationDate
        Operation         = $Rec.Operations
        Id                = $AuditData.Id
    }
    $OutputReport.Add($ReportLine)
}
$OutputReport.Count
950
# Keep one record per Id to discard the duplicates
$O = $OutputReport | Sort-Object Id -Unique
$O.Count
704
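Counting unique Ids shows that the totals agree, but it does not show which records (if any) are present in one set and absent from the other. The following function is an added example (not the post’s code) that generalises the check: it extracts the Id from each record’s AuditData, reports how many duplicates the normal set carried, and lists Ids that appear in only one of the two sets. The sample records are constructed so the block runs offline; the Ids, users and one deliberately missing record are invented for illustration, not taken from the post’s data.

```powershell
# Added example: compare a normal and a HighCompleteness result set by audit event Id.
function Get-AuditEventId {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($rec in $Records) {
        # AuditData is JSON text on each Search-UnifiedAuditLog record
        $audit = $rec.AuditData | ConvertFrom-Json
        if ($audit.Id) { [string]$audit.Id }
    }
}

function Compare-AuditRecordSets {
    param(
        [Parameter(Mandatory)][object[]]$Normal,
        [Parameter(Mandatory)][object[]]$HighCompleteness
    )
    $normalIds = @(Get-AuditEventId -Records $Normal)
    $hcIds     = @(Get-AuditEventId -Records $HighCompleteness)
    $normalUnique = @($normalIds | Sort-Object -Unique)
    $hcUnique     = @($hcIds | Sort-Object -Unique)

    [PSCustomObject][Ordered]@{
        NormalTotal              = $normalIds.Count
        NormalUnique             = $normalUnique.Count
        DuplicatesInNormal       = $normalIds.Count - $normalUnique.Count
        HighCompletenessTotal    = $hcIds.Count
        HighCompletenessUnique   = $hcUnique.Count
        DuplicatesInHC           = $hcIds.Count - $hcUnique.Count
        # Ids seen by one search but not the other: the records a report would miss
        OnlyInNormal             = @($normalUnique | Where-Object { $_ -notin $hcUnique })
        OnlyInHighCompleteness   = @($hcUnique | Where-Object { $_ -notin $normalUnique })
    }
}

# Constructed sample data shaped like Search-UnifiedAuditLog output.
function New-FakeAuditRecord {
    param([string]$Id, [string]$Operation, [string]$When)
    [PSCustomObject]@{
        CreationDate = $When
        UserIds      = 'user@example.invalid'
        Operations   = $Operation
        AuditData    = (@{ Id = $Id; Operation = $Operation; CreationTime = $When } | ConvertTo-Json -Compress)
    }
}

# Normal search: one MailItemsAccessed event returned three times (as seen in the post)
$normalSet = @(
    New-FakeAuditRecord -Id 'evt-0001' -Operation 'MailItemsAccessed' -When '2024-03-10T08:00:00'
    New-FakeAuditRecord -Id 'evt-0001' -Operation 'MailItemsAccessed' -When '2024-03-10T08:00:00'
    New-FakeAuditRecord -Id 'evt-0001' -Operation 'MailItemsAccessed' -When '2024-03-10T08:00:00'
    New-FakeAuditRecord -Id 'evt-0002' -Operation 'FileAccessed'      -When '2024-03-10T09:00:00'
    New-FakeAuditRecord -Id 'evt-0003' -Operation 'UserLoggedIn'      -When '2024-03-10T10:00:00'
)
# High completeness search: no duplicates, plus one record the normal search missed
$hcSet = @(
    New-FakeAuditRecord -Id 'evt-0001' -Operation 'MailItemsAccessed' -When '2024-03-10T08:00:00'
    New-FakeAuditRecord -Id 'evt-0002' -Operation 'FileAccessed'      -When '2024-03-10T09:00:00'
    New-FakeAuditRecord -Id 'evt-0003' -Operation 'UserLoggedIn'      -When '2024-03-10T10:00:00'
    New-FakeAuditRecord -Id 'evt-0004' -Operation 'FileDownloaded'    -When '2024-03-10T11:00:00'
)

$comparison = Compare-AuditRecordSets -Normal $normalSet -HighCompleteness $hcSet
$comparison | Format-List
# With real data: Compare-AuditRecordSets -Normal $Data3 -HighCompleteness $Data2
```

On the constructed data the report shows five normal records collapsing to three unique Ids (two duplicates) and one Id present only in the high completeness set. Run against the two result sets from the post, OnlyInNormal and OnlyInHighCompleteness are the fields to watch: if both are empty, the difference in counts is entirely due to duplication, which is what the 704-record match suggests.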

A New Way to Run Large Audit Log Searches

Administrators run audit log searches to extract information about many different types of activity. When they do, administrators expect Purview to respond with accurate and complete results. It seems that this hasn’t been the case in the past and that the likelihood of missing records grows as the number of audit records found by a query increases. That’s not good and I was surprised to find so many duplicates.

Based on what I see so far, high completeness searches do a good job of finding large quantities of audit records reasonably quickly. Being sure that 120,000 records are accurate and represent the total available set is a different matter. Checking the data fetched by more precise queries indicates that high completeness searches generate accurate results. This preview feature is worth investigating.
