Bug: Search-UnifiedAuditLog unable to gather more than 50,000 items · Issue #289 · T0pCyber/hawk · GitHub

Open
waybaker opened this issue May 30, 2025 · 3 comments
Labels
status/backlog In backlog / validated type/bug Non-urgent code defect

Comments

waybaker commented May 30, 2025

What happened?

Once the scan hits 50,000 items, it is unable to proceed any further and just loops with the same message:

[2025-05-29 21:14:42Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:15:24Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:16:07Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:16:47Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:17:28Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:18:08Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:18:49Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:51Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:53Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:54Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:56Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:57Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:59Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:00Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:02Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:03Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:05Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:07Z] - [INFO] - Retrieved:50000 Total: 83348

I left this to run overnight, and it never completed. It is still showing the same thing.

Steps to Reproduce

Command used: Start-HawkUserInvestigation -UserPrincipalName user@domain.com -StartDate '04/01/2025' -EndDate '05/29/2025' -FilePath 'c:\subfolder' -SkipUpdate

Hawk Version

Latest - Installed 5/29/2025 (4.0)

Technical Analysis

No response

Implementation Plan

No response

Acceptance Criteria

No response

waybaker added the type/bug (Non-urgent code defect) and status/backlog (In backlog / validated) labels May 30, 2025
@nextechinc

I'm having the same trouble. Doesn't seem to matter what date range I use (down to a single day), the UAL total is always the same and always well over 50,000.

@T0pCyber T0pCyber self-assigned this Jun 11, 2025
@T0pCyber
Owner

Can you provide a screenshot of the log? What subfunction is the Tenant Investigation hanging up on? Sorry this is happening, we may have missed some tenant size constraints and need to update accordingly.

@nextechinc

This was with command: Start-HawkUserInvestigation -UserPrincipalName user@domain.com -DaysToLookBack 5 -FilePath .\

The screenshots are a little incongruent because I'd terminate the command shortly after seeing the Total over 50000, on subsequent attempts.
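
An added example, not part of the thread and not Hawk's own code: Search-UnifiedAuditLog returns at most 50,000 records per ReturnLargeSet session, so a collector can halve the time window whenever ResultCount exceeds that and stop when a page brings no new ResultIndex. The names Get-UalWindow, $SessionCap and $PageSize are hypothetical, and an Exchange Online session is assumed to be connected already.

```powershell
# Added example: hypothetical helper, not part of Hawk.
# Assumes an active Exchange Online session (Connect-ExchangeOnline).
$SessionCap = 50000   # documented ceiling for one ReturnLargeSet session
$PageSize   = 5000    # largest -ResultSize a single call accepts

function Get-UalWindow {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End
    )
    $sessionId = [guid]::NewGuid().ToString()
    $records   = [System.Collections.Generic.List[object]]::new()
    $lastIndex = 0
    $total     = 0
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $UserId `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize $PageSize)
        if ($page.Count -eq 0) { break }                 # nothing more to read
        $total = $page[0].ResultCount
        # More records than one session can return: halve the window and recurse.
        if ($total -gt $SessionCap -and ($End - $Start).TotalMinutes -gt 1) {
            $mid = $Start.AddTicks([long](($End - $Start).Ticks / 2))
            Get-UalWindow -UserId $UserId -Start $Start -End $mid
            Get-UalWindow -UserId $UserId -Start $mid -End $End
            return
        }
        # Progress guard: stop if the index did not advance, rather than re-polling forever.
        $maxIndex = ($page | Measure-Object -Property ResultIndex -Maximum).Maximum
        if ($maxIndex -le $lastIndex) {
            Write-Warning "No progress after $($records.Count) of $total records; stopping."
            break
        }
        $lastIndex = $maxIndex
        $records.AddRange($page)
    } while ($records.Count -lt $total)
    $records   # emit this window's records to the pipeline
}

# Adjacent windows share a boundary instant, so de-duplicate on Identity:
# Get-UalWindow -UserId 'user@domain.com' -Start '04/01/2025' -End '05/29/2025' |
#     Sort-Object Identity -Unique
```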
