search

microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph
Other
691 stars 165 forks source link

Get-MgBetaSecurityAuditLogQueryRecord - Status: 500 (InternalServerError) #2927

Closed JoeyInvictus closed 3 weeks ago

JoeyInvictus commented 1 month ago

Describe the bug

I am trying to retrieve the Unified Audit Logs through an application with the required Graph API scopes. I can initiate the scan, check the status of the scan, and begin downloading the results. However, after approximately 20,000 entries, it starts to throw errors for some reason.

I get the following error message:

Get-MgBetaSecurityAuditLogQueryRecord : Internal server error
Status: 500 (InternalServerError)
ErrorCode:
Date: 2024-08-26T14:13:01
Headers:
Transfer-Encoding             : chunked
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : d6ea52b3-c627-402b-aca0-885440b5fa3c
client-request-id             : 7d864a09-fd52-4d51-872d-a034810f3ed9
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF0003BA6B"}}
Cache-Control                 : no-cache
Date                          : Mon, 26 Aug 2024 14:13:00 GMT
At line:1 char:1
+ Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId 704fea76-7a13- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ AuditLogQuery...ndProperty =  }:<>f__AnonymousType36`9) [Get-MgBetaSecur...ueryRecord_List], Exception
    + FullyQualifiedErrorId : Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List

I get this by running the code below:

$customObjects = @()
Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId {REJECTED} -All |
        ForEach-Object {                
            $customObjects += $customObject
        } 

 $customObjects | ConvertTo-Json -Depth 100 | Out-File -Append "UnifiedAuditLog.json"

After it errors, I have exactly 21,000 results. image

In addition, I tried using the Invoke-MgGraphRequest cmdlet, but it results in the same behavior.

$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId/records"

        Do {
            $response = Invoke-MgGraphRequest -Method Get -Uri $apiUrl -ContentType 'application/json'
            if ($response.value) {
                $filePath = Join-Path -Path $OutputDir -ChildPath $outputFilePath
                $response.value | ConvertTo-Json -Depth 100 | Out-File -FilePath $filePath -Append

            }
            $apiUrl = $response.'@odata.nextLink'
        } While ($apiUrl)

Expected behavior

All entries found in the Unified Audit Log during the scan should be downloadable via Get-MgBetaSecurityAuditLogQueryRecord.

How to reproduce

  1. Start a new scan via New-MgBetaSecurityAuditLogQuery
  2. Download the results via Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $scanId

Make sure to have more then 21k results in the search.

SDK Version

2.11.1

Latest version known to work for scenario above?

2.11.1

Known Workarounds

No response

Debug output

Click to expand log ``` ```

Configuration

No response

Other information

No response

timayabi2020 commented 1 month ago

@JoeyInvictus thank you for logging this issue. After confirming with another tool, this seems like a service issue. Please Kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it. image

JoeyInvictus commented 4 weeks ago

Hi, still waiting for a response from Microsoft on my ticket...

timayabi2020 commented 3 weeks ago

Closing this issue since its service related and not particularly an SDK issue. The issue cuts across all SDKs and other tools like GE.