Bug: Search-UnifiedAuditLog unable to gather more than 50,000 items #289

@waybaker

What happened?

Once the scan hits 50,000 items, it is unable to proceed any further and just loops with the same message:

[2025-05-29 21:14:42Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:15:24Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:16:07Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:16:47Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:17:28Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:18:08Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:18:49Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:51Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:53Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:54Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:56Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:57Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:59Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:00Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:02Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:03Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:05Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:07Z] - [INFO] - Retrieved:50000 Total: 83348

I left this to run overnight, and it never completed. It is still showing the same thing.

Steps to Reproduce

Command used: Start-HawkUserInvestigation -UserPrincipalName user@domain.com -StartDate '04/01/2025' -EndDate '05/29/2025' -FilePath 'c:\subfolder' -SkipUpdate

Hawk Version

Latest - Installed 5/29/2025 (4.0)

Technical Analysis

No response

Implementation Plan

No response

Acceptance Criteria

No response

Labels

status/backlog (In backlog / validated), type/bug (Non-urgent code defect)
