How to list Exchange audit content between datest using Office 365 Management API?

CybP 21 Reputation points
2021-09-09T10:46:40.76+00:00

Hi,

I try to list Exchange audit content between datest using Office 365 Management API.
I prepare request like this

/api/v1.0/{tenat}/activity/feed/subscriptions/content?contentType=Audit.Exchange&PublisherIdentifier={tenat}&startTime=2021-09-09T10:31:58&endTime=2021-09-09T10:32:58

But every time I get the same list of contents with contentCreated< than startTime.
If no any events I get the same list of contents, but if I have an amount of exchange events, returned content list is changed but contentCreated < that startTime.

From my point of view I should get content only with contentCreated >= than startTime or nothing.

Why I getting the content with contentCreated less that startTime?

Exchange Server Development
Exchange Server Development
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Development: The process of researching, productizing, and refining new or existing technologies.
544 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. David Barrett 21 Reputation points Microsoft Employee
    2021-09-21T13:43:46.367+00:00

    You can't use the Office 365 Management API to search for audit data. You can only use the management API to collect your audit logs. You would then search those logs offline (e.g. you could import the logs into an SIEM and search in that).

    Docs are here: https://video2.skills-academy.com/en-us/office/office-365-management-api/office-365-management-apis-overview

    To clarify, the start and end time refer to the times that the audit events were made available to the management API. They are not the times of the events.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.