Get-MgBetaSecurityAuditLogQueryRecord - Status: 500 (InternalServerError)
### Describe the bug
I am trying to retrieve the Unified Audit Logs through an application with the required Graph API scopes. I can initiate the scan, check the status of the scan, and begin downloading the results. However, after approximately 20,000 entries, it starts to throw errors for some reason.
I get the following error message:
```
Get-MgBetaSecurityAuditLogQueryRecord : Internal server error
Status: 500 (InternalServerError)
ErrorCode:
Date: 2024-08-26T14:13:01
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : d6ea52b3-c627-402b-aca0-885440b5fa3c
client-request-id : 7d864a09-fd52-4d51-872d-a034810f3ed9
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"003","RoleInstance":"AM1PEPF0003BA6B"}}
Cache-Control : no-cache
Date : Mon, 26 Aug 2024 14:13:00 GMT
At line:1 char:1
+ Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId 704fea76-7a13- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ AuditLogQuery...ndProperty = }:<>f__AnonymousType36`9) [Get-MgBetaSecur...ueryRecord_List], Exception
+ FullyQualifiedErrorId : Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List
```
I get this by running the code below:
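```powershell
$customObjects = @()
Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId {REJECTED} -All |
    ForEach-Object {
        # The post does not show how $customObject is built; the record itself is used here.
        $customObject = $_
        $customObjects += $customObject
    }
# Serialize everything collected so far and append it to the output file.
$customObjects | ConvertTo-Json -Depth 100 | Out-File -Append "UnifiedAuditLog.json"
```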
After it errors, I have exactly 21,000 results.
In addition, I tried using the Invoke-MgGraphRequest cmdlet, but it results in the same behavior.
```powershell
$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId/records"
Do {
    $response = Invoke-MgGraphRequest -Method Get -Uri $apiUrl -ContentType 'application/json'
    if ($response.value) {
        $filePath = Join-Path -Path $OutputDir -ChildPath $outputFilePath
        $response.value | ConvertTo-Json -Depth 100 | Out-File -FilePath $filePath -Append
    }
    $apiUrl = $response.'@odata.nextLink'
} While ($apiUrl)
```
### Expected behavior
All entries found in the Unified Audit Log during the scan should be downloadable via Get-MgBetaSecurityAuditLogQueryRecord.
### How to reproduce
- Start a new scan via New-MgBetaSecurityAuditLogQuery
- Download the results via Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $scanId

Make sure to have more than 21k results in the search.
### SDK Version
2.11.1
### Latest version known to work for scenario above?
2.11.1
### Known Workarounds
_No response_
### Configuration
_No response_
### Other information
_No response_
@JoeyInvictus thank you for logging this issue. After confirming with another tool, this seems like a service issue. Please kindly raise an issue here https://developer.microsoft.com/en-us/graph/support so that the API owner can respond to it.
Hi, still waiting for a response from Microsoft on my ticket...
Closing this issue since it's service-related and not particularly an SDK issue. The issue cuts across all SDKs and other tools like GE.
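
An added example, not code from this thread or from the SDK project: a version of the `Invoke-MgGraphRequest` paging loop from the issue that makes an interrupted audit-log export visible instead of silently short. It does not fix the service-side 500; it retries each page, writes one JSON record per line so partial output stays parseable, and saves the failing page URL and record count. The parameter names, file names, retry count, and the idea that a saved `@odata.nextLink` can be reused in a later run are assumptions.

```powershell
# Assumed names (not from the thread): $scanId, $outFile, $stateFile, $maxRetries.
param(
    [Parameter(Mandatory)] [string] $scanId,
    [string] $outFile    = 'UnifiedAuditLog.jsonl',
    [string] $stateFile  = 'UnifiedAuditLog.state.json',
    [int]    $maxRetries = 5
)

$url   = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId/records"
$total = 0
# Resume from the page that failed last time, if an earlier run left a checkpoint.
if (Test-Path $stateFile) {
    $state = Get-Content $stateFile -Raw | ConvertFrom-Json
    $url   = $state.nextLink
    $total = [int]$state.recordsWritten
}

while ($url) {
    $response = $null
    for ($attempt = 1; $attempt -le $maxRetries -and $null -eq $response; $attempt++) {
        try {
            $response = Invoke-MgGraphRequest -Method GET -Uri $url -ErrorAction Stop
        } catch {
            # Keep the error text: it carries the request-id values a support ticket needs.
            Write-Warning "Attempt $attempt failed after $total records: $($_.Exception.Message)"
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))   # exponential backoff
        }
    }

    if ($null -eq $response) {
        # Record exactly where paging stopped so the gap in the evidence is documented.
        [pscustomobject]@{
            nextLink       = $url
            recordsWritten = $total
            stoppedAt      = (Get-Date).ToString('o')
        } | ConvertTo-Json | Set-Content -Path $stateFile
        throw "Paging stopped after $total records; export is INCOMPLETE. Checkpoint: $stateFile"
    }

    # One compressed JSON object per line (JSON Lines), appended page by page.
    $lines = @($response.value | ForEach-Object { $_ | ConvertTo-Json -Depth 100 -Compress })
    if ($lines.Count) { Add-Content -Path $outFile -Value $lines }
    $total += $lines.Count
    $url = $response.'@odata.nextLink'
}

Remove-Item $stateFile -ErrorAction SilentlyContinue
Write-Output "Export complete: $total records in $outFile"
```

Treat any run that ends with a checkpoint file as a partial export, and note the record count alongside the query ID when the data is used in an investigation.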