How can I filter for a specific IP address through the Microsoft Entra Audit logs?
I tried following two PowerShell commands:
Get-MgAuditLogDirectoryAudit -All -Property * -Filter "initiatedBy/user/ipAddress eq '$IpAddress'"
Get-MgBetaAuditLogDirectoryAudit -All -Property * -Filter "initiatedBy/user/ipAddress eq '$IpAddress'"
Following filter query works:
Get-MgAuditLogDirectoryAudit -All -Property * -Filter "initiatedBy/user/userPrincipalName eq '$UPN'"
My solution:
[Array]$Records = Get-MgBetaAuditLogDirectoryAudit -All
$Records | Where-Object {$_.InitiatedBy.User.IPAddress -eq "$IpAddress"}
Why not using the logs you already paid for?
Who wants to invest extra money for LogAnalytics, Splunk, etc. can do this. ;-)