unified audit log cmdlet topics complete

Author: markjjo

exchange/exchange-ps/exchange/policy-and-compliance-audit/Get-UnifiedAuditLogRetentionPolicy.md

@@ -15,7 +15,7 @@ monikerRange: "o365scc-ps"
 ## SYNOPSIS
 This cmdlet is available only in Office 365 Security & Compliance Center PowerShell. For more information, see [Office 365 Security & Compliance Center PowerShell](https://docs.microsoft.com/powershell/exchange/office-365-scc/office-365-scc-powershell).
 
-Use the Get-UnifiedAuditLogRetentionPolicy cmdlet to 
+Use the Get-UnifiedAuditLogRetentionPolicy cmdlet to view the properties of the audit log retention policies in your organization. Audit log retention policies are used to specify a retention duration for audit logs for that are generated by admin and user activity. An audit log retention policy can specify the retention duration based on the type of audited activities, the Office 365 service that activities are performed in, or the users who performed the activities. For more information, see [Manage audit log retention policies](https://docs.microsoft.com/microsoft-365/compliance/audit-log-retention-policies).
 
 For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://docs.microsoft.com/powershell/exchange/exchange-server/exchange-cmdlet-syntax).
 
@@ -37,15 +37,23 @@ You need to be assigned permissions in the Office 365 Security & Compliance Cent
 
 ### Example 1
 ```powershell
-{{ Add example code here }}
+Get-UnifiedAuditLogRetentionPolicy | Sort-Object -Property Priority -Descending | FL Priority,Name,Description,RecordTypes,Operations,UserIds,RetentionDuration
 ```
 
-{{ Add example description here }}
+This example lists the configurable properties for all audit log retention policies in your organization. The command also lists the policies in order of highest to lowest priority.
+
+### Example 2
+```powershell
+Get-UnifiedAuditLogRetentionPolicy -RecordType ExchangeItem | FL Name,Description,RecordTypes,Operations,UserIds,RetentionDuration,Priority
+```
+
+This example lists the configurable properties for all audit log retention policies that apply to audit records the record type of ExchangeItem.
+
 
 ## PARAMETERS
 
 ### -Operation
-The Operations parameter filters the policy results by the operations that are specified in the policy. The available values for this parameter depend on the RecordType value. For a list of the available values for this parameter, see [Audited activities](https://go.microsoft.com/fwlink/p/?LinkId=708432).
+The Operations parameter filters the results by the operations that are specified in the policy. For a list of the available values for this parameter, see [Audited activities](https://go.microsoft.com/fwlink/p/?LinkId=708432).
 
 To enter multiple values, use the following syntax: \<value1\>,\<value2\>,...\<valueX\>. If the values contain spaces or otherwise require quotation marks, use the following syntax: "\<value1\>","\<value2\>",..."\<valueX\>".
 
@@ -63,7 +71,7 @@ Accept wildcard characters: False
 ```
 
 ### -RecordType
-The RecordType parameter filters the policy results by the record types that are defined in the policy. Valid values are:
+The RecordType parameter filters the results by the record types that are defined in the policy. Valid values are:
 
 - AeD
 
@@ -213,8 +221,6 @@ The RecordType parameter filters the policy results by the record types that are
 Type: AuditRecordType
 Parameter Sets: (All)
 Aliases:
-Accepted values: ExchangeAdmin, ExchangeItem, ExchangeItemGroup, SharePoint, SyntheticProbe, SharePointFileOperation, OneDrive, AzureActiveDirectory, AzureActiveDirectoryAccountLogon, DataCenterSecurityCmdlet, ComplianceDLPSharePoint, Sway, ComplianceDLPExchange, SharePointSharingOperation, AzureActiveDirectoryStsLogon, SkypeForBusinessPSTNUsage, SkypeForBusinessUsersBlocked, SecurityComplianceCenterEOPCmdlet, ExchangeAggregatedOperation, PowerBIAudit, CRM, Yammer, SkypeForBusinessCmdlets, Discovery, MicrosoftTeams, ThreatIntelligence, MailSubmission, MicrosoftFlow, AeD, MicrosoftStream, ComplianceDLPSharePointClassification, ThreatFinder, Project, SharePointListOperation, SharePointCommentOperation, DataGovernance, Kaizala, SecurityComplianceAlerts, ThreatIntelligenceUrl, SecurityComplianceInsights, MIPLabel, WorkplaceAnalytics, PowerAppsApp, PowerAppsPlan, ThreatIntelligenceAtpContent, LabelExplorer, TeamsHealthcare, ExchangeItemAggregated, HygieneEvent, DataInsightsRestApiAudit, InformationBarrierPolicyApplication, SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation, MicrosoftTeamsAdmin, HRSignal, MicrosoftTeamsDevice, MicrosoftTeamsAnalytics, InformationWorkerProtection, Campaign, DLPEndpoint, AirInvestigation, Quarantine, MicrosoftForms, ApplicationAudit, ComplianceSupervisionExchange, CustomerKeyServiceEncryption, OfficeNative, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation, MicrosoftTeamsShifts, MipAutoLabelExchangeItem
-Applicable: Office 365 Security & Compliance Center
 
 Required: False
 Position: Named

exchange/exchange-ps/exchange/policy-and-compliance-audit/New-UnifiedAuditLogRetentionPolicy.md

@@ -15,7 +15,7 @@ monikerRange: "o365scc-ps"
 ## SYNOPSIS
 This cmdlet is available only in Office 365 Security & Compliance Center PowerShell. For more information, see [Office 365 Security & Compliance Center PowerShell](https://docs.microsoft.com/powershell/exchange/office-365-scc/office-365-scc-powershell).
 
-Use the New-UnifiedAuditLogRetentionPolicy cmdlet to 
+Use the New-UnifiedAuditLogRetentionPolicy cmdlet to create audit log retention policies in the Office 365 Security & Compliance Center. Audit log retention policies are used to specify a retention duration for audit logs for that are generated by admin and user activity. An audit log retention policy can specify the retention duration based on the type of audited activities, the Office 365 service that activities are performed in, or the users who performed the activities. For more information, see [Manage audit log retention policies](https://docs.microsoft.com/microsoft-365/compliance/audit-log-retention-policies).
 
 For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://docs.microsoft.com/powershell/exchange/exchange-server/exchange-cmdlet-syntax).
 
@@ -38,15 +38,22 @@ You need to be assigned permissions in the Office 365 Security & Compliance Cent
 
 ### Example 1
 ```powershell
-{{ Add example code here }}
+New-UnifiedAuditLogRetentionPolicy -Name "Microsoft Teams Audit Policy" -Description "One year retention policy for all Microsoft Teams activities" -RecordTypes MicrosoftTeams -RetentionDuration TwelveMonths -Priority 100
 ```
 
-{{ Add example description here }}
+This example creates an audit log retention policy that retains all audit logs related to Microsoft Teams events for one year.
+
+### Example 2
+```powershell
+New-UnifiedAuditLogRetentionPolicy -Name "SearchQueryPerformed by app@sharepoint" -Description "90 day retention policy for noisy SharePoint events" -RecordTypes SharePoint  -Operations SearchQueryPerformed -UserIds "app@sharepoint" -RetentionDuration ThreeMonths -Priority 10000
+```
+
+This example creates an audit log retention policy that retains all audit logs for the SearchQueryPerformed activity performed by the app@sharepoint service account for 90 days.
 
 ## PARAMETERS
 
 ### -Name
-The Name parameter specifies a unique name for the unified audit log retention policy. The maximum length is 64 characters. If the value contains spaces, enclose the value in quotation marks (").
+The Name parameter specifies a unique name for the audit log retention policy. The maximum length is 64 characters. If the value contains spaces, enclose the value in quotation marks (").
 
 ```yaml
 Type: String
@@ -62,17 +69,15 @@ Accept wildcard characters: False
 ```
 
 ### -Priority
-The Priority parameter specifies a priority value for the policy that determines the order of policy processing. A lower integer value indicates a higher priority, the value 0 is the highest priority, and policies can't have the same priority value.
+The Priority parameter specifies a priority value for the policy that determines the order of policy processing. A higher integer value indicates a higher priority, the value 10000 is the highest priority, and policies can't have the same priority value.
 
 Valid values and the default value for this parameter depend on the number of existing policies. For example, if there are 8 existing policies:
 
-- Valid priority values for the existing 8 policies are from 0 through 7.
+- Valid priority values for the existing 8 policies are from 7 through 0.
 
-- Valid priority values for a new policy (the 9th policy) are from 0 through 8.
+- Valid priority values for a new policy (the 9th policy) are from 8 through 0.
 
-- The default value for a new policy (the 9th policy) is 8.
-
-If you modify the priority value of a policy, the position of the policy in the list changes to match the priority value you specify. In other words, if you set the priority value of a policy to the same value as an existing policy, the priority value of the existing policy and all other lower priority policies after it is increased by 1.
+You must use a unique priority value when creating new audit log retention policies. Any custom audit log retention policy that you create will take precedence over the default audit log retention policy. For more information, see [Advanced audit in Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/advanced-audit).
 
 ```yaml
 Type: Int32
@@ -88,7 +93,7 @@ Accept wildcard characters: False
 ```
 
 ### -RetentionDuration
-The RetentionDuration parameter specifies how long the unified audit log records are kept. Valid values are:
+The RetentionDuration parameter specifies how long audit log records are kept.  Valid values are:
 
 - ThreeMonths
 
@@ -133,7 +138,7 @@ Accept wildcard characters: False
 ```
 
 ### -Description
-The Description parameter specifies a description for the unified audit log retention policy. The maximum length is 256 characters. If the value contains spaces, enclose the value in quotation marks (").
+The Description parameter specifies a description for the audit log retention policy. The maximum length is 256 characters. If the value contains spaces, enclose the value in quotation marks (").
 
 ```yaml
 Type: String
@@ -149,9 +154,9 @@ Accept wildcard characters: False
 ```
 
 ### -Operations
-The Operations parameter specifies the unified audit log operations that are preserved by the policy. The available values for this parameter depend on the RecordType value. For a list of the available values for this parameter, see [Audited activities](https://go.microsoft.com/fwlink/p/?LinkId=708432).
+The Operations parameter specifies the audit log operations that are retained by the policy. For a list of the available values for this parameter, see [Audited activities](https://go.microsoft.com/fwlink/p/?LinkId=708432). If you use this parameter, you must also use the RecordTypes parameter to specify the record type. You can't use this parameter if you've specified more than one value for the RecordTypes parameter.
 
-To enter multiple values, use the following syntax: \<value1\>,\<value2\>,...\<valueX\>. If the values contain spaces or otherwise require quotation marks, use the following syntax: "\<value1\>","\<value2\>",..."\<valueX\>".
+To enter multiple values, use the following syntax: \<value1\>,\<value2\>,...\<valueX\>. If the values contain spaces or otherwise require quotation marks, use the following syntax: "\<value1\>","\<value2\>",..."\<valueX\>". 
 
 ```yaml
 Type: MultiValuedProperty
@@ -167,7 +172,7 @@ Accept wildcard characters: False
 ```
 
 ### -RecordTypes
-The RecordTypes parameter specifies the record type labels that are preserved by the policy. Valid values are:
+The RecordTypes parameter specifies the audit logs of a specific record type that are retained by the policy. You can specify multiple values separated by commas. If you specify more than one value, you can't use the Operations parameter. Valid values are:
 
 - AeD
 
@@ -313,13 +318,10 @@ The RecordTypes parameter specifies the record type labels that are preserved by
 
 - Yammer
 
-You can specify multiple values separated by commas.
-
 ```yaml
 Type: MultiValuedProperty
 Parameter Sets: (All)
 Aliases:
-Accepted values: ExchangeAdmin, ExchangeItem, ExchangeItemGroup, SharePoint, SyntheticProbe, SharePointFileOperation, OneDrive, AzureActiveDirectory, AzureActiveDirectoryAccountLogon, DataCenterSecurityCmdlet, ComplianceDLPSharePoint, Sway, ComplianceDLPExchange, SharePointSharingOperation, AzureActiveDirectoryStsLogon, SkypeForBusinessPSTNUsage, SkypeForBusinessUsersBlocked, SecurityComplianceCenterEOPCmdlet, ExchangeAggregatedOperation, PowerBIAudit, CRM, Yammer, SkypeForBusinessCmdlets, Discovery, MicrosoftTeams, ThreatIntelligence, MailSubmission, MicrosoftFlow, AeD, MicrosoftStream, ComplianceDLPSharePointClassification, ThreatFinder, Project, SharePointListOperation, SharePointCommentOperation, DataGovernance, Kaizala, SecurityComplianceAlerts, ThreatIntelligenceUrl, SecurityComplianceInsights, MIPLabel, WorkplaceAnalytics, PowerAppsApp, PowerAppsPlan, ThreatIntelligenceAtpContent, LabelExplorer, TeamsHealthcare, ExchangeItemAggregated, HygieneEvent, DataInsightsRestApiAudit, InformationBarrierPolicyApplication, SharePointListItemOperation, SharePointContentTypeOperation, SharePointFieldOperation, MicrosoftTeamsAdmin, HRSignal, MicrosoftTeamsDevice, MicrosoftTeamsAnalytics, InformationWorkerProtection, Campaign, DLPEndpoint, AirInvestigation, Quarantine, MicrosoftForms, ApplicationAudit, ComplianceSupervisionExchange, CustomerKeyServiceEncryption, OfficeNative, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation, MicrosoftTeamsShifts, MipAutoLabelExchangeItem
 Applicable: Office 365 Security & Compliance Center
 
 Required: False
@@ -330,7 +332,7 @@ Accept wildcard characters: False
 ```
 
 ### -UserIds
-The UserIds parameter specifies the log entries that are retained by the policy based on the ID of the user who performed the action.
+The UserIds parameter specifies the audit logs that are retained by the policy based on the ID of the user who performed the action.
 
 To enter multiple values, use the following syntax: \<value1\>,\<value2\>,...\<valueX\>. If the values contain spaces or otherwise require quotation marks, use the following syntax: "\<value1\>","\<value2\>",..."\<valueX\>".
 

exchange/exchange-ps/exchange/policy-and-compliance-audit/Remove-UnifiedAuditLogRetentionPolicy.md

@@ -15,7 +15,7 @@ monikerRange: "o365scc-ps"
 ## SYNOPSIS
 This cmdlet is available only in Office 365 Security & Compliance Center PowerShell. For more information, see [Office 365 Security & Compliance Center PowerShell](https://docs.microsoft.com/powershell/exchange/office-365-scc/office-365-scc-powershell).
 
-Use the Set-UnifiedAuditLogRetentionPolicy cmdlet to 
+Use the Remove-UnifiedAuditLogRetentionPolicy cmdlet to delete audit log retention policies. It might take up to 30 minutes for the policy to be completely removed. For more information, see [Manage audit log retention policies](https://docs.microsoft.com/microsoft-365/compliance/audit-log-retention-policies).
 
 For information about the parameter sets in the Syntax section below, see [Exchange cmdlet syntax](https://docs.microsoft.com/powershell/exchange/exchange-server/exchange-cmdlet-syntax).
 
@@ -36,15 +36,15 @@ You need to be assigned permissions in the Office 365 Security & Compliance Cent
 
 ### Example 1
 ```powershell
-{{ Add example code here }}
+Remove-UnifiedAuditLogRetentionPolicy -Identity "SearchQueryPerformed by app@sharepoint" 
 ```
 
-{{ Add example description here }}
+This example deletes the audit log retention policy named "SearchQueryPerformed by app@sharepoint".
 
 ## PARAMETERS
 
 ### -Identity
-The Identity parameter specifies the unified audit log retention policy that you want to modify. You can use any value that uniquely identifies the policy. For example:
+The Identity parameter specifies the audit log retention policy that you want to delete. You can use any value that uniquely identifies the policy. For example:
 
 - Name