Tenant/Get-HawkTenantAuthHistory.ps1
Function Get-HawkTenantAuthHistory { Param ( [Parameter(Mandatory = $true)] $StartDate, [int]$IntervalMinutes = 15 ) # Try to convert the submitted date into [datetime] format try { [datetime]$DateToStartSearch = Get-date $StartDate } catch { Out-Logfile "[ERROR] - Unable to convert submitted date" break } # Make sure the start date isn't more than 90 days in the past if ((get-date).adddays(-91) -gt $DateToStartSearch) { Out-Logfile "[ERROR] - Start date is over 90 days in the past" break } Test-EXOConnection Send-AIEvent -Event "CmdRun" # Setup inial start and end time for the search [datetime]$CurrentStart = $DateToStartSearch [datetime]$CurrentEnd = $DateToStartSearch.AddMinutes($IntervalMinutes) # Hard stop for the end time for 48 hours this is to be a good citizen and to ensure that we actually get the data back [datetime]$end = $DateToStartSearch.AddHours(48) # Setup our file prefix so we can run multiple times with out collision [string]$prefix = get-date ($DateToStartSearch) -UFormat %Y_%d_%m # Current count so we can setup a file name and other stuff [int]$CurrentCount = 0 # Create while loop so we go thru things in intervals until we hit the end while ($currentStart -lt $end) { # Pull the unified audit log results [array]$output = Get-AllUnifiedAuditLogEntry -UnifiedSearch "Search-UnifiedAuditLog" -StartDate $currentStart -EndDate $currentEnd # See if we have results if so push to csv file if ($null -eq $output) { Out-LogFile ("No results found for time period " + $CurrentStart + " - " + $CurrentEnd) } else { $output | Out-MultipleFileType -FilePrefix "Audit_Log_Full_$prefix" -Append -csv } # Move our start and end times forward $currentStart = $currentEnd $currentEnd = $currentEnd.AddMinutes($intervalMinutes) # Increment our count $CurrentCount++ } <# .SYNOPSIS Gathers 48 hours worth of Unified Audit logs. Pulls everyting into a CSV file. .DESCRIPTION Connects to EXO and searches the unified audit log file only a date time filter. Searches in 15 minute increments to ensure that we gather all data. Should be used once you have used other commands to determine a "window" that needs more review. .OUTPUTS File: Audit_Log_Full_<date>.csv Path: \Tenant Description: Audit data for ALL users over a 48 hour period .EXAMPLE Get-HawkTenantAuthHistory -StartDate "10/25/2018" Gathers 48 hours worth of audit data starting at midnight on October 25th 2018 #> } |