Tenant/Get-HawkTenantAuthHistory.ps1


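Function Get-HawkTenantAuthHistory {
    Param (
        [Parameter(Mandatory = $true)]
        $StartDate,
        [int]$IntervalMinutes = 15
    )

    # Try to convert the submitted date into [datetime] format.
    # Errors are surfaced with throw rather than break: a bare `break` outside a loop
    # unwinds into whatever loop the CALLER happens to be in (or ends the script)
    # instead of signalling a failure of this function.
    try {
        [datetime]$DateToStartSearch = Get-Date $StartDate
    }
    catch {
        Out-LogFile "[ERROR] - Unable to convert submitted date"
        throw "Unable to convert submitted StartDate '$StartDate' to a [datetime]"
    }

    # A zero or negative interval would never move $CurrentStart towards $end,
    # so the search loop below would run forever.
    if ($IntervalMinutes -lt 1) {
        Out-LogFile "[ERROR] - IntervalMinutes must be 1 or greater"
        throw "IntervalMinutes must be 1 or greater (got $IntervalMinutes)"
    }

    [datetime]$now = Get-Date

    # Make sure the start date isn't more than 90 days in the past.
    # 90 days matches the default Unified Audit Log retention; tenants with longer
    # retention could search further back — TODO confirm before relaxing this limit.
    if ($now.AddDays(-91) -gt $DateToStartSearch) {
        Out-LogFile "[ERROR] - Start date is over 90 days in the past"
        throw "Start date is over 90 days in the past"
    }

    # A start date in the future can never return audit data; reject it up front
    # rather than issuing 48 hours of empty queries against the service.
    if ($DateToStartSearch -gt $now) {
        Out-LogFile "[ERROR] - Start date is in the future"
        throw "Start date is in the future"
    }

    Test-EXOConnection
    # Telemetry: records that this cmdlet was run.
    Send-AIEvent -Event "CmdRun"

    # Hard stop for the end time at 48 hours. This is to be a good citizen and to
    # ensure that we actually get the data back. Windows that extend past "now"
    # simply return no results.
    [datetime]$CurrentStart = $DateToStartSearch
    [datetime]$end = $DateToStartSearch.AddHours(48)

    # Setup our file prefix so we can run multiple times without collision.
    # Deliberately left as year_day_month: changing the format would rename the
    # output files other tooling may already look for.
    [string]$prefix = Get-Date $DateToStartSearch -UFormat %Y_%d_%m

    # NOTE(review): Search-UnifiedAuditLog interprets date ranges as UTC, while these
    # are local [datetime] values from Get-Date — confirm whether callers expect the
    # window to be local or UTC before relying on exact boundaries.

    # Walk the 48 hour window in $IntervalMinutes slices so that no single query
    # exceeds the per-search result cap and silently drops records.
    while ($CurrentStart -lt $end) {
        # Don't let the final slice overshoot the 48 hour hard stop when the
        # interval does not divide the window evenly.
        [datetime]$CurrentEnd = $CurrentStart.AddMinutes($IntervalMinutes)
        if ($CurrentEnd -gt $end) {
            $CurrentEnd = $end
        }

        # Pull the unified audit log results for this slice (no user/operation filter).
        [array]$output = Get-AllUnifiedAuditLogEntry -UnifiedSearch "Search-UnifiedAuditLog" -StartDate $CurrentStart -EndDate $CurrentEnd

        # Only append to the CSV when there is something to write; an empty array
        # is treated the same as $null.
        if ($null -eq $output -or $output.Count -eq 0) {
            Out-LogFile ("No results found for time period " + $CurrentStart + " - " + $CurrentEnd)
        }
        else {
            # The CSV holds raw audit records for ALL users in the tenant — treat the
            # output directory as sensitive.
            $output | Out-MultipleFileType -FilePrefix "Audit_Log_Full_$prefix" -Append -csv
        }

        # Move our window forward
        $CurrentStart = $CurrentEnd
    }

    <#

    .SYNOPSIS
    Gathers 48 hours worth of Unified Audit Log entries for the whole tenant.
    Pulls everything into a CSV file.

    .DESCRIPTION
    Connects to EXO and searches the Unified Audit Log using only a date/time filter
    (no user, operation or record-type filter). Despite the cmdlet name the output is
    therefore ALL audit activity for ALL users in the window, not only authentication events.
    Searches in 15 minute increments (see -IntervalMinutes) to ensure that we gather all data.

    Should be used once you have used other commands to determine a "window" that needs more review.

    The start date must be parseable by Get-Date, must not be in the future and must not be more
    than 90 days in the past; otherwise an error is logged and a terminating error is thrown.
    Running the cmdlet also sends a "CmdRun" telemetry event via Send-AIEvent.

    .PARAMETER StartDate
    Start of the 48 hour window. Anything Get-Date can parse (string or [datetime]).

    .PARAMETER IntervalMinutes
    Size of each Search-UnifiedAuditLog query window in minutes. Defaults to 15; must be 1 or greater.

    .OUTPUTS
    File: Audit_Log_Full_<date>.csv
    Path: \Tenant
    Description: Audit data for ALL users over a 48 hour period

    .EXAMPLE
    Get-HawkTenantAuthHistory -StartDate "10/25/2018"

    Gathers 48 hours worth of audit data starting at midnight on October 25th 2018

    #>

}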