functions/Tenant/Get-HawkTenantAuthHistory.ps1
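Function Get-HawkTenantAuthHistory {
    <#
    .SYNOPSIS
        Gathers 48 hours worth of Unified Audit logs. Pulls everything into a CSV file.
    .DESCRIPTION
        Connects to EXO and searches the unified audit log using only a date/time filter.
        Searches in 15 minute increments (by default) to ensure that we gather all data.
        Should be used once you have used other commands to determine a "window" that
        needs more review.

        The search always stops 48 hours after StartDate. Every search window is clamped
        to that hard stop so the last window never reaches past it, and a non-positive
        IntervalMinutes is rejected at parameter binding so the loop cannot run forever.
    .PARAMETER StartDate
        Start date of authentication audit log search. Rejected if it is more than
        90 days in the past (the check compares against 91 days before now).
    .PARAMETER IntervalMinutes
        Time interval for increments, in minutes. Must be 1 or greater. Defaults to 15.
    .OUTPUTS
        File: Audit_Log_Full_<date>.csv
        Path: \Tenant
        Description: Audit data for ALL users over a 48 hour period
    .EXAMPLE
        Get-HawkTenantAuthHistory -StartDate "10/25/2018"

        Gathers 48 hours worth of audit data starting at midnight on October 25th 2018
    #>
    Param (
        [Parameter(Mandatory = $true)]
        [datetime]$StartDate,
        # 0 or a negative interval would never advance the window past the hard stop
        [ValidateRange(1, [int]::MaxValue)]
        [int]$IntervalMinutes = 15
    )

    # Make sure the start date isn't more than 90 days in the past.
    # NOTE(review): 'break' outside a loop unwinds into the caller's enclosing loop
    # (if any); kept as-is to preserve the existing control flow for callers.
    if ((Get-Date).AddDays(-91) -gt $StartDate) {
        Out-LogFile "[ERROR] - Start date is over 90 days in the past"
        break
    }

    Test-EXOConnection
    Send-AIEvent -Event "CmdRun"

    # Hard stop for the end time: 48 hours after StartDate. This is to be a good
    # citizen and to ensure that we actually get the data back.
    [datetime]$End = $StartDate.AddHours(48)

    # Initial search window. The end is clamped so that no window (including the
    # first one, when IntervalMinutes exceeds 48 hours) extends past the hard stop.
    [datetime]$CurrentStart = $StartDate
    [datetime]$CurrentEnd = $StartDate.AddMinutes($IntervalMinutes)
    if ($CurrentEnd -gt $End) { $CurrentEnd = $End }

    # File prefix so we can run multiple times without collision
    [string]$Prefix = Get-Date ($StartDate) -UFormat %Y_%d_%m

    # Walk the 48 hour range one window at a time
    while ($CurrentStart -lt $End) {
        # Pull the unified audit log results for this window
        [array]$Output = Get-AllUnifiedAuditLogEntry -UnifiedSearch "Search-UnifiedAuditLog" -StartDate $CurrentStart -EndDate $CurrentEnd

        # Append any results to the CSV/JSON output, otherwise log the empty window
        if ($null -eq $Output) {
            Out-LogFile ("No results found for time period " + $CurrentStart + " - " + $CurrentEnd)
        }
        else {
            $Output | Out-MultipleFileType -FilePrefix "Audit_Log_Full_$Prefix" -Append -csv -json
        }

        # Move the window forward, never past the hard stop
        $CurrentStart = $CurrentEnd
        $CurrentEnd = $CurrentEnd.AddMinutes($IntervalMinutes)
        if ($CurrentEnd -gt $End) { $CurrentEnd = $End }
    }
}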