functions/User/Get-HawkUserMailboxAuditing.ps1

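function Get-HawkUserMailboxAuditing {
<#
.SYNOPSIS
    Gathers Mailbox Audit data if enabled for the user.
.DESCRIPTION
    Check if mailbox auditing is enabled for the user.
    If it is, pulls the mailbox audit logs from the time period specified for the investigation.

    Will pull from the Unified Audit Log and the Mailbox Audit Log
.PARAMETER UserPrincipalName
    Single UPN of a user, comma-separated list of UPNs, or array of objects that contain UPNs.
.OUTPUTS

    File: Exchange_UAL_Audit.csv
    Path: \<User>
    Description: All Exchange related audit events found in the Unified Audit Log.

    File: Exchange_Mailbox_Audit.csv
    Path: \<User>
    Description: All Exchange related audit events found in the Mailbox Audit Log.
.EXAMPLE

    Get-HawkUserMailboxAuditing -UserPrincipalName user@contoso.com

    Search for all Mailbox Audit logs from user@contoso.com
.EXAMPLE

    Get-HawkUserMailboxAuditing -UserPrincipalName (get-mailbox -Filter {Customattribute1 -eq "C-level"})

    Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1
#>


    param
    (
        [Parameter(Mandatory = $true)]
        [array]$UserPrincipalName
    )

    # Pulls the Mailbox Audit Log for one user in windows of at most five days,
    # covering StartDate through EndDate, and returns the combined records.
    Function Get-MailboxAuditLogsFiveDaysAtATime {
        param(
            [Parameter(Mandatory = $true)]
            [datetime]$StartDate,
            [Parameter(Mandatory = $true)]
            [datetime]$EndDate,
            [Parameter(Mandatory = $true)]
            $User
        )

        # Per-search cap passed to Search-MailboxAuditLog below
        $ResultCap = 250000

        # Start from an empty local collection so a $Results variable in a
        # calling scope can never be folded into this user's evidence
        $Results = @()

        # An inverted window cannot be searched; say so instead of querying
        if ($StartDate -gt $EndDate) {
            Out-LogFile ("Start date " + [string]$StartDate + " is after end date " + [string]$EndDate + "; no Mailbox Audit Log search performed")
            Return $Results
        }

        # Setup the initial start date
        [datetime]$RangeStart = $StartDate

        do {
            # Get the end of the range we are going to gather data for,
            # clamped so the last window never runs past the investigation end date
            [datetime]$RangeEnd = $RangeStart.AddDays(5)
            if ($RangeEnd -gt $EndDate) {
                $RangeEnd = $EndDate
            }

            # Do the actual search
            Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd)
            $Batch = @(Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -identity $User -ShowDetails -ResultSize $ResultCap)

            # A window that fills the cap has probably been truncated; record that
            # in the log so the export is not read as a complete set of events
            if ($Batch.Count -ge $ResultCap) {
                Out-LogFile ("Range " + [string]$RangeStart + " To " + [string]$RangeEnd + " returned " + $Batch.Count + " records (the ResultSize limit); results for this range may be incomplete")
            }

            $Results += $Batch

            # Set the RangeStart = to the RangeEnd so we do the next range
            # NOTE(review): adjacent windows share a boundary timestamp; if both
            # bounds are inclusive an event exactly on it could appear twice - confirm
            $RangeStart = $RangeEnd
        }
        # Keep pulling until the window has reached the end date
        while ($RangeStart -lt $EndDate)

        # Return the results object
        Return $Results

    }

    ### MAIN ###
    Test-EXOConnection
    Send-AIEvent -Event "CmdRun"

    # Verify our UPN input
    [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName

    foreach ($Object in $UserArray) {
        [string]$User = $Object.UserPrincipalName

        Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action

        # Test if mailbox auditing is enabled
        $mbx = Get-Mailbox -identity $User

        # A failed lookup is not the same finding as "auditing disabled";
        # log it separately so the gap is visible in the investigation record
        if ($null -eq $mbx) {
            Out-LogFile ("Unable to retrieve mailbox for " + $User + "; mailbox audit data was not collected")
            continue
        }

        if ($mbx.AuditEnabled -eq $true) {
            # if enabled pull the mailbox auditing from the unified audit logs
            Out-LogFile "Mailbox Auditing is enabled."
            Out-LogFile "Searching Unified Audit Log for Exchange Related Events"

            # The search is handed to Get-AllUnifiedAuditLogEntry as a command string,
            # so the UPN is embedded as a single-quoted literal with embedded quotes
            # doubled. A UPN containing an apostrophe or other parser-significant
            # character then stays a single argument value.
            # NOTE(review): assumes the helper evaluates this string as a PowerShell
            # command line - the helper is not shown here, confirm.
            $QuotedUser = "'" + $User.Replace("'", "''") + "'"
            $UnifiedAuditLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -UserIDs " + $QuotedUser + " -RecordType ExchangeItem") | select-object -Expandproperty AuditData | convertfrom-json

            # @() gives a dependable count for zero or one returned record
            Out-LogFile ("Found " + @($UnifiedAuditLogs).Count + " Exchange audit records.")

            # Output the data we found
            $UnifiedAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json

            # Search the MailboxAuditLogs as well since they may have different/more information
            Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)"

            $MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User
            Out-LogFile ("Found " + @($MailboxAuditLogs).Count + " Exchange Mailbox audit records.")

            # Output the data we found
            $MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json

        }
        # If auditing is not enabled log it and move on
        # NOTE(review): where organization-wide default mailbox auditing is on, the
        # per-mailbox AuditEnabled value may read False while audit records still
        # exist - confirm that skipping the searches here is the intended behavior
        else {
            Out-LogFile ("Auditing not enabled for " + $User)
        }
    }
}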