functions/User/Start-HawkUserInvestigation.ps1

# Chain the Hawk user functions together to pull data for each specified user
Function Start-HawkUserInvestigation {
<#
.SYNOPSIS
    Gathers common data about a provided user.
.DESCRIPTION
    Runs all Hawk user-related cmdlets against each specified user and gathers the data.
    The tenant configuration is collected once per invocation; the remaining cmdlets
    run sequentially for every user, in the order listed below.

    Cmdlet                          Information Gathered
    -------------------------       -------------------------
    Get-HawkTenantConfiguration     Basic Tenant information
    Get-HawkUserConfiguration       Basic User information
    Get-HawkUserInboxRule           Searches the user for Inbox Rules
    Get-HawkUserEmailForwarding     Looks for email forwarding configured on the user
    Get-HawkUserAutoReply           Looks for enabled AutoReplyConfiguration
    Get-HawkUserAuthHistory         Searches the unified audit log for user logons (run with -ResolveIPLocations)
    Get-HawkUserMailboxAuditing     Searches the unified audit log for mailbox auditing information
    Get-HawkUserAdminAudit          Searches the EXO Audit logs for any commands that were run against the provided user object.
    Get-HawkUserMessageTrace        Pulls the email sent by the user in the last 7 days.
    Get-HawkUserMobileDevice        See the help for Get-HawkUserMobileDevice
.PARAMETER UserPrincipalName
    Single UPN of a user, comma-separated list of UPNs, or array of objects that contain UPNs.
.OUTPUTS
    See help from individual cmdlets for output list.
    All outputs are placed in the $Hawk.FilePath directory
.EXAMPLE
    Start-HawkUserInvestigation -UserPrincipalName bsmith@contoso.com

    Runs all Get-HawkUser* cmdlets against the user with UPN bsmith@contoso.com
.EXAMPLE

    Start-HawkUserInvestigation -UserPrincipalName (get-mailbox -Filter {Customattribute1 -eq "C-level"})

    Runs all Get-HawkUser* cmdlets against all users who have "C-Level" set in CustomAttribute1
.NOTES
    Get-HawkTenantConfiguration is called before the UPN input is passed to Test-UserObject,
    so tenant data is collected even when the supplied UPNs later turn out to be unusable.

    Get-HawkUserAuthHistory is always invoked with -ResolveIPLocations. Presumably this
    looks up a location for each logon IP address; confirm in that cmdlet's help whether the
    lookup sends the addresses to an external service before running this against evidence
    with data-handling restrictions.
#>


    param
    (
        [Parameter(Mandatory = $true)]
        [array]$UserPrincipalName
    )
    # If no output path has been set yet ($Hawk.FilePath is null or empty),
    # initialize the Hawk global object first so later steps have somewhere to write
    if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
        Initialize-HawkGlobalObject
    }

    # Record the start of the investigation in the Hawk log
    Out-LogFile "Investigating Users"
    # NOTE(review): presumably a usage-telemetry event for this command; confirm in Send-AIEvent
    Send-AIEvent -Event "CmdRun"

    # Pull the tenant configuration once, before any per-user collection
    Get-HawkTenantConfiguration

    # Verify our UPN input; the result is iterated below as objects that
    # expose a UserPrincipalName property
    [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName

    # Run every per-user collector, in a fixed order, for each validated user
    foreach ($Object in $UserArray) {
        # Cast to [string]: a missing UserPrincipalName would become an empty string here.
        # NOTE(review): presumably Test-UserObject never returns such an object; confirm.
        [string]$User = $Object.UserPrincipalName

        Out-LogFile "Running Get-HawkUserConfiguration" -action
        Get-HawkUserConfiguration -User $User

        Out-LogFile "Running Get-HawkUserInboxRule" -action
        Get-HawkUserInboxRule -User $User

        Out-LogFile "Running Get-HawkUserEmailForwarding" -action
        Get-HawkUserEmailForwarding -User $User

        Out-LogFile "Running Get-HawkUserAutoReply" -action
        Get-HawkUserAutoReply -User $User

        Out-LogFile "Running Get-HawkUserAuthHistory" -action
        # $user and $User are the same variable (PowerShell variable names are case-insensitive).
        # -ResolveIPLocations is always set; see that cmdlet's help for what the lookup involves.
        Get-HawkUserAuthHistory -User $user -ResolveIPLocations

        Out-LogFile "Running Get-HawkUserMailboxAuditing" -action
        Get-HawkUserMailboxAuditing -User $User

        Out-LogFile "Running Get-HawkUserAdminAudit" -action
        Get-HawkUserAdminAudit -User $User

        Out-LogFile "Running Get-HawkUserMessageTrace" -action
        Get-HawkUserMessageTrace -user $User

        Out-LogFile "Running Get-HawkUserMobileDevice" -action
        Get-HawkUserMobileDevice -user $User
    }
}