
# Search for any changes made to RBAC in the search window and report them
Function Get-HawkTenantDomainActivity {
    Looks for any changes made to M365 Domains. Permissions required to make the changes that thsi function is
    looking for is "Domain Name Administrator" or "Global Administrator
    Searches the EXO Audit logs for the following commands being run.
    Update Domain
    Add Verified Domain
    Add Unverified Domain
    File: Domain_Activity_Changes.csv
    Path: \
    Description: All Domain activity actions
    File: Domain_Activity_Changes.xml
    Path: \XML
    Description: All Domain configuration actions
    Searches for all Domain configuration actions

        # Check if Hawk object exists and is fully initialized
        if (Test-HawkGlobalObject) {

        Send-AIEvent -Event "CmdRun"

        Out-LogFile "Initiating collection of domain configuration changes from the UAL." -Action
        # Search UAL audit logs for any Domain configuration changes
        $DomainConfigurationEvents = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'AzureActiveDirectory' -Operations 'Set-AcceptedDomain','Add-FederatedDomain','Update Domain','Add verified domain', 'Add unverified domain', 'remove unverified domain'")
        # If null we found no changes to nothing to do here
            if ($null -eq $DomainConfigurationEvents){
            Out-LogFile "Get-HawkTenantDomainActivity completed successfully" -Information
            Out-LogFile "No Domain configuration changes found." -Action
        # If not null then we must have found some events so flag them
            Out-LogFile "Domain configuration changes found." -Notice
            Out-LogFile "Please review these Domain_Changes_Audit to ensure any changes are legitimate." -Notice

            # Go thru each even and prepare it to output to CSV
            Foreach ($event in $DomainConfigurationEvents){
                $log1 = $event.auditdata | ConvertFrom-Json
                $domainarray = $log1.ModifiedProperties
                $useragentarray = $log1.ExtendedProperties
                if ($domainarray){
                    $result1 = ($log1.ModifiedProperties.NewValue).Split('"')
                    $Domain = $result1[1]
                else {
                    $Domain = "Domain Not Provided by Audit Log"
                if ($useragentarray){
                    $result2 = ($log1.ExtendedProperties.Value).Split('"')
                    $UserAgentString = $result2[3]
                else {
                    $UserAgentString = "User Agent String Found"
            $newlog = $log1 | Select-Object -Property CreationTime,
                @{Name='User Agent String';Expression={$UserAgentString}},

            $event | Out-MultipleFileType -fileprefix "Domain_Changes_Audit" -csv -append
            $log1 | Out-MultipleFileType -fileprefix "Domain_Changes_Audit" -json -append
    Out-LogFile "Completed collection of domain configuration changes from the UAL." -Information
}#End Function Get-HawkTenantDomainActivity