Converted Authentication log does not seem to be generated in all instances. #19

Open
Absoblogginlutely opened this issue Aug 14, 2019 · 2 comments
Labels
Bug Something isn't working Question Further information is requested

Comments

@Absoblogginlutely
Contributor

I've come into scenarios where the IPs are not looked up and no converted_authentication_log file is generated. Is there a reason/criteria for when this occurs? In a compromised account today, a search over the past 10 days did run through and create the logs; however, a search for the past 120 days did not.
On a related note it would be good to be able to search for logs between X and Y days such as 80-90 days ago to get more details if you knew from other experience that an account was compromised around a certain date in the past.

@Canthv0
Collaborator

Canthv0 commented Aug 28, 2019

If you could provide the logs from a run that didn't generate the converted file that would assist in being able to determine what is failing.

@Canthv0 Canthv0 added Bug Something isn't working Question Further information is requested labels Aug 28, 2019
@Absoblogginlutely
Contributor Author

Absoblogginlutely commented Aug 29, 2019

So I actually have an audit that ran for a user over the time period of 4/16/2019 thru 8/15/2019 that did not generate any logs.
I also happen to have another audit for the same user that ran for the time period of 8/4/2019 thru 8/15/2019 (a subset of the above) and this did generate an audit log.
It appears that the first search across a large time set generated no results, yet the results for the past 11 days did generate results.
Looking at log files and rerunning the command, from the logs I get the following.
$a=Search-UnifiedAuditLog -UserIDs myuser@example.com -RecordType ExchangeItem -StartDate '05/30/2019 00:00:00' -EndDate '08/15/2019 00:00:00'
Audit log search argument startDate should be after 5/30/2019 8:58:55 PM UTC.
+ CategoryInfo : InvalidArgument: (:) [Search-UnifiedAuditLog], ArgumentException

Changing the start date to 5/31 I then get
$a=Search-UnifiedAuditLog -UserIDs myuser@example.com -RecordType ExchangeItem -StartDate '05/31/2019 00:00:00' -EndDate '08/15/2019 00:00:00'
$a.count
100
(100 because I didn't specify the data size.)
So it looks like the logs are not returned if the start date is too soon. It looks like this is because the start date is more than 90 days ago, and that is the max number that is available with an E3 licence.
Therefore, the start date field should default to (get-date).adddays(-90).

Sanitized section of the log below - let me know if you need different logs.
[8/14/2019 9:21:40 AM] - [ACTION] - Retrieving Logon History for myuser@example.com
[8/14/2019 9:21:40 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryAccountLogon
[8/14/2019 9:21:40 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:40 AM] - Search-UnifiedAuditLog -UserIds myuser@example.com -RecordType AzureActiveDirectoryAccountLogon -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092140
[8/14/2019 9:21:44 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:44 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectory
[8/14/2019 9:21:44 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:44 AM] - Search-UnifiedAuditLog -UserIds myuser@example.com -RecordType AzureActiveDirectory -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092144
[8/14/2019 9:21:47 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:47 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryStsLogon
[8/14/2019 9:21:47 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:47 AM] - Search-UnifiedAuditLog -UserIds myuser@example.com -RecordType AzureActiveDirectoryStsLogon -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092147
[8/14/2019 9:21:49 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:50 AM] - [ERROR] - No results found when searching UAL for AzureActiveDirectoryAccountLogon events
[8/14/2019 9:21:51 AM] - [ACTION] - Attempting to Gather Mailbox Audit logs myuser@example.com
[8/14/2019 9:21:52 AM] - Mailbox Auditing is enabled.
[8/14/2019 9:21:52 AM] - Searching Unified Audit Log for Exchange Related Events
[8/14/2019 9:21:52 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:52 AM] - Search-UnifiedAuditLog -UserIDs myuser@example.com -RecordType ExchangeItem -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092152
[8/14/2019 9:21:55 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:55 AM] - Found 0 Exchange audit records.
[8/14/2019 9:21:55 AM] - No Data Found

Logs generated:
[8/14/2019 10:00:35 AM] - [ACTION] - Retrieving Logon History for myuser@example.com
[8/14/2019 10:00:36 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryAccountLogon
[8/14/2019 10:00:36 AM] - Running Unified Audit Log Search
[8/14/2019 10:00:36 AM] - Search-UnifiedAuditLog -UserIds myuser@example.com -RecordType AzureActiveDirectoryAccountLogon -StartDate '08/04/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 100036
[8/14/2019 10:00:43 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 10:00:43 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectory
[8/14/2019 10:00:43 AM] - Running Unified Audit Log Search
[8/14/2019 10:00:43 AM] - Search-UnifiedAuditLog -UserIds myuser@example.com -RecordType AzureActiveDirectory -StartDate '08/04/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 100043
[8/14/2019 10:00:46 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 10:00:46 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryStsLogon
[8/14/2019 10:00:46 AM] - Running Unified Audit Log Search
[8/14/2019 10:00:46 AM] - Search-UnifiedAuditLog -UserIds myuser@example.com -RecordType AzureActiveDirectoryStsLogon -StartDate '08/04/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 100046
[8/14/2019 10:01:07 AM] - Retrieved all results.
[8/14/2019 10:01:07 AM] - Retrieved:648 Total: 648
[8/14/2019 10:01:07 AM] - Converting AuditData
[8/14/2019 10:01:08 AM] - [ERROR] - 0 Entries failed JSON Conversion
[8/14/2019 10:01:08 AM] - No Data Found
[8/14/2019 10:01:08 AM] - Reading file C:\Users\ahelsby\AppData\Local\Hawk\Hawk.json
[8/14/2019 10:01:08 AM] - Building MSFTIPList
[8/14/2019 10:01:08 AM] - Loading Networking functions from C:\Program Files\WindowsPowerShell\Modules\hawk\1.10.1\System.Net.IPNetwork.dll
[8/14/2019 10:01:32 AM] - Found 0 unique MSFT IPv6 address ranges
[8/14/2019 10:01:32 AM] - Found 0 unique MSFT IPv4 address ranges
[8/14/2019 10:01:32 AM] - Creating global variable $MSFTIPList
[8/14/2019 10:02:50 AM] - Converting to Human Readable
[8/14/2019 10:03:07 AM] - Writing Data to c:\temp\hawk\naht\20190814_0959\myuser@example.com\Converted_Authentication_Logsmyuser@example.com.csv
[8/14/2019 10:03:07 AM] - Writing Data to c:\temp\hawk\naht\20190814_0959\myuser@example.com\Raw_Authentication_Logsmyuser@example.com.csv

@Absoblogginlutely Absoblogginlutely changed the title Converted Authenication log does not seem to be generated in all instances. Converted Authentication log does not seem to be generated in all instances. Aug 29, 2019
@T0pCyber T0pCyber self-assigned this Mar 31, 2023
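Two things come out of the thread above: Search-UnifiedAuditLog rejects or silently returns nothing for a StartDate older than the tenant's retention window (the reporter ties this to the 90-day limit of an E3 licence), and the original request asked for a way to search an arbitrary "X to Y days ago" range. The following is an added example, not Hawk's own code, that covers both: it clamps the requested window to an assumed retention period before calling the cmdlet, and pages through a ReturnLargeSet session. Everything except Search-UnifiedAuditLog and its documented parameters (-UserIds, -RecordType, -StartDate, -EndDate, -SessionCommand, -SessionId, -ResultSize) is assumed: the 90-day retention value, the one-day safety margin, and the two function names.

```powershell
# Added example (not Hawk's own code). Assumptions: the tenant keeps 90 days of
# unified audit log (the E3 figure quoted in the thread), and a one-day margin
# keeps the start inside the precise UTC cut-off the cmdlet reports in its
# error message (e.g. "should be after 5/30/2019 8:58:55 PM UTC").

function Get-UalSearchWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$DaysAgoStart,        # older bound, e.g. 90
        [int]$DaysAgoEnd = 0,                             # newer bound, e.g. 80
        [int]$RetentionDays = 90,                         # assumed tenant retention
        [int]$SafetyMarginDays = 1,                       # assumed margin below the cut-off
        [datetime]$Now = (Get-Date).ToUniversalTime()     # StartDate/EndDate are read as UTC
    )
    if ($DaysAgoEnd -gt $DaysAgoStart) {
        throw "DaysAgoEnd ($DaysAgoEnd) must not exceed DaysAgoStart ($DaysAgoStart)."
    }
    $requestedStart = $Now.Date.AddDays(-$DaysAgoStart)
    $end            = $Now.Date.AddDays(-$DaysAgoEnd).AddDays(1)   # end of the newer day
    $oldestAllowed  = $Now.AddDays(-($RetentionDays - $SafetyMarginDays))

    $start   = $requestedStart
    $clamped = $false
    if ($start -lt $oldestAllowed) {
        # This is the failure mode from the thread: a start date older than the
        # retention window produces an ArgumentException or an empty result set.
        $start   = $oldestAllowed
        $clamped = $true
        Write-Warning ("Requested start {0:u} is older than the {1}-day retention window; using {2:u} instead." -f $requestedStart, $RetentionDays, $start)
    }
    if ($start -ge $end) {
        throw "The whole requested range lies outside the retention window; nothing to search."
    }
    [pscustomobject]@{ StartDate = $start; EndDate = $end; Clamped = $clamped }
}

function Search-UalWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$RecordType,        # e.g. ExchangeItem, AzureActiveDirectoryStsLogon
        [Parameter(Mandatory)][int]$DaysAgoStart,
        [int]$DaysAgoEnd = 0,
        [int]$RetentionDays = 90
    )
    $window    = Get-UalSearchWindow -DaysAgoStart $DaysAgoStart -DaysAgoEnd $DaysAgoEnd -RetentionDays $RetentionDays
    $sessionId = "ual-{0}-{1:yyyyMMddHHmmss}" -f $RecordType, (Get-Date)
    $all       = New-Object System.Collections.Generic.List[object]

    # ReturnLargeSet pages the result set; keep calling with the same SessionId
    # until the cmdlet returns nothing. Pages are not guaranteed unique, so the
    # caller should de-duplicate on Identity before converting AuditData.
    do {
        $page = Search-UnifiedAuditLog -UserIds $UserId -RecordType $RecordType `
            -StartDate $window.StartDate -EndDate $window.EndDate `
            -SessionCommand ReturnLargeSet -SessionId $sessionId -ResultSize 5000
        if ($page) { $all.AddRange([object[]]$page) }
    } while ($page)

    Write-Verbose ("{0} records of type {1} for {2} between {3:u} and {4:u} (clamped: {5})" -f $all.Count, $RecordType, $UserId, $window.StartDate, $window.EndDate, $window.Clamped)
    return $all
}

# Usage (needs an Exchange Online session with audit log search rights):
#   Search-UalWindow -UserId myuser@example.com -RecordType ExchangeItem -DaysAgoStart 90 -DaysAgoEnd 80 -Verbose |
#       Sort-Object Identity -Unique
```

Get-UalSearchWindow can be exercised offline by passing -Now, for instance `Get-UalSearchWindow -DaysAgoStart 120 -Now ([datetime]'2019-08-15Z')`, which returns a window starting 89 days before that date with Clamped set to true; the warning it emits is the signal that would have explained the empty 4/16 to 8/15 run in the thread, where the tool instead reported "No Data Found".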