Functions/Audit/Get-SecurityAuditPolicySetting.ps1

<#
    .SYNOPSIS
        Get one audit policy setting on the local system.
 
    .DESCRIPTION
        This command uses the auditpol.exe command to get the current audit
        policy setting for the local system and parse the output for the target
        setting.
 
    .INPUTS
        None.
 
    .OUTPUTS
        System.Boolean. Return true if the audit policy is enabled, false if not.
 
    .EXAMPLE
        PS C:\> Get-SecurityAuditPolicySetting -Category 'Object Access' -Subcategory 'File System' -Setting 'Success'
        Returns the current setting for success audit on the file system object
        access audit policy.
 
    .LINK
        https://github.com/claudiospizzi/SecurityFever
#>

function Get-SecurityAuditPolicySetting
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        # Audit policy category
        [Parameter(Mandatory = $true)]
        [System.String]
        $Category,

        # Audit policy subcategory
        [Parameter(Mandatory = $true)]
        [System.String]
        $Subcategory,

        # Audit policy setting
        [Parameter(Mandatory = $true)]
        [ValidateSet('Success', 'Failure')]
        [System.String]
        $Setting
    )

    $auditPolicies = Get-SecurityAuditPolicy

    foreach ($auditPolicy in $auditPolicies)
    {
        if ($auditPolicy.Category -eq $Category -and $auditPolicy.Subcategory -eq $Subcategory)
        {
            switch ($Setting)
            {
                'Success' { return $auditPolicy.AuditSuccess }
                'Failure' { return $auditPolicy.AuditFailure }
            }
        }
    }

    throw "No audit policy found for category $Category and subcategory $Subcategory."
}