HAWK
3.2.4
Microsoft 365 Incident Response and Threat Hunting PowerShell tool.
The Hawk is designed to ease the burden on M365 administrators who are performing Cloud forensic tasks for their organization.
It accelerates the gathering of data from multiple sources in the service that can be used to quickly identify malicious presence and activity.
Minimum PowerShell version
5.0
Copyright
Copyright (c) 2025 Paul Navarro
Package Details
Author(s)
- Paul Navarro
- Jonathan Butler
Tags
O365 Security Audit Breach Investigation Exchange EXO Compliance Logon M365 Incident-Response Solarigate
Functions
Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRule Get-HawkTenantConsentGrant Get-HawkTenantRBACChange Get-HawkTenantAzureAppAuditLog Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Search-HawkTenantActivityByIP Get-HawkTenantAdminInboxRuleCreation Get-HawkTenantAdminInboxRuleModification Get-HawkTenantAdminInboxRuleRemoval Get-HawkTenantAdminMailboxPermissionChange Get-HawkTenantAdminEmailForwardingChange Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit Get-HawkTenantAuditLog Get-HawkTenantAuthHistory Get-HawkUserHiddenRule Get-HawkMessageHeader Get-HawkUserPWNCheck Get-HawkUserAutoReply Get-HawkUserMessageTrace Get-HawkUserMobileDevice Get-HawkTenantEntraIDAdmin Get-HawkTenantEXOAdmin Get-HawkTenantMailItemsAccessed Get-HawkTenantAppAndSPNCredentialDetail Get-HawkTenantEntraIDUser Get-HawkTenantDomainActivity Get-HawkTenantEDiscoveryLog
Dependencies
- ExchangeOnlineManagement (>= 3.0.0)
- Microsoft.Graph.Applications (>= 2.25.0)
- Microsoft.Graph.Authentication (>= 2.25.0)
- Microsoft.Graph.Identity.DirectoryManagement (>= 2.25.0)
- Microsoft.Graph.Identity.Signins (>= 2.25.0)
- Microsoft.Graph.Reports (>= 2.25.0)
- Microsoft.Graph.Users (>= 2.25.0)
- PSAppInsights (>= 0.9.6)
- PSFramework (>= 1.12.346)
Release Notes
https://github.com/T0pCyber/hawk/blob/master/Hawk/changelog.md
FileList
- Hawk.nuspec
- internal\functions\Add-HawkAppData.ps1
- internal\functions\Test-UserObject.ps1
- changelog.md
- functions\Tenant\Get-HawkTenantEDiscoveryConfiguration.ps1
- internal\functions\Compress-HawkData.ps1
- internal\functions\Write-HawkBanner.ps1
- functions\Tenant\Get-HawkTenantEDiscoveryLog.ps1
- internal\functions\Convert-ReportToHTML.ps1
- internal\scriptblocks\scriptblocks.ps1
- Hawk.psd1
- functions\Tenant\Get-HawkTenantEntraIDAdmin.ps1
- internal\functions\Get-AllUnifiedAuditLogEntry.ps1
- internal\scripts\license.ps1
- Hawk.psm1
- functions\Tenant\Get-HawkTenantEntraIDUser.ps1
- internal\functions\Get-AzureADPSPermission.ps1
- internal\scripts\postimport.ps1
- readme.md
- functions\Tenant\Get-HawkTenantEXOAdmin.ps1
- internal\functions\Get-HawkUserPath.ps1
- internal\scripts\preimport.ps1
- bin\readme.md
- functions\Tenant\Get-HawkTenantInboxRule.ps1
- internal\functions\Get-IPGeolocation.ps1
- internal\scripts\strings.ps1
- bin\System.Net.IPNetwork.dll
- functions\Tenant\Get-HawkTenantMailItemsAccessed.ps1
- internal\functions\Get-SimpleAdminAuditLog.ps1
- internal\scripts\pre_commit_hook_scripts\Invoke-PowerShellScriptAnalyzer.ps1
- en-us\about_Hawk.help.txt
- functions\Tenant\Get-HawkTenantRbacChange.ps1
- internal\functions\Get-SimpleUnifiedAuditLog.ps1
- internal\tepp\assignment.ps1
- en-us\strings.psd1
- functions\Tenant\Search-HawkTenantActivityByIP.ps1
- internal\functions\Import-AzureAuthenticationLog.ps1
- internal\tepp\example.tepp.ps1
- functions\readme.md
- functions\Tenant\Start-HawkTenantInvestigation.ps1
- internal\functions\Initialize-HawkGlobalObject.ps1
- internal\tepp\readme.md
- functions\General\Show-HawkHelp.ps1
- functions\User\Get-HawkUserAdminAudit.ps1
- internal\functions\Out-HawkAppData.ps1
- tests\pester.ps1
- functions\General\Update-HawkModule.ps1
- functions\User\Get-HawkUserAuthHistory.ps1
- internal\functions\Out-LogFile.ps1
- tests\readme.md
- functions\Message\Get-HawkMessageHeader.ps1
- functions\User\Get-HawkUserAutoReply.ps1
- internal\functions\Out-MultipleFileType.ps1
- tests\functions\readme.md
- functions\Tenant\Get-HawkTenantAdminEmailForwardingChange.ps1
- functions\User\Get-HawkUserConfiguration.ps1
- internal\functions\Out-Report.ps1
- tests\general\FileIntegrity.Exceptions.ps1
- functions\Tenant\Get-HawkTenantAdminInboxRuleCreation.ps1
- functions\User\Get-HawkUserEmailForwarding.ps1
- internal\functions\Read-HawkAppData.ps1
- tests\general\FileIntegrity.Tests.ps1
- functions\Tenant\Get-HawkTenantAdminInboxRuleModification.ps1
- functions\User\Get-HawkUserHiddenRule.ps1
- internal\functions\readme.md
- tests\general\Help.Exceptions.ps1
- functions\Tenant\Get-HawkTenantAdminInboxRuleRemoval.ps1
- functions\User\Get-HawkUserInboxRule.ps1
- internal\functions\Select-UniqueObject.ps1
- tests\general\Help.Tests.ps1
- functions\Tenant\Get-HawkTenantAdminMailboxPermissionChange.ps1
- functions\User\Get-HawkUserMailboxAuditing.ps1
- internal\functions\Start-SleepWithProgress.ps1
- tests\general\Manifest.Tests.ps1
- functions\Tenant\Get-HawkTenantAppAndSPNCredentialDetail.ps1
- functions\User\Get-HawkUserMessageTrace.ps1
- internal\functions\Test-CCOConnection.ps1
- tests\general\strings.Exceptions.ps1
- functions\Tenant\Get-HawkTenantAuditLog.ps1
- functions\User\Get-HawkUserMobileDevice.ps1
- internal\functions\Test-EXOConnection.ps1
- tests\general\strings.Tests.ps1
- functions\Tenant\Get-HawkTenantAuthHistory.ps1
- functions\User\Get-HawkUserPWNCheck.ps1
- internal\functions\Test-GraphConnection.ps1
- tests\general\Test-PreCommitHook.ps1
- functions\Tenant\Get-HawkTenantAzureAppAuditLog.ps1
- functions\User\Start-HawkUserInvestigation.ps1
- internal\functions\Test-MicrosoftIP.ps1
- xml\Hawk.Format.ps1xml
- functions\Tenant\Get-HawkTenantConfiguration.ps1
- internal\configurations\configuration.ps1
- internal\functions\Test-RecipientAge.ps1
- xml\Hawk.Types.ps1xml
- functions\Tenant\Get-HawkTenantConsentGrant.ps1
- internal\configurations\PSScriptAnalyzerSettings.psd1
- internal\functions\Test-SuspiciousInboxRule.ps1
- xml\readme.md
- functions\Tenant\Get-HawkTenantDomainActivity.ps1
- internal\configurations\readme.md
Version History
Version | Downloads | Last updated |
---|---|---|
3.2.4 (current version) | 5,379 | 1/8/2025 |
3.2.3 | 352 | 1/7/2025 |
3.1.2 | 10,643 | 12/1/2024 |
3.1.0 | 39,476 | 3/30/2023 |
3.0.0 | 4,255 | 4/9/2022 |
2.0.3.2 | 4,650 | 5/7/2021 |
2.0.3.1 | 28 | 5/7/2021 |
2.0.2 | 31 | 5/7/2021 |
2.0.1 | 514 | 3/31/2021 |
2.0.0 | 1,237 | 1/5/2021 |
1.15.1 | 225 | 12/19/2020 |
1.15.0 | 3,415 | 12/19/2019 |
1.14.3 | 52 | 12/18/2019 |
1.14.2 | 366 | 11/13/2019 |
1.14.1 | 27 | 11/13/2019 |
1.14.0 | 461 | 9/25/2019 |
1.13.6 | 308 | 8/29/2019 |
1.13.3 | 61 | 8/26/2019 |
1.13.2 | 76 | 8/22/2019 |
1.13.1 | 54 | 8/21/2019 |
1.13.0 | 58 | 8/20/2019 |
1.12.1 | 30 | 8/20/2019 |
1.12.0 | 27 | 8/20/2019 |
1.10.1 | 412 | 7/9/2019 |
1.9.0 | 27 | 7/9/2019 |
1.8.8 | 29 | 7/9/2019 |
1.8.7 | 366 | 6/14/2019 |
1.8.6 | 342 | 5/24/2019 |
1.8.5 | 34 | 5/23/2019 |
1.8.4 | 59 | 5/21/2019 |
1.8.3 | 70 | 5/16/2019 |
1.8.2 | 29 | 5/16/2019 |
1.8.1 | 47 | 5/14/2019 |
1.8.0 | 30 | 5/14/2019 |
1.7.1 | 364 | 4/23/2019 |
1.6.13 | 177 | 4/12/2019 |
1.6.11 | 75 | 4/3/2019 |
1.6.9 | 535 | 12/13/2018 |
1.6.8 | 25 | 12/13/2018 |
1.6.7 | 33 | 12/12/2018 |
1.6.6 | 29 | 12/12/2018 |
1.6.5 | 30 | 12/12/2018 |
1.6.4 | 27 | 12/11/2018 |
1.6.3 | 84 | 12/10/2018 |
1.6.1 | 198 | 11/13/2018 |
1.6.0 | 29 | 11/13/2018 |
1.5.0 | 72 | 11/8/2018 |
1.4.0 | 82 | 10/30/2018 |
1.3.2 | 160 | 10/1/2018 |
1.3.1 | 31 | 10/1/2018 |
1.2.6 | 52 | 9/27/2018 |
1.2.5 | 29 | 9/27/2018 |
1.2.4 | 103 | 9/6/2018 |
1.2.3 | 203 | 7/19/2018 |
1.2.2 | 108 | 6/29/2018 |
1.2.1 | 46 | 6/26/2018 |
1.2.0 | 32 | 6/25/2018 |
1.1.4 | 344 | 5/18/2018 |