HAWK

Author(s)

• hawk_feedback@microsoft.com

Tags

O365 Security Audit Breach Investigation Exchange EXO Compliance Logon

Functions

Get-HawkTenantAzureAuthenticationLogs Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantOauthConsentGrants Get-HawkTenantRBACChanges Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Initialize-HawkGlobalObject Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit Get-HawkTenantAuthHistory Get-HawkUserHiddenRule Get-HawkMessageHeader Get-HawkUserPWNCheck Get-HawkUserAutoReply Get-HawkUserMessageTrace Get-HawkUserMobileDevice

Dependencies

• • CloudConnect (>= 1.1.2)
  • PSAppInsights (>= 0.9.6)
  • RobustCloudCommand (>= 1.1.3)

Release Notes

       1.14.2 - Fixed issue with start-hawktenantinvestigation using the wrong cmdlet
       1.14.1 - Minor updates to logging etc.
       1.14.0 - Update Start-HawkTenantInvestigation and Start-HawkUserInvestigation to better log the cmdlets they are running.
       1.14.0 - Fixed issue with Get-HawkUserMailboxAuditing where it was not searching in 5 day increments like it was supposed to.
       1.14.0 - Updated Global Object code to handle new range input.
       1.14.0 - Added support for setting a date RANGE instead of X days until now.
       1.13.7 - Hawk Global object now stores datetime objects.
       1.13.7 - Cmdlets have been updated to support the change and should continue to work -- please report any issues
       1.13.7 - Hawk should now properly handle US (mm/dd/yyyy) and non-US (dd/mm/yyyy) date formats
       1.13.6 - Fixed null check issue with Search-HawkTenantActivityByIP that was generating an error when no successful logons were found.
       1.13.5 - Update Get IP code to not check Null IP Addresses.  Now puts country as "NULL IP" in those cases. (wiseleaf23)
       1.13.4 - Changed initilization order so that application insights is starting first
       1.13.3 - Fixed a Recursion with the upgrade funcationality.  If 1.13.2 was install a MANUAL update to 1.13.3 will be required. Update-Module Hawk
       1.13.2 - Fixed automatic update logic to properly update when a revision occurs
       1.13.2 - Impoved version reporting to log file
       1.13.1 - Fixed Start-HawkUserInvestigation by removing (s) from a cmdlet name
       1.13.0 - Files output to the user directory now contain _<user> this is to allow excel to open multiple CSV files with the "same" name (Suggestion from Absoblogginlutely)
       1.12.1 - Added Get-HawkUserMobileDevices to Start-HawkUserInvestigation
       1.12.0 - Added Get-HawkUserMobileDevices to gather mobile devices and flag devices to investigate
       1.11.0 - Added Get-HawkUserMessageTrace to Start-HawkUserInvestigation
       1.11.0 - Added Get-HawkUserMessageTrace to pull all email sent by a user in the last 7 days (Suggestion from Absoblogginglutely)
       1.10.2 - Fixed issue with Start-HawkUserInvestigation where there were duplicate parameters (TheSleepingFox)
       1.10.2 - Fixed Issue with Get-HawkUserAdminAudit log where an output parameter was missing (TheSleepingFox)
       1.10.2 - Get-HawkUserPWNCheck is working for now, site is going to move to an API key so updates will need to be made in the future. (Absoblogginlutely)
       1.10.1 - Corrected issue with IP address lookup code that resulted in extensive errors
       1.10.0 - Updated Test-MSOLConnection to automatically connect using Connect-MSOLService