HAWK

1.2.0

The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization. It accelerates the gathering of data from multiple sources in the service.

It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.

YouTube Playlist:
https://www.yo/

Minimum PowerShell version

5.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name HAWK -RequiredVersion 1.2.0

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name HAWK -Version 1.2.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

Package Details

Author(s)

hawk_feedback@microsoft.com

Functions

Get-HawkTenantAzureAuthenticationLogs Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantOauthConsentGrants Get-HawkTenantRBACChanges Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Initialize-HawkGlobalObject Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule

Dependencies

This module has no dependencies.

Release Notes

       1.2.0 - Get-HawkTenantEXOAuditLog RunDate timezone was ambiguous. It now outputs in UTC and calls that out.
       1.2.0 - Updated Description
       1.2.0 - Moved all exported function out of hawk.psm1 into seperate ps1 files. This should make things easier to manage / read.
       1.1.4 - Fixed issue where incorrect logging cmdlet was being called
       1.1.3 - Removed Compress-HawkData cmdlet
       1.1.3 - Update description, URL, and Icon
       1.1.2 - Fixed issue with using the wrong account to try and access the windows graph API
       1.1.1 - All files related to the tenenat are now put in the \Tenant directory
       1.1.1 - Reduced the number of text files generated as output
       1.1.1 - Updated Get-HawkTenantAzureAuthenticationLogs to use user credentials instead of APP credentials
       1.1.0 - New Cmdlet Get-HawkTenantAzureAuthenticationLogs will gather Azure AD Sign In logs if you have P1 or P2 license
       1.0.1 - Fixed issue with date range validation failing occasionally
       1.0.0 - BREAKING CHANGE - HawkUser cmdlets now take -UserPrincipalName instead of -User
       1.0.0 - -UserPrincipalName supports providing list of UPNs or array of objects with UserPrincipalName properties
       1.0.0 - Fixed minor issue with incorrect output to the screen when testing for EXO connections

FileList

Hawk.nuspec
Hawk.psd1
Hawk.psm1
Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll
Start-RobustCloudCommand.ps1
System.Net.IPNetwork.dll
Tenant\Get-HawkTenantAzureAuthenticationLogs.ps1
Tenant\Get-HawkTenantConfiguration.ps1
Tenant\Get-HawkTenantEDiscoveryConfiguration.ps1
Tenant\Get-HawkTenantInboxRules.ps1
Tenant\Get-HawkTenantOauthConsentGrants.ps1
Tenant\Get-HawkTenantRbacChanges.ps1
Tenant\Search-HawkTenantActivityByIP.ps1
Tenant\Search-HawkTenantEXOAuditLog.ps1
Tenant\Start-HawkTenantInvestigation.ps1
User\Get-HawkUserAuthHistory.ps1
User\Get-HawkUserConfiguration.ps1
User\Get-HawkUserEmailForwarding.ps1
User\Get-HawkUserInboxRule.ps1
User\Get-HawkUserMailboxAuditing.ps1
User\Start-HawkUserInvestigation.ps1

Version History

Version	Downloads	Last updated
3.2.4	6,118	1/8/2025
3.2.3	352	1/7/2025
3.1.2	10,643	12/1/2024
3.1.0	39,476	3/30/2023
3.0.0	4,255	4/9/2022
2.0.3.2	4,653	5/7/2021
2.0.3.1	28	5/7/2021
2.0.2	31	5/7/2021
2.0.1	514	3/31/2021
2.0.0	1,237	1/5/2021
1.15.1	225	12/19/2020
1.15.0	3,415	12/19/2019
1.14.3	52	12/18/2019
1.14.2	366	11/13/2019
1.14.1	27	11/13/2019
1.14.0	461	9/25/2019
1.13.6	308	8/29/2019
1.13.3	61	8/26/2019
1.13.2	76	8/22/2019
1.13.1	54	8/21/2019
1.13.0	58	8/20/2019
1.12.1	30	8/20/2019
1.12.0	27	8/20/2019
1.10.1	412	7/9/2019
1.9.0	27	7/9/2019
1.8.8	29	7/9/2019
1.8.7	366	6/14/2019
1.8.6	342	5/24/2019
1.8.5	34	5/23/2019
1.8.4	59	5/21/2019
1.8.3	70	5/16/2019
1.8.2	29	5/16/2019
1.8.1	47	5/14/2019
1.8.0	30	5/14/2019
1.7.1	364	4/23/2019
1.6.13	177	4/12/2019
1.6.11	75	4/3/2019
1.6.9	535	12/13/2018
1.6.8	25	12/13/2018
1.6.7	33	12/12/2018
1.6.6	29	12/12/2018
1.6.5	30	12/12/2018
1.6.4	27	12/11/2018
1.6.3	84	12/10/2018
1.6.1	198	11/13/2018
1.6.0	29	11/13/2018
1.5.0	72	11/8/2018
1.4.0	82	10/30/2018
1.3.2	160	10/1/2018
1.3.1	31	10/1/2018
1.2.6	52	9/27/2018
1.2.5	29	9/27/2018
1.2.4	103	9/6/2018
1.2.3	203	7/19/2018
1.2.2	108	6/29/2018
1.2.1	46	6/26/2018
1.2.0 (current version)	32	6/25/2018
1.1.4	344	5/18/2018

Show less