It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.
Hawk has moved to GitHub and is a
It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.
Hawk has moved to GitHub and is availble for all to contribute.
Minimum PowerShell version
Installation Options
(c) 2017 matbyrd@microsoft.com. All rights reserved.
Package Details
- hawk_feedback@microsoft.com
O365 Security Audit Breach Investigation Exchange EXO Compliance Logon
Get-HawkTenantAzureAuthenticationLogs Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantOauthConsentGrants Get-HawkTenantRBACChanges Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Initialize-HawkGlobalObject Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit
This module has no dependencies.
Release Notes
1.3.2 - Fixed issue with JSON conversion throwing errors on duplicate properties
1.3.1 - Updated Get-HawkUserAuthHistory to generate fewer files that are more readable
1.3.1 - Updated Get-HawkUserAuthHistory to gather more authentication data
1.2.6 - Included EMS sku in list of SKUs that can do advanced AD searches as the azure P1 plan is part of that SKU
1.2.5 - Fixed issue with search-adminaudit log where in one instance it was only searching 14 days
1.2.5 - Updated output files for Get-HawkUserAuthHistory to be more clear about what they contain
1.2.5 - Updated output for Get-HawkUserAuthHistory so that it will always return all files
1.2.4 - Updated with GitHub Link
1.2.4 - Added Get-HawkUserAdminAudit to return all exo shell changes recorded in the admin audit log for a given user
1.2.3 - Fixed issue where geoip lookups were failing
1.2.3 - GeoIp lookups are now using http://api.ipstack.com/ users will need to provide their own API key due to 10k per month limit on free accounts
1.2.3 - Introduced storing Hawk Data between sessions by storing in %localappdata%\hawk\hawk.json
1.2.2 - Fixed issue where Get-HawkTenantAzureAuthenticationLogs was only retrieving 1000 results
1.2.1 - Fixed issues with accepting input on -userprincipalname where it would better accept all three cases String,Array of Strings,Array of Objects
1.2.1 - Fixed an issue with Get-HawkTenantInboxRules where it would fail if there was a space in the path to the module
1.2.0 - Get-HawkTenantEXOAuditLog RunDate timezone was ambiguous. It now outputs in UTC and calls that out.
1.2.0 - Updated Description
1.2.0 - Moved all exported function out of hawk.psm1 into seperate ps1 files. This should make things easier to manage / read.
- Hawk.nuspec
- Hawk.psd1
- Hawk.psm1
- Microsoft.IdentityModel.Clients.ActiveDirectory.dll
- Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll
- Start-RobustCloudCommand.ps1
- System.Net.IPNetwork.dll
- .git\config
- .git\description
- .git\HEAD
- .git\index
- .git\ORIG_HEAD
- .git\packed-refs
- Tenant\Get-HawkTenantAzureAuthenticationLogs.ps1
- Tenant\Get-HawkTenantConfiguration.ps1
- Tenant\Get-HawkTenantEDiscoveryConfiguration.ps1
- Tenant\Get-HawkTenantInboxRules.ps1
- Tenant\Get-HawkTenantOauthConsentGrants.ps1
- Tenant\Get-HawkTenantRbacChanges.ps1
- Tenant\Search-HawkTenantActivityByIP.ps1
- Tenant\Search-HawkTenantEXOAuditLog.ps1
- Tenant\Start-HawkTenantInvestigation.ps1
- User\Get-HawkUserAdminAudit.ps1
- User\Get-HawkUserAuthHistory.ps1
- User\Get-HawkUserConfiguration.ps1
- User\Get-HawkUserEmailForwarding.ps1
- User\Get-HawkUserInboxRule.ps1
- User\Get-HawkUserMailboxAuditing.ps1
- User\Start-HawkUserInvestigation.ps1
- .git\hooks\applypatch-msg.sample
- .git\hooks\commit-msg.sample
- .git\hooks\fsmonitor-watchman.sample
- .git\hooks\post-update.sample
- .git\hooks\pre-applypatch.sample
- .git\hooks\pre-commit.sample
- .git\hooks\pre-push.sample
- .git\hooks\pre-rebase.sample
- .git\hooks\pre-receive.sample
- .git\hooks\prepare-commit-msg.sample
- .git\hooks\update.sample
- .git\info\exclude
- .git\logs\HEAD
- .git\objects\01\08f69c29bd12ac1e562dc469b6ba700ab77bda
- .git\objects\02\439362bca363b0236f4a56a7f596890b0a3111
- .git\objects\07\b55bafb0e4dc849474edef6743ee22f2afe69f
- .git\objects\0d\ec768ddd4d0e5820736d1ed09537e513184f37
- .git\objects\10\3bece649f3a3bafe8f9e865cb34c022c04b92f
- .git\objects\11\ad9e492204d19cbe4dc6a861b596e07718adba
- .git\objects\12\5e93eadd835e92756858a05f91e7a6c4528ac2
- .git\objects\24\4ff97994b52d0e9483efce280b93c2af4665df
- .git\objects\29\615bd9a90c458bf8d0eeb1455718623cab1cbd
- .git\objects\2b\966495725566e4748e42ba4d7f309d49eb2e49
- .git\objects\2e\048721e8096c213b1612b7a1bb1360e105d164
- .git\objects\2f\f69a953422cb224968d90d5b1b6cf1f819eb31
- .git\objects\30\d2c053e49b791d1bd99883bc06dcf3a19c0034
- .git\objects\32\398675abb1ba4009da6154b1aa21ced39dbe84
- .git\objects\32\812dfac338057717be726f78e1a9a2175768bd
- .git\objects\3b\d6d95a1aefee1e59133f944ea8c54c2e0ca902
- .git\objects\3b\e44f49b6a6177ce112f36fc730c24e696a923a
- .git\objects\3d\6227062ac52312f3415d049330a20d7a59ce24
- .git\objects\3f\533561c7636f174d3b5c2dbf5d0069e957d8ed
- .git\objects\41\7b210a02ee319d51d6f403600c5ff9a043e659
- .git\objects\43\7f861fb3cdd69962b09c10ca7483226d5b83e7
- .git\objects\50\103234b4d068ee79ab3b3e5b2df3f14e4843d7
- .git\objects\53\06629ce3aa3d433445d98873c666701153f7f8
- .git\objects\53\d0d686a1178faab0738f339647247fdc858143
- .git\objects\5b\3b7728de38f4d3a6ee13850bcac0abe05131ef
- .git\objects\5b\9691b9fd32e184731590b084e150c5c32f172c
- .git\objects\5c\0100727bbdab3b133deed80a4283217e9e00c3
- .git\objects\5d\fe575dfe7b00e55190f1baacdeae76885d4adf
- .git\objects\61\3264fec6c6b82170e6105d16ee9952062fac18
- .git\objects\62\b3f29eb40e730f4cf25593d40e2b84e78bb601
- .git\objects\69\917692ec0e5950eaf110df1207f0f55b240cca
- .git\objects\6b\764940687f44c213cf28ad349749d470635bd6
- .git\objects\75\b64885b0cf0d351de56acfc927917d00ea054e
- .git\objects\77\a51b69adfe94c5e503d935ab48ff4b2fd97ee0
- .git\objects\77\e78dba4c28d74a0cf199b791f919a49b1b73da
- .git\objects\78\28b387c508d08f780a47082cf9c379d6bc41f8
- .git\objects\7b\93b5ae6af76ee72777afcd4af1162b76821f8f
- .git\objects\7d\60855daf15bd6d4f604734e0bb5134837fa7f5
- .git\objects\7e\46f1a07636a020911cb286effa006cdd637889
- .git\objects\8e\9a3071f029ec0418bbff8104aba325fd1c3887
- .git\objects\97\7970b69493eb61a0b265322f4b00e789b1786f
- .git\objects\97\cbb1c848a08e1d034067ac7ce0742c32e328c5
- .git\objects\9c\394c6606bc927e3aeab9f4e8a225143b2a6f2b
- .git\objects\9c\d7cf1eae36525c5b4635c749ae1d2ea15899db
- .git\objects\9d\cad59dc81ef33079f617c123234966cd5cc140
- .git\objects\9f\acea8acab1c206463a59705dbc249b45e5a8f0
- .git\objects\a1\753a6ab4433d3867ac4ff3309363f9723b1528
- .git\objects\a9\140fc95c8f1b3f3d6ea95317b3c9794253d456
- .git\objects\b7\883c26e47ac7cc801717d213d0bdeb1c0c6855
- .git\objects\bb\c3bb0b713d0f1b2b6dba10bc7c92bb9f5838f2
- .git\objects\bd\1b369cc72d95d2c29d8b9409cf18197b8b4f8c
- .git\objects\bf\07f6fa3b2000f815a4e73491a6875b2cd17834
- .git\objects\c3\429466ac4481d86d76d10fb4ca12a163bcfd40
- .git\objects\ca\e6308e4958e09e6c5d17150d2a1411c156f796
- .git\objects\ce\01bf0a54137d233f8f921aa8782fa992404b12
- .git\objects\d0\82cc979a7ab322d43ee9e6646052df6d7d0d4c
- .git\objects\d0\8ad8caf7319194c12f8497ead5c40a91b740b8
- .git\objects\d1\2b526f9c48fa65595b2df0d638729868197702
- .git\objects\df\bd21a0ce637a95cd548c2080e6bf626860045a
- .git\objects\e1\1ca6d0f002935add0b6de9d9c7f1769d5ebcfd
- .git\objects\ea\65e52dc334b1144383ae151f5ad581c9643ea9
- .git\objects\ed\bcbcac5ff14ce2f80815a48c460e713bee748b
- .git\objects\f1\b17287d0137ec352edb92c0808293c9809afee
- .git\objects\f2\c99ecde33aeb5bebf87906c52f8847959afab2
- .git\objects\f6\36ec66cfbc9521a52f21776544f2a95b49705d
- .git\objects\ff\3108be1ca8975eea9336c3195fda25b565c481
- .git\objects\ff\62de3313c9cda7a8d8f60500f7abe53f443a86
- .git\refs\heads\master
- .git\logs\refs\heads\master
- .git\refs\remotes\origin\HEAD
- .git\refs\remotes\origin\master
- .git\logs\refs\remotes\origin\HEAD
- .git\logs\refs\remotes\origin\master
Version History
Version | Downloads | Last updated |
4.0 | 3,623 | 2/23/2025 |
3.2.4 | 11,880 | 1/8/2025 |
3.2.3 | 359 | 1/7/2025 |
3.1.2 | 10,643 | 12/1/2024 |
3.1.0 | 39,476 | 3/30/2023 |
3.0.0 | 4,255 | 4/9/2022 | | 4,687 | 5/7/2021 | | 28 | 5/7/2021 |
2.0.2 | 31 | 5/7/2021 |
2.0.1 | 514 | 3/31/2021 |
2.0.0 | 1,239 | 1/5/2021 |
1.15.1 | 225 | 12/19/2020 |
1.15.0 | 3,415 | 12/19/2019 |
1.14.3 | 52 | 12/18/2019 |
1.14.2 | 366 | 11/13/2019 |
1.14.1 | 27 | 11/13/2019 |
1.14.0 | 461 | 9/25/2019 |
1.13.6 | 308 | 8/29/2019 |
1.13.3 | 61 | 8/26/2019 |
1.13.2 | 76 | 8/22/2019 |
1.13.1 | 54 | 8/21/2019 |
1.13.0 | 58 | 8/20/2019 |
1.12.1 | 30 | 8/20/2019 |
1.12.0 | 27 | 8/20/2019 |
1.10.1 | 412 | 7/9/2019 |
1.9.0 | 27 | 7/9/2019 |
1.8.8 | 29 | 7/9/2019 |
1.8.7 | 366 | 6/14/2019 |
1.8.6 | 342 | 5/24/2019 |
1.8.5 | 34 | 5/23/2019 |
1.8.4 | 59 | 5/21/2019 |
1.8.3 | 70 | 5/16/2019 |
1.8.2 | 29 | 5/16/2019 |
1.8.1 | 47 | 5/14/2019 |
1.8.0 | 30 | 5/14/2019 |
1.7.1 | 364 | 4/23/2019 |
1.6.13 | 177 | 4/12/2019 |
1.6.11 | 75 | 4/3/2019 |
1.6.9 | 535 | 12/13/2018 |
1.6.8 | 25 | 12/13/2018 |
1.6.7 | 33 | 12/12/2018 |
1.6.6 | 29 | 12/12/2018 |
1.6.5 | 30 | 12/12/2018 |
1.6.4 | 27 | 12/11/2018 |
1.6.3 | 84 | 12/10/2018 |
1.6.1 | 198 | 11/13/2018 |
1.6.0 | 29 | 11/13/2018 |
1.5.0 | 72 | 11/8/2018 |
1.4.0 | 82 | 10/30/2018 |
1.3.2 (current version) | 160 | 10/1/2018 |
1.3.1 | 31 | 10/1/2018 |
1.2.6 | 52 | 9/27/2018 |
1.2.5 | 29 | 9/27/2018 |
1.2.4 | 103 | 9/6/2018 |
1.2.3 | 203 | 7/19/2018 |
1.2.2 | 108 | 6/29/2018 |
1.2.1 | 46 | 6/26/2018 |
1.2.0 | 32 | 6/25/2018 |
1.1.4 | 344 | 5/18/2018 |