HAWK

1.8.3

The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization.  It accelerates the gathering of data from multiple sources in the service.

It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.

Hawk has moved to GitHub and is a
The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization.  It accelerates the gathering of data from multiple sources in the service.

It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.

Hawk has moved to GitHub and is availble for all to contribute.
https://github.com/Canthv0/hawk
Show more

Minimum PowerShell version

5.0

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name HAWK -RequiredVersion 1.8.3

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name HAWK -Version 1.8.3

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2019 matbyrd@microsoft.com. All rights reserved.

Package Details

Author(s)

  • hawk_feedback@microsoft.com

Tags

O365 Security Audit Breach Investigation Exchange EXO Compliance Logon

Functions

Get-HawkTenantAzureAuthenticationLogs Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantOauthConsentGrants Get-HawkTenantRBACChanges Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Initialize-HawkGlobalObject Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit Get-HawkTenantAuthHistory Get-HawkUserHiddenRule Get-HawkMessageHeader

Dependencies

Release Notes

1.8.3 - Added search for Set-InboxRule and Remove-InboxRule to Search-HawkTenantEXOAuditLog (Thanks Danny for feedback)
       1.8.3 - Fixed issue with simple audit log output when caller contained "on behalf of"
       1.8.2 - Removed an unused utility function
       1.8.2 - Getting the token for Azure Graph now uses CloudConnect
       1.8.1 - Moved to RobustCloudCommand module instead of script
       1.8.0 - Leverages CloudConnect Module to connect to EXO if no current connection
       1.8.0 - Updated Help for all HawkUser cmdlets
       1.8.0 - Removed XML output for all HawkUser cmdlets
       1.7.1 - Fixed issues with Initialize-HawkGlobalObject where some switches were not defaulting to False
       1.7.1 - Removed xml output from Get-HawkUserMailboxAuditing as part of continued output cleanup/streamlining
       1.7.1 - Updated Help on Get-HawkUserMailboxAuditing
       1.7.1 - Get-HawkUserMailboxAuditing now searches the Mailbox Audit Log as well as the Unified Audit Log
       1.7.0 - Rework of Initialize-HawkGlobalObject to now accept swtiches to facilitate scripting Hawk Commands
       1.7.0 - Further help updates
       1.7.0 - Moved Initialize-HawkGlobalObject into its own ps1 file in the General Folder
       1.6.11 - Get-HawkMessageHeader removed HTML output outputs to CSV now
       1.6.11 - Started working thru help documentation
       1.6.9 - Corrected an issue that would cause excessive memory usage on Get-HawkTenantAzureAuthenticationLogs
       1.6.5 - Updates to Get-HawkTenantAzureAuthenticationLogs to better diagnose issues (addtional)
       1.6.4 - Updates to Get-HawkTenantAzureAuthenticationLogs to better diagnose issues
       1.6.2 - Updated Help on Get-HawkUserHiddenRule with what to do with the output
       1.6.2 - Fixed issue with output of Get-HawkUserHiddenRule to output ID and priority into a text file
       1.6.2 - Updated name of Get-HawkUserHiddenRule to be in line with naming convention
       1.6.1 - Added Azure AppInsight integration
       

FileList

Version History

Version Downloads Last updated
3.1.0 37,297 3/30/2023
3.0.0 4,252 4/9/2022
2.0.3.2 4,559 5/7/2021
2.0.3.1 28 5/7/2021
2.0.2 31 5/7/2021
2.0.1 514 3/31/2021
2.0.0 1,236 1/5/2021
1.15.1 225 12/19/2020
1.15.0 3,415 12/19/2019
1.14.3 52 12/18/2019
1.14.2 366 11/13/2019
1.14.1 27 11/13/2019
1.14.0 461 9/25/2019
1.13.6 308 8/29/2019
1.13.3 61 8/26/2019
1.13.2 76 8/22/2019
1.13.1 54 8/21/2019
1.13.0 58 8/20/2019
1.12.1 30 8/20/2019
1.12.0 27 8/20/2019
1.10.1 412 7/9/2019
1.9.0 27 7/9/2019
1.8.8 29 7/9/2019
1.8.7 366 6/14/2019
1.8.6 342 5/24/2019
1.8.5 34 5/23/2019
1.8.4 59 5/21/2019
1.8.3 (current version) 70 5/16/2019
1.8.2 29 5/16/2019
1.8.1 47 5/14/2019
1.8.0 30 5/14/2019
1.7.1 364 4/23/2019
1.6.13 176 4/12/2019
1.6.11 75 4/3/2019
1.6.9 534 12/13/2018
1.6.8 25 12/13/2018
1.6.7 33 12/12/2018
1.6.6 29 12/12/2018
1.6.5 30 12/12/2018
1.6.4 27 12/11/2018
1.6.3 84 12/10/2018
1.6.1 198 11/13/2018
1.6.0 29 11/13/2018
1.5.0 72 11/8/2018
1.4.0 82 10/30/2018
1.3.2 160 10/1/2018
1.3.1 31 10/1/2018
1.2.6 52 9/27/2018
1.2.5 29 9/27/2018
1.2.4 103 9/6/2018
1.2.3 203 7/19/2018
1.2.2 108 6/29/2018
1.2.1 46 6/26/2018
1.2.0 32 6/25/2018
1.1.4 344 5/18/2018
Show less