HAWK
1.8.8
It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.
Hawk has moved to GitHub and is available for all to contribute.
https://github.com/Canthv0/hawk
Minimum PowerShell version
5.0
Copyright
(c) 2019 matbyrd@microsoft.com. All rights reserved.
Package Details
Author(s)
- hawk_feedback@microsoft.com
Tags
O365 Security Audit Breach Investigation Exchange EXO Compliance Logon
Functions
Get-HawkTenantAzureAuthenticationLogs Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantOauthConsentGrants Get-HawkTenantRBACChanges Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Initialize-HawkGlobalObject Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit Get-HawkTenantAuthHistory Get-HawkUserHiddenRule Get-HawkMessageHeader Get-HawkUserPWNCheck
Dependencies
- CloudConnect (>= 1.1.2)
- PSAppInsights (>= 0.9.6)
- RobustCloudCommand (>= 1.1.3)
Release Notes
1.8.8 - Updated required module versions to correct some connection issues
1.8.8 - Fixed issue where the wrong cmdlet was being called for Get-SweepRule
1.8.7 - Mailbox information will now include archive statistics
1.8.7 - Added Get-HawkUserPWNCheck, which checks HaveIBeenPWNed to see if an email is part of a public breach
1.8.6 - Fixed issue with IP Address lookup in Get-HawkUserAuthHistory (Thanks Kelvin for Feedback)
1.8.5 - Updated output from Get-HawkUserAuthHistory to remove the BASE object from the CSV
1.8.5 - Updated EXO Connection logic to renew token if it will expire in 15 minutes
1.8.5 - Fixed issue with Get-HawkUserAuthHistory failing when a single entry failed JSON conversion
1.8.4 - Removed unneeded dependencies that were impacting functionality
1.8.3 - Added search for Set-InboxRule and Remove-InboxRule to Search-HawkTenantEXOAuditLog (Thanks Danny for feedback)
1.8.3 - Fixed issue with simple audit log output when caller contained "on behalf of"
1.8.2 - Removed an unused utility function
1.8.2 - Getting the token for Azure Graph now uses CloudConnect
1.8.1 - Moved to RobustCloudCommand module instead of script
1.8.0 - Leverages CloudConnect Module to connect to EXO if no current connection
1.8.0 - Updated Help for all HawkUser cmdlets
1.8.0 - Removed XML output for all HawkUser cmdlets
FileList
- Hawk.nuspec
- Hawk.psd1
- Hawk.psm1
- LICENSE
- README.md
- System.Net.IPNetwork.dll
- General\Initialize-HawkGlobalObject.ps1
- Message\Get-HawkMessageHeader.ps1
- Tenant\Get-HawkTenantAuthHistory.ps1
- Tenant\Get-HawkTenantAzureAuthenticationLogs.ps1
- Tenant\Get-HawkTenantConfiguration.ps1
- Tenant\Get-HawkTenantEDiscoveryConfiguration.ps1
- Tenant\Get-HawkTenantInboxRules.ps1
- Tenant\Get-HawkTenantOauthConsentGrants.ps1
- Tenant\Get-HawkTenantRbacChanges.ps1
- Tenant\Search-HawkTenantActivityByIP.ps1
- Tenant\Search-HawkTenantEXOAuditLog.ps1
- Tenant\Start-HawkTenantInvestigation.ps1
- User\Get-HawkUserAdminAudit.ps1
- User\Get-HawkUserAuthHistory.ps1
- User\Get-HawkUserConfiguration.ps1
- User\Get-HawkUserEmailForwarding.ps1
- User\Get-HawkUserHiddenRule.ps1
- User\Get-HawkUserInboxRule.ps1
- User\Get-HawkUserMailboxAuditing.ps1
- User\Get-HawkUserPWNCheck.ps1
- User\Start-HawkUserInvestigation.ps1
Version History
Version | Downloads | Last updated |
---|---|---|
3.2.4 | 5,140 | 1/8/2025 |
3.2.3 | 352 | 1/7/2025 |
3.1.2 | 10,643 | 12/1/2024 |
3.1.0 | 39,476 | 3/30/2023 |
3.0.0 | 4,255 | 4/9/2022 |
2.0.3.2 | 4,649 | 5/7/2021 |
2.0.3.1 | 28 | 5/7/2021 |
2.0.2 | 31 | 5/7/2021 |
2.0.1 | 514 | 3/31/2021 |
2.0.0 | 1,237 | 1/5/2021 |
1.15.1 | 225 | 12/19/2020 |
1.15.0 | 3,415 | 12/19/2019 |
1.14.3 | 52 | 12/18/2019 |
1.14.2 | 366 | 11/13/2019 |
1.14.1 | 27 | 11/13/2019 |
1.14.0 | 461 | 9/25/2019 |
1.13.6 | 308 | 8/29/2019 |
1.13.3 | 61 | 8/26/2019 |
1.13.2 | 76 | 8/22/2019 |
1.13.1 | 54 | 8/21/2019 |
1.13.0 | 58 | 8/20/2019 |
1.12.1 | 30 | 8/20/2019 |
1.12.0 | 27 | 8/20/2019 |
1.10.1 | 412 | 7/9/2019 |
1.9.0 | 27 | 7/9/2019 |
1.8.8 (current version) | 29 | 7/9/2019 |
1.8.7 | 366 | 6/14/2019 |
1.8.6 | 342 | 5/24/2019 |
1.8.5 | 34 | 5/23/2019 |
1.8.4 | 59 | 5/21/2019 |
1.8.3 | 70 | 5/16/2019 |
1.8.2 | 29 | 5/16/2019 |
1.8.1 | 47 | 5/14/2019 |
1.8.0 | 30 | 5/14/2019 |
1.7.1 | 364 | 4/23/2019 |
1.6.13 | 177 | 4/12/2019 |
1.6.11 | 75 | 4/3/2019 |
1.6.9 | 535 | 12/13/2018 |
1.6.8 | 25 | 12/13/2018 |
1.6.7 | 33 | 12/12/2018 |
1.6.6 | 29 | 12/12/2018 |
1.6.5 | 30 | 12/12/2018 |
1.6.4 | 27 | 12/11/2018 |
1.6.3 | 84 | 12/10/2018 |
1.6.1 | 198 | 11/13/2018 |
1.6.0 | 29 | 11/13/2018 |
1.5.0 | 72 | 11/8/2018 |
1.4.0 | 82 | 10/30/2018 |
1.3.2 | 160 | 10/1/2018 |
1.3.1 | 31 | 10/1/2018 |
1.2.6 | 52 | 9/27/2018 |
1.2.5 | 29 | 9/27/2018 |
1.2.4 | 103 | 9/6/2018 |
1.2.3 | 203 | 7/19/2018 |
1.2.2 | 108 | 6/29/2018 |
1.2.1 | 46 | 6/26/2018 |
1.2.0 | 32 | 6/25/2018 |
1.1.4 | 344 | 5/18/2018 |