HAWK

1.10.1

The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization.  It accelerates the gathering of data from multiple sources in the service.

It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.

Hawk has moved to GitHub and is available for all to contribute.
https://github.com/Canthv0/hawk

Minimum PowerShell version

5.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name HAWK -RequiredVersion 1.10.1

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Author(s)

hawk_feedback@microsoft.com

Copyright

(c) 2019 matbyrd@microsoft.com. All rights reserved.

Owners

Tags

O365 Security Audit Breach Investigation Exchange EXO Compliance Logon

Functions

Get-HawkTenantAzureAuthenticationLogs Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantOauthConsentGrants Get-HawkTenantRBACChanges Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Initialize-HawkGlobalObject Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit Get-HawkTenantAuthHistory Get-HawkUserHiddenRule Get-HawkMessageHeader Get-HawkUserPWNCheck Get-HawkUserAutoReply

Dependencies

Release Notes


       1.10.1 - Corrected issue with IP address lookup code that resulted in extensive errors
       1.10.0 - Updated Test-MSOLConnection to automatically connect using Connect-MSOLService
       1.9.0 - Checked in to pull requests
       1.9.0 - Added Get-HawkUserAutoReply to pull autoreply information (thx chrish012)
       1.9.0 - Fix for mailbox audit logs and non us dates (thx imcfarla2003)
       1.8.8 - Updated required module versions to correct some connection issues
       1.8.8 - Fixed issue where the wrong cmdlet was being called for Get-SweepRule
       1.8.7 - Mailbox information will now include archive statistics
       1.8.7 - Added Get-HawkUserPWNCheck will check HaveIBeenPWNed to see if an email is part of a public breach
       1.8.6 - Fixed issue with IP Address lookup in Get-HawkUserAuthHistory (Thanks Kelvin for Feedback)
       1.8.5 - Updated output from Get-HawkUserAuthHistory to remove the BASE object from the CSV
       1.8.5 - Updated EXO Connection logic to renew token if it will expire in 15 minutes
       1.8.5 - Fixed issue Get-HawkUserAuthHistory failing on a single entry failing JSON conversion
       1.8.4 - Removed un-needed dependencies that were impacting functionality
       1.8.3 - Added search for Set-InboxRule and Remove-InboxRule to Search-HawkTenantEXOAuditLog (Thanks Danny for feedback)
       1.8.3 - Fixed issue with simple audit log output when caller contained "on behalf of"
       1.8.2 - Removed an unused utility function
       1.8.2 - Getting the token for Azure Graph now uses CloudConnect
       1.8.1 - Moved to RobustCloudCommand module instead of script
       1.8.0 - Leverages CloudConnect Module to connect to EXO if no current connection
       1.8.0 - Updated Help for all HawkUser cmdlets
       1.8.0 - Removed XML output for all HawkUser cmdlets
       

Version History

Version Downloads Last updated
1.13.2 39 8/22/2019
1.13.1 31 8/21/2019
1.13.0 33 8/20/2019
1.12.1 7 8/20/2019
1.12.0 4 8/20/2019
1.10.1 (current version) 385 7/9/2019
1.9.0 4 7/9/2019
1.8.8 4 7/9/2019
1.8.7 342 6/14/2019
1.8.6 315 5/24/2019
1.8.5 11 5/23/2019
1.8.4 35 5/21/2019
1.8.3 47 5/16/2019
1.8.2 5 5/16/2019
1.8.1 24 5/14/2019
1.8.0 5 5/14/2019
1.7.1 185 4/23/2019
1.6.13 127 4/12/2019
1.6.11 51 4/3/2019
1.6.9 483 12/13/2018
1.6.8 2 12/13/2018
1.6.7 10 12/12/2018
1.6.6 6 12/12/2018
1.6.5 7 12/12/2018
1.6.4 4 12/11/2018
1.6.3 27 12/10/2018
1.6.1 150 11/13/2018
1.6.0 5 11/13/2018
1.5.0 47 11/8/2018
1.4.0 59 10/30/2018
1.3.2 134 10/1/2018
1.3.1 8 10/1/2018
1.2.6 29 9/27/2018
1.2.5 6 9/27/2018
1.2.4 77 9/6/2018
1.2.3 178 7/19/2018
1.2.2 84 6/29/2018
1.2.1 18 6/26/2018
1.2.0 8 6/25/2018
1.1.4 251 5/18/2018