HAWK

1.6.9

The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization.  It accelerates the gathering of data from multiple sources in the service.

It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.

Hawk has moved to GitHub and is available for all to contribute.
https://github.com/Canthv0/hawk

Minimum PowerShell version

5.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name HAWK

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Author(s)

hawk_feedback@microsoft.com

Copyright

(c) 2017 matbyrd@microsoft.com. All rights reserved.

Owners

Tags

O365 Security Audit Breach Investigation Exchange EXO Compliance Logon

Functions

Get-HawkTenantAzureAuthenticationLogs Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantOauthConsentGrants Get-HawkTenantRBACChanges Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Initialize-HawkGlobalObject Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit Get-HawkTenantAuthHistory Get-HawkUserHiddenRule Get-HawkMessageHeader

Dependencies

Release Notes

1.6.9 - Corrected an issue that would cause excessive memory usage on Get-HawkTenantAzureAuthenticationLogs
1.6.5 - Updates to Get-HawkTenantAzureAuthenticationLogs to better diagnose issues (additional)
1.6.4 - Updates to Get-HawkTenantAzureAuthenticationLogs to better diagnose issues
1.6.2 - Updated Help on Get-HawkUserHiddenRule with what to do with the output
1.6.2 - Fixed issue with output of Get-HawkUserHiddenRule to output ID and priority into a text file
1.6.2 - Updated name of Get-HawkUserHiddenRule to be in line with naming convention
1.6.1 - Added Azure AppInsight integration
1.6.0 - Added Get-HawkMessageHeader cmdlet to pull and analyse the header from an MSG file
1.6.0 - Added support for sending data to an XML file that can be transformed with an XSLT
1.6.0 - Published XSLT template to Azure
1.5.0 - Added Get-HawkUserHiddenRule - Uses EWS Impersonation to search for hidden inbox rules in a user mailbox (BETA)
1.4.0 - Fixed issue with list of SKUs that can do Advanced AD searches
1.4.0 - Added Get-HawkTenantAuthHistory. It will return 48 hours worth of unified audit logs for all users.
1.3.2 - Fixed issue with JSON conversion throwing errors on duplicate properties
1.3.1 - Updated Get-HawkUserAuthHistory to generate fewer files that are more readable
1.3.1 - Updated Get-HawkUserAuthHistory to gather more authentication data

  • Hawk.nuspec
  • Hawk.psd1
  • Hawk.psm1
  • LICENSE
  • Microsoft.IdentityModel.Clients.ActiveDirectory.dll
  • Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll
  • README.md
  • Report.xsl
  • Start-RobustCloudCommand.ps1
  • System.Net.IPNetwork.dll
  • .git\COMMIT_EDITMSG
  • .git\config
  • .git\description
  • .git\FETCH_HEAD
  • .git\HEAD
  • .git\index
  • .git\ORIG_HEAD
  • .git\packed-refs
  • Message\Get-HawkMessageHeader.ps1
  • Tenant\Get-HawkTenantAuthHistory.ps1
  • Tenant\Get-HawkTenantAzureAuthenticationLogs.ps1
  • Tenant\Get-HawkTenantConfiguration.ps1
  • Tenant\Get-HawkTenantEDiscoveryConfiguration.ps1
  • Tenant\Get-HawkTenantInboxRules.ps1
  • Tenant\Get-HawkTenantOauthConsentGrants.ps1
  • Tenant\Get-HawkTenantRbacChanges.ps1
  • Tenant\Search-HawkTenantActivityByIP.ps1
  • Tenant\Search-HawkTenantEXOAuditLog.ps1
  • Tenant\Start-HawkTenantInvestigation.ps1
  • User\Get-HawkUserAdminAudit.ps1
  • User\Get-HawkUserAuthHistory.ps1
  • User\Get-HawkUserConfiguration.ps1
  • User\Get-HawkUserEmailForwarding.ps1
  • User\Get-HawkUserHiddenRule.ps1
  • User\Get-HawkUserInboxRule.ps1
  • User\Get-HawkUserMailboxAuditing.ps1
  • User\Start-HawkUserInvestigation.ps1
  • .git\hooks\applypatch-msg.sample
  • .git\hooks\commit-msg.sample
  • .git\hooks\fsmonitor-watchman.sample
  • .git\hooks\post-update.sample
  • .git\hooks\pre-applypatch.sample
  • .git\hooks\pre-commit.sample
  • .git\hooks\pre-push.sample
  • .git\hooks\pre-rebase.sample
  • .git\hooks\pre-receive.sample
  • .git\hooks\prepare-commit-msg.sample
  • .git\hooks\update.sample
  • .git\info\exclude
  • .git\logs\HEAD
  • .git\refs\heads\master
  • .git\logs\refs\heads\master
  • .git\refs\remotes\origin\HEAD
  • .git\refs\remotes\origin\master
  • .git\logs\refs\remotes\origin\HEAD
  • .git\logs\refs\remotes\origin\master

Version History

Version Downloads Last updated
1.6.9 (current version) 230 12/13/2018
1.6.8 1 12/13/2018
1.6.7 9 12/12/2018
1.6.6 5 12/12/2018
1.6.5 6 12/12/2018
1.6.4 3 12/11/2018
1.6.3 16 12/10/2018
1.6.1 136 11/13/2018
1.6.0 4 11/13/2018
1.5.0 45 11/8/2018
1.4.0 58 10/30/2018
1.3.2 132 10/1/2018
1.3.1 7 10/1/2018
1.2.6 28 9/27/2018
1.2.5 5 9/27/2018
1.2.4 73 9/6/2018
1.2.3 177 7/19/2018
1.2.2 83 6/29/2018
1.2.1 17 6/26/2018
1.2.0 7 6/25/2018
1.1.4 204 5/18/2018