HAWK
4.0
Hawk streamlines the collection of forensic data from Microsoft 365 and Entra ID environments to help security professionals,
incident responders, and administrators quickly gather critical log data and identify potential security concerns.
While it includes basic analysis capabilities to flag items of interest, it focuses on efficient data collection rather than automated detection.
Minimum PowerShell version
5.0
Copyright
Copyright (c) 2025 Paul Navarro
Package Details
Author(s)
- Paul Navarro
- Jonathan Butler
- Lorenzo Ireland
- Julius Perez
Tags
O365 Security Audit Breach Investigation Exchange EXO Compliance Logon M365 Incident-Response Solarigate
Functions
- Get-HawkTenantConfiguration
- Get-HawkTenantEDiscoveryConfiguration
- Get-HawkTenantConsentGrant
- Get-HawkTenantRBACChange
- Get-HawkTenantEntraIDAppAuditLog
- Get-HawkUserUALSignInLog
- Get-HawkUserConfiguration
- Get-HawkUserEmailForwarding
- Get-HawkUserInboxRule
- Get-HawkUserMailboxAuditing
- Search-HawkTenantActivityByIP
- Get-HawkTenantAdminInboxRuleCreation
- Get-HawkTenantAdminInboxRuleModification
- Get-HawkTenantAdminInboxRuleRemoval
- Get-HawkTenantAdminMailboxPermissionChange
- Get-HawkTenantAdminEmailForwardingChange
- Show-HawkHelp
- Start-HawkTenantInvestigation
- Start-HawkUserInvestigation
- Update-HawkModule
- Get-HawkUserAdminAudit
- Get-HawkMessageHeader
- Get-HawkUserPWNCheck
- Get-HawkUserAutoReply
- Get-HawkUserMessageTrace
- Get-HawkUserMobileDevice
- Get-HawkTenantEntraIDAdmin
- Get-HawkTenantEXOAdmin
- Get-HawkUserMailItemsAccessed
- Get-HawkUserExchangeSearchQuery
- Get-HawkUserMailSendActivity
- Get-HawkTenantAppAndSPNCredentialDetail
- Get-HawkTenantEntraIDUser
- Get-HawkTenantDomainActivity
- Get-HawkTenantEDiscoveryLog
- Get-HawkUserSharePointSearchQuery
- Get-HawkUserEntraIDSignInLog
- Get-HawkTenantEntraIDAuditLog
- Get-HawkTenantRiskyUsers
- Get-HawkTenantRiskDetections
Dependencies
- ExchangeOnlineManagement (>= 3.0.0)
- Microsoft.Graph.Applications (>= 2.25.0)
- Microsoft.Graph.Authentication (>= 2.25.0)
- Microsoft.Graph.Identity.DirectoryManagement (>= 2.25.0)
- Microsoft.Graph.Identity.Signins (>= 2.25.0)
- Microsoft.Graph.Reports (>= 2.25.0)
- Microsoft.Graph.Users (>= 2.25.0)
- PSAppInsights (>= 0.9.6)
- PSFramework (>= 1.12.346)
 
Release Notes
https://github.com/T0pCyber/hawk/blob/master/Hawk/changelog.md
FileList
- Hawk.nuspec
- internal\functions\Get-SimpleAdminAuditLog.ps1
- internal\scripts\license.ps1
- changelog.md
- functions\Tenant\Get-HawkTenantRiskyUsers.ps1
- internal\functions\Get-SimpleUnifiedAuditLog.ps1
- internal\scripts\postimport.ps1
- functions\Tenant\Search-HawkTenantActivityByIP.ps1
- internal\functions\Import-AzureAuthenticationLog.ps1
- internal\scripts\preimport.ps1
- Hawk.psd1
- functions\Tenant\Start-HawkTenantInvestigation.ps1
- internal\functions\Initialize-HawkGlobalObject.ps1
- internal\scripts\strings.ps1
- Hawk.psm1
- functions\User\Get-HawkUserAdminAudit.ps1
- internal\functions\Out-HawkAppData.ps1
- internal\scripts\pre_commit_hook_scripts\Invoke-PowerShellScriptAnalyzer.ps1
- readme.md
- functions\User\Get-HawkUserAutoReply.ps1
- internal\functions\Out-LogFile.ps1
- internal\tepp\assignment.ps1
- bin\readme.md
- functions\User\Get-HawkUserConfiguration.ps1
- internal\functions\Out-MultipleFileType.ps1
- internal\tepp\example.tepp.ps1
- bin\System.Net.IPNetwork.dll
- functions\User\Get-HawkUserEmailForwarding.ps1
- internal\functions\Out-Report.ps1
- internal\tepp\readme.md
- en-us\about_Hawk.help.txt
- functions\User\Get-HawkUserEntraIDSignInLog.ps1
- internal\functions\Read-HawkAppData.ps1
- internal\WorkInProgress\Get-HawkTenantInboxRule.ps1
- en-us\strings.psd1
- functions\User\Get-HawkUserExchangeSearchQuery.ps1
- internal\functions\readme.md
- internal\WorkInProgress\Get-HawkTenantMailItemsAccessed.ps1
- functions\readme.md
- functions\User\Get-HawkUserInboxRule.ps1
- internal\functions\Reset-HawkEnvironment.ps1
- internal\WorkInProgress\Get-HawkTenantUnifiedAuditLog.ps1
- functions\General\Show-HawkHelp.ps1
- functions\User\Get-HawkUserMailboxAuditing.ps1
- internal\functions\Select-UniqueObject.ps1
- internal\WorkInProgress\Get-HawkUserHiddenRule.ps1
- functions\General\Update-HawkModule.ps1
- functions\User\Get-HawkUserMailItemsAccessed.ps1
- internal\functions\Start-SleepWithProgress.ps1
- internal\WorkInProgress\readme.md
- functions\Message\Get-HawkMessageHeader.ps1
- functions\User\Get-HawkUserMailSendActivity.ps1
- internal\functions\Test-CCOConnection.ps1
- tests\pester.ps1
- functions\Tenant\Get-HawkTenantAdminEmailForwardingChange.ps1
- functions\User\Get-HawkUserMessageTrace.ps1
- internal\functions\Test-EXOConnection.ps1
- tests\readme.md
- functions\Tenant\Get-HawkTenantAdminInboxRuleCreation.ps1
- functions\User\Get-HawkUserMobileDevice.ps1
- internal\functions\Test-GraphConnection.ps1
- tests\general\FileIntegrity.Exceptions.ps1
- functions\Tenant\Get-HawkTenantAdminInboxRuleModification.ps1
- functions\User\Get-HawkUserPWNCheck.ps1
- internal\functions\Test-HawkDateParameter.ps1
- tests\general\FileIntegrity.Tests.ps1
- functions\Tenant\Get-HawkTenantAdminInboxRuleRemoval.ps1
- functions\User\Get-HawkUserSharePointSearchQuery.ps1
- internal\functions\Test-HawkGlobalObject.ps1
- tests\general\Help.Exceptions.ps1
- functions\Tenant\Get-HawkTenantAdminMailboxPermissionChange.ps1
- functions\User\Get-HawkUserUALSignInLog.ps1
- internal\functions\Test-HawkInvestigationParameter.ps1
- tests\general\Help.Tests.ps1
- functions\Tenant\Get-HawkTenantAppAndSPNCredentialDetail.ps1
- functions\User\Start-HawkUserInvestigation.ps1
- internal\functions\Test-HawkNonInteractiveMode.ps1
- tests\general\Manifest.Tests.ps1
- functions\Tenant\Get-HawkTenantConfiguration.ps1
- internal\configurations\configuration.ps1
- internal\functions\Test-LicenseType.ps1
- tests\general\strings.Exceptions.ps1
- functions\Tenant\Get-HawkTenantConsentGrant.ps1
- internal\configurations\PSScriptAnalyzerSettings.psd1
- internal\functions\Test-MicrosoftIP.ps1
- tests\general\strings.Tests.ps1
- functions\Tenant\Get-HawkTenantDomainActivity.ps1
- internal\configurations\readme.md
- internal\functions\Test-OperationEnabled.ps1
- tests\general\Test-PreCommitHook.ps1
- functions\Tenant\Get-HawkTenantEDiscoveryConfiguration.ps1
- internal\functions\Add-HawkAppData.ps1
- internal\functions\Test-RecipientAge.ps1
- tests\internal\functions\Convert-HawkDaysToDate.Tests.ps1
- functions\Tenant\Get-HawkTenantEDiscoveryLog.ps1
- internal\functions\Compress-HawkData.ps1
- internal\functions\Test-SuspiciousInboxRule.ps1
- tests\internal\functions\readme.md
- functions\Tenant\Get-HawkTenantEntraIDAdmin.ps1
- internal\functions\Convert-HawkDaysToDate.ps1
- internal\functions\Test-UserObject.ps1
- tests\internal\functions\Test-HawkDateParameter.Tests.ps1
- functions\Tenant\Get-HawkTenantEntraIDAppAuditLog.ps1
- internal\functions\Convert-ReportToHTML.ps1
- internal\functions\Write-HawkBanner.ps1
- tests\internal\functions\Test-HawkInvestigationParameter.Tests.ps1
- functions\Tenant\Get-HawkTenantEntraIDAuditLog.ps1
- internal\functions\Convert-RiskData.ps1
- internal\functions\Write-HawkConfigurationComplete.ps1
- xml\Hawk.Format.ps1xml
- functions\Tenant\Get-HawkTenantEntraIDUser.ps1
- internal\functions\Get-AllUnifiedAuditLogEntry.ps1
- internal\functions\Write-HawkInvestigationSummary.ps1
- xml\Hawk.Types.ps1xml
- functions\Tenant\Get-HawkTenantEXOAdmin.ps1
- internal\functions\Get-AzureADPSPermission.ps1
- internal\scriptblocks\scriptblocks.ps1
- xml\readme.md
- functions\Tenant\Get-HawkTenantRbacChange.ps1
- internal\functions\Get-HawkUserPath.ps1
- functions\Tenant\Get-HawkTenantRiskDetections.ps1
- internal\functions\Get-IPGeolocation.ps1
Version History
| Version | Downloads | Last updated | 
|---|---|---|
| 4.0 (current version) | 6,811 | 2/23/2025 | 
| 3.2.3 | 374 | 1/7/2025 | 
| 3.1.2 | 10,645 | 12/1/2024 | 
| 3.1.0 | 39,484 | 3/30/2023 | 
| 3.0.0 | 4,259 | 4/9/2022 | 
| 2.0.3.2 | 4,889 | 5/7/2021 | 
| 2.0.3.1 | 29 | 5/7/2021 | 
| 2.0.2 | 32 | 5/7/2021 | 
| 2.0.1 | 515 | 3/31/2021 | 
| 2.0.0 | 1,241 | 1/5/2021 | 
| 1.15.1 | 226 | 12/19/2020 | 
| 1.15.0 | 3,418 | 12/19/2019 | 
| 1.14.3 | 53 | 12/18/2019 | 
| 1.14.2 | 367 | 11/13/2019 | 
| 1.14.1 | 28 | 11/13/2019 | 
| 1.14.0 | 462 | 9/25/2019 | 
| 1.13.6 | 309 | 8/29/2019 | 
| 1.13.3 | 62 | 8/26/2019 | 
| 1.13.2 | 77 | 8/22/2019 | 
| 1.13.1 | 55 | 8/21/2019 | 
| 1.13.0 | 59 | 8/20/2019 | 
| 1.12.1 | 31 | 8/20/2019 | 
| 1.12.0 | 28 | 8/20/2019 | 
| 1.10.1 | 413 | 7/9/2019 | 
| 1.9.0 | 28 | 7/9/2019 | 
| 1.8.8 | 30 | 7/9/2019 | 
| 1.8.7 | 367 | 6/14/2019 | 
| 1.8.6 | 343 | 5/24/2019 | 
| 1.8.5 | 35 | 5/23/2019 | 
| 1.8.4 | 60 | 5/21/2019 | 
| 1.8.3 | 71 | 5/16/2019 | 
| 1.8.2 | 30 | 5/16/2019 | 
| 1.8.1 | 48 | 5/14/2019 | 
| 1.8.0 | 31 | 5/14/2019 | 
| 1.7.1 | 369 | 4/23/2019 | 
| 1.6.13 | 181 | 4/12/2019 | 
| 1.6.11 | 76 | 4/3/2019 | 
| 1.6.9 | 536 | 12/13/2018 | 
| 1.6.8 | 26 | 12/13/2018 | 
| 1.6.7 | 34 | 12/12/2018 | 
| 1.6.6 | 30 | 12/12/2018 | 
| 1.6.5 | 31 | 12/12/2018 | 
| 1.6.4 | 28 | 12/11/2018 | 
| 1.6.3 | 85 | 12/10/2018 | 
| 1.6.1 | 199 | 11/13/2018 | 
| 1.6.0 | 30 | 11/13/2018 | 
| 1.5.0 | 73 | 11/8/2018 | 
| 1.4.0 | 83 | 10/30/2018 | 
| 1.3.2 | 161 | 10/1/2018 | 
| 1.3.1 | 32 | 10/1/2018 | 
| 1.2.6 | 53 | 9/27/2018 | 
| 1.2.5 | 30 | 9/27/2018 | 
| 1.2.4 | 104 | 9/6/2018 | 
| 1.2.3 | 204 | 7/19/2018 | 
| 1.2.2 | 109 | 6/29/2018 | 
| 1.2.1 | 47 | 6/26/2018 | 
| 1.2.0 | 33 | 6/25/2018 | 
| 1.1.4 | 345 | 5/18/2018 |