HAWK
3.1.2
Microsoft 365 Incident Response and Threat Hunting PowerShell tool.
Hawk is designed to ease the burden on M365 administrators who are performing cloud forensic tasks for their organization.
It accelerates the gathering of data from multiple sources in the service that can be used to quickly identify malicious presence and activity.
Minimum PowerShell version
5.0
Copyright
Copyright (c) 2023 Paul Navarro
Package Details
Author(s)
- Paul Navarro
Tags
O365 Security Audit Breach Investigation Exchange EXO Compliance Logon M365 Incident-Response Solarigate
Functions
Get-HawkTenantConfiguration Get-HawkTenantEDiscoveryConfiguration Get-HawkTenantInboxRules Get-HawkTenantConsentGrants Get-HawkTenantRBACChanges Get-HawkTenantAzureAppAuditLog Get-HawkUserAuthHistory Get-HawkUserConfiguration Get-HawkUserEmailForwarding Get-HawkUserInboxRule Get-HawkUserMailboxAuditing Search-HawkTenantActivityByIP Search-HawkTenantEXOAuditLog Show-HawkHelp Start-HawkTenantInvestigation Start-HawkUserInvestigation Update-HawkModule Get-HawkUserAdminAudit Get-HawkTenantAuditLog Get-HawkTenantAuthHistory Get-HawkUserHiddenRule Get-HawkMessageHeader Get-HawkUserPWNCheck Get-HawkUserAutoReply Get-HawkUserMessageTrace Get-HawkUserMobileDevice Get-HawkTenantAZAdmins Get-HawkTenantEXOAdmins Get-HawkTenantMailItemsAccessed Get-HawkTenantAppAndSPNCredentialDetails Get-HawkTenantAzureADUsers Get-HawkTenantDomainActivity Get-HawkTenantEDiscoveryLog
Dependencies
- AzureAD (>= 2.0.2.182)
- ExchangeOnlineManagement (>= 3.0.0)
- Microsoft.Graph.Authentication (>= 1.23.0)
- Microsoft.Graph.Identity.DirectoryManagement (>= 1.23.0)
- PSAppInsights (>= 0.9.6)
- PSFramework (>= 1.12.346)
FileList
- Hawk.nuspec
- internal\functions\Compress-HawkData.ps1
- internal\scriptblocks\scriptblocks.ps1
- changelog.md
- functions\Tenant\Get-HawkTenantEDiscoveryLog.ps1
- internal\functions\Convert-ReportToHTML.ps1
- internal\scripts\license.ps1
- functions\Tenant\Get-HawkTenantEXOAdmins.ps1
- internal\functions\Get-AllUnifiedAuditLogEntry.ps1
- internal\scripts\postimport.ps1
- Hawk.psd1
- functions\Tenant\Get-HawkTenantInboxRules.ps1
- internal\functions\Get-AzureADPSPermissions.ps1
- internal\scripts\preimport.ps1
- Hawk.psm1
- functions\Tenant\Get-HawkTenantMailItemsAccessed.ps1
- internal\functions\Get-IPGeolocation.ps1
- internal\scripts\strings.ps1
- readme.md
- functions\Tenant\Get-HawkTenantRbacChanges.ps1
- internal\functions\Get-SimpleAdminAuditLog.ps1
- internal\scripts\pre_commit_hook_scripts\Invoke-PowerShellScriptAnalyzer.ps1
- Resolving IP Locations
- functions\Tenant\Search-HawkTenantActivityByIP.ps1
- internal\functions\Import-AzureAuthenticationLogs.ps1
- internal\tepp\assignment.ps1
- bin\readme.md
- functions\Tenant\Search-HawkTenantEXOAuditLog.ps1
- internal\functions\Initialize-HawkGlobalObject.ps1
- internal\tepp\example.tepp.ps1
- bin\System.Net.IPNetwork.dll
- functions\Tenant\Start-HawkTenantInvestigation.ps1
- internal\functions\Out-HawkAppData.ps1
- internal\tepp\readme.md
- en-us\about_Hawk.help.txt
- functions\User\Get-HawkUserAdminAudit.ps1
- internal\functions\Out-LogFile.ps1
- tests\pester.ps1
- en-us\strings.psd1
- functions\User\Get-HawkUserAuthHistory.ps1
- internal\functions\Out-MultipleFileType.ps1
- tests\readme.md
- functions\readme.md
- functions\User\Get-HawkUserAutoReply.ps1
- internal\functions\Out-Report.ps1
- tests\functions\readme.md
- functions\General\Show-HawkHelp.ps1
- functions\User\Get-HawkUserConfiguration.ps1
- internal\functions\Read-HawkAppData.ps1
- tests\general\FileIntegrity.Exceptions.ps1
- functions\General\Update-HawkModule.ps1
- functions\User\Get-HawkUserEmailForwarding.ps1
- internal\functions\readme.md
- tests\general\FileIntegrity.Tests.ps1
- functions\Message\Get-HawkMessageHeader.ps1
- functions\User\Get-HawkUserHiddenRule.ps1
- internal\functions\Select-UniqueObject.ps1
- tests\general\Help.Exceptions.ps1
- functions\Tenant\Get-HawkTenantAppAndSPNCredentialDetails.ps1
- functions\User\Get-HawkUserInboxRule.ps1
- internal\functions\Start-SleepWithProgress.ps1
- tests\general\Help.Tests.ps1
- functions\Tenant\Get-HawkTenantAuditLog.ps1
- functions\User\Get-HawkUserMailboxAuditing.ps1
- internal\functions\Test-AzureADConnection.ps1
- tests\general\Manifest.Tests.ps1
- functions\Tenant\Get-HawkTenantAuthHistory.ps1
- functions\User\Get-HawkUserMessageTrace.ps1
- internal\functions\Test-CCOConnection.ps1
- tests\general\strings.Exceptions.ps1
- functions\Tenant\Get-HawkTenantAZAdmins.ps1
- functions\User\Get-HawkUserMobileDevice.ps1
- internal\functions\Test-EXOConnection.ps1
- tests\general\strings.Tests.ps1
- functions\Tenant\Get-HawkTenantAzureADUsers.ps1
- functions\User\Get-HawkUserPWNCheck.ps1
- internal\functions\Test-GraphConnection.ps1
- tests\general\Test-PreCommitHook.ps1
- functions\Tenant\Get-HawkTenantAzureAppAuditLog.ps1
- functions\User\Start-HawkUserInvestigation.ps1
- internal\functions\Test-MicrosoftIP.ps1
- xml\Hawk.Format.ps1xml
- functions\Tenant\Get-HawkTenantConfiguration.ps1
- internal\configurations\configuration.ps1
- internal\functions\Test-RecipientAge.ps1
- xml\Hawk.Types.ps1xml
- functions\Tenant\Get-HawkTenantConsentGrants.ps1
- internal\configurations\PSScriptAnalyzerSettings.psd1
- internal\functions\Test-UserObject.ps1
- xml\readme.md
- functions\Tenant\Get-HawkTenantDomainActivity.ps1
- internal\configurations\readme.md
- functions\Tenant\Get-HawkTenantEDiscoveryConfiguration.ps1
- internal\functions\Add-HawkAppData.ps1
Version History
Version | Downloads | Last updated |
---|---|---|
3.1.2 (current version) | 5,960 | 12/1/2024 |
3.1.0 | 39,476 | 3/30/2023 |
3.0.0 | 4,253 | 4/9/2022 |
2.0.3.2 | 4,596 | 5/7/2021 |
2.0.3.1 | 28 | 5/7/2021 |
2.0.2 | 31 | 5/7/2021 |
2.0.1 | 514 | 3/31/2021 |
2.0.0 | 1,236 | 1/5/2021 |
1.15.1 | 225 | 12/19/2020 |
1.15.0 | 3,415 | 12/19/2019 |
1.14.3 | 52 | 12/18/2019 |
1.14.2 | 366 | 11/13/2019 |
1.14.1 | 27 | 11/13/2019 |
1.14.0 | 461 | 9/25/2019 |
1.13.6 | 308 | 8/29/2019 |
1.13.3 | 61 | 8/26/2019 |
1.13.2 | 76 | 8/22/2019 |
1.13.1 | 54 | 8/21/2019 |
1.13.0 | 58 | 8/20/2019 |
1.12.1 | 30 | 8/20/2019 |
1.12.0 | 27 | 8/20/2019 |
1.10.1 | 412 | 7/9/2019 |
1.9.0 | 27 | 7/9/2019 |
1.8.8 | 29 | 7/9/2019 |
1.8.7 | 366 | 6/14/2019 |
1.8.6 | 342 | 5/24/2019 |
1.8.5 | 34 | 5/23/2019 |
1.8.4 | 59 | 5/21/2019 |
1.8.3 | 70 | 5/16/2019 |
1.8.2 | 29 | 5/16/2019 |
1.8.1 | 47 | 5/14/2019 |
1.8.0 | 30 | 5/14/2019 |
1.7.1 | 364 | 4/23/2019 |
1.6.13 | 177 | 4/12/2019 |
1.6.11 | 75 | 4/3/2019 |
1.6.9 | 535 | 12/13/2018 |
1.6.8 | 25 | 12/13/2018 |
1.6.7 | 33 | 12/12/2018 |
1.6.6 | 29 | 12/12/2018 |
1.6.5 | 30 | 12/12/2018 |
1.6.4 | 27 | 12/11/2018 |
1.6.3 | 84 | 12/10/2018 |
1.6.1 | 198 | 11/13/2018 |
1.6.0 | 29 | 11/13/2018 |
1.5.0 | 72 | 11/8/2018 |
1.4.0 | 82 | 10/30/2018 |
1.3.2 | 160 | 10/1/2018 |
1.3.1 | 31 | 10/1/2018 |
1.2.6 | 52 | 9/27/2018 |
1.2.5 | 29 | 9/27/2018 |
1.2.4 | 103 | 9/6/2018 |
1.2.3 | 203 | 7/19/2018 |
1.2.2 | 108 | 6/29/2018 |
1.2.1 | 46 | 6/26/2018 |
1.2.0 | 32 | 6/25/2018 |
1.1.4 | 344 | 5/18/2018 |