Osprey

1.0.3

Microsoft 365 Incident Response and Threat Hunting PowerShell tool.
Osprey is designed to ease the burden on M365 administrators who are performing cloud forensic tasks for their organization.
It accelerates the gathering of data from multiple sources in the service that can be used to quickly identify malicious presence and activity.

Minimum PowerShell version

5.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name Osprey

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name Osprey

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

Copyright (c) 2024 Damien Miller-McAndrews

Package Details

Author(s)

  • Damien Miller-McAndrews

Tags

O365 Security Audit Breach Investigation Exchange Forensics M365 Incident_Response HAWK BEC Business_Email_Compromise

Functions

  • Show-OspreyHelp
  • Start-Osprey
  • Update-OspreyModule
  • Get-OspreyMessageHeader
  • Start-OspreyTenantInvestigation
  • Get-OspreyTenantConfiguration
  • Get-OspreyTenantEDiscoveryDetails
  • Get-OspreyTenantExchangeLogs
  • Get-OspreyTenantDomainActivity
  • Get-OspreyTenantAppsAndConsents
  • Get-OspreyTenantLinkUsage
  • Get-OspreyTenantAdmins
  • Get-OspreyTenantEntraUsers
  • Get-OspreyTenantInboxRules
  • Search-OspreyTenantActivityByIP
  • Start-OspreyUserInvestigation
  • Get-OspreyUserConfiguration
  • Get-OspreyUserInboxRule
  • Get-OspreyUserAuthHistory
  • Get-OspreyUserEmailActivity
  • Get-OspreyUserMessageTrace
  • Get-OspreyUserDevices
  • Get-OspreyUserFileAccess
  • Get-OspreyUserPWNCheck

Release Notes

## 1.0.3 (2024-10-06)
- EULA now only prompts once per Osprey install.
- SkipUpdate flag now actually works.
- Added validation to ensure correct version of EXO PowerShell is installed to bypass errors related to EXO and Graph and Azure.Core.dll.
- Moved suspicious inbox rule detection to its own function, added additional criteria to flag.
- Combined Tenant eDiscovery functions into one function.
- Combined Entra and Exchange admin functions into one function.
- Added sharing link usage and check for suspicious file access to tenant investigation.

## 1.0.2 (2024-08-20)
- Removed PSAppInsights dependencies and features.
- Fixed various bugs found during public testing.
- Removed hidden OOF inbox rule from inbox rule export.
- Transport rules created during investigation period will now flag.

## 1.0.1 (2024-08-16)
- Moved IP lookup API back to IPStack; the intention is to eventually allow a choice between a few different options.
- Added function Get-OspreyUserFileAccess to get file access and sharing records, and flag suspicious access and anonymous sharing.
- Updated Test-GraphConnection and added to functions it was missing from.

## 1.0.0 (2024-08-15)
- Forked Hawk module, renamed to Osprey.
- Removed JSON and XML export details from appearing in console output.
- Moved JSON output to specific folder.
- Added Start-Osprey function to remove need to connect to EXO and Graph ahead of time, allow for changing investigation parameters or tenant without exiting PowerShell.
- Temporarily deprecated Get-OspreyTenantAppAndSPNCredentialDetails.
- Merged Get-OspreyTenantAzureAppAuditLog and Get-OspreyTenantConsentGrants into one function called Get-OspreyTenantAppsAndConsents.
- Added function to pull list of known suspicious Azure applications from GitHub and flag if any exist in tenant.
- Migrated remaining functions that required deprecated Search-AdminAuditLog command to use output from the UAL, where possible.
- Replaced Azure with Entra, where applicable.
- Added ability for Get-OspreyTenantEntraUsers to get a list of all users created during the investigation period.
- Updated suspicious inbox rule flag to look for rules where emails are redirected into certain known-suspicious folders, or are deleted.
- Moved RBAC obtaining function to Get-OspreyTenantExchangeLogs.
- Moved IPStack API to free alternative temporarily.
- Deprecated Get-OspreyUserAdminAudit as no suitable way to properly migrate to UAL was found.
- Fixed Get-OspreyUserMessageTrace to get 10 days of email instead of 2.
- Renamed Get-OspreyUserMobileDevices to Get-OspreyUserDevices and added ability to get Entra joined/registered devices and flag any recently added.
- Attempted to fix Get-OspreyUserEmailActivity. It sort of works but outputs into different CSVs for each activity.
- Moved majority of outputs that did appending into PSCustomObjects to reduce console output noise.
- Removed Get-OspreyUserHiddenRule as -Hidden flag is available in normal Get-InboxRule command.
- Updated Premium license detection to add additional SKUs.
- Removed Known Microsoft IP check due to issues, will bring it back eventually.

Version History

Version                  Downloads  Last updated
1.0.3 (current version)  14         10/5/2024
1.0.2                    29         9/2/2024
1.0.1                    20         8/16/2024