Osprey

1.0.1

Microsoft 365 Incident Response and Threat Hunting PowerShell tool.
Osprey is designed to ease the burden on M365 administrators who are performing cloud forensic tasks for their organization.
It accelerates the gathering of data from multiple sources in the service that can be used to quickly identify malicious presence and activity.

Minimum PowerShell version

5.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name Osprey -RequiredVersion 1.0.1

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name Osprey -Version 1.0.1

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Owners

Copyright

Copyright (c) 2024 Damien Miller-McAndrews

Package Details

Author(s)

  • Damien Miller-McAndrews

Tags

O365 Security Audit Breach Investigation Exchange Forensics M365 Incident_Response HAWK BEC Business_Email_Compromise

Functions

  • Show-OspreyHelp
  • Start-Osprey
  • Update-OspreyModule
  • Get-OspreyMessageHeader
  • Get-OspreyTenantConfiguration
  • Get-OspreyTenantDomainActivity
  • Get-OspreyTenantEDiscoveryConfiguration
  • Get-OspreyTenantEDiscoveryLogs
  • Get-OspreyTenantEntraAdmins
  • Get-OspreyTenantEntraUsers
  • Get-OspreyTenantExchangeAdmins
  • Get-OspreyTenantExchangeLogs
  • Start-OspreyTenantInvestigation
  • Get-OspreyTenantAppAndSPNCredentialDetails
  • Get-OspreyTenantAuthHistory
  • Get-OspreyTenantInboxRules
  • Get-OspreyTenantMailItemsAccessed
  • Search-OspreyTenantActivityByIP
  • Get-OspreyUserAuthHistory
  • Get-OspreyUserAutoReply
  • Get-OspreyUserConfiguration
  • Get-OspreyUserDevices
  • Get-OspreyUserEmailActivity
  • Get-OspreyUserEmailForwarding
  • Get-OspreyUserInboxRule
  • Get-OspreyUserMessageTrace
  • Get-OspreyUserPWNCheck
  • Start-OspreyUserInvestigation
  • Get-OspreyUserFileAccess

Dependencies

Release Notes

## 1.0.1 (2024-08-16)
- Moved IP lookup API back to IPStack, intention is to eventually allow choice between a few different options.
- Added function Get-OspreyUserFileAccess to get file access and sharing records, and flag suspicious access and anonymous sharing.
- Updated Test-GraphConnection and added to functions it was missing from.

## 1.0.0 (2024-08-15)
- Forked Hawk module, renamed to Osprey.
- Removed JSON and XML export details from appearing in console output.
- Moved JSON output to specific folder.
- Added Start-Osprey function to remove the need to connect to EXO and Graph ahead of time, and to allow changing investigation parameters or tenant without exiting PowerShell.
- Temporarily deprecated Get-OspreyTenantAppAndSPNCredentialDetails.
- Merged Get-OspreyTenantAzureAppAuditLog and Get-OspreyTenantConsentGrants into one function called Get-OspreyTenantAppsAndConsents.
- Added function to pull list of known suspicious Azure applications from GitHub and flag if any exist in tenant.
- Migrated remaining functions that required deprecated Search-AdminAuditLog command to use output from the UAL, where possible.
- Replaced Azure with Entra, where applicable.
- Added ability for Get-OspreyTenantEntraUsers to get a list of all users created during the investigation period.
- Updated suspicious inbox rule flag to look for rules where emails are redirected into certain known-suspicious folders, or are deleted.
- Moved RBAC obtaining function to Get-OspreyTenantExchangeLogs.
- Moved IPStack API to free alternative temporarily.
- Deprecated Get-OspreyUserAdminAudit as no suitable way to properly migrate to UAL was found.
- Fixed Get-OspreyUserMessageTrace to get 10 days of email instead of 2.
- Renamed Get-OspreyUserMobileDevices to Get-OspreyUserDevices and added ability to get Entra joined/registered devices and flag any recently added.
- Attempted to fix Get-OspreyUserEmailActivity. It sort of works but outputs into different CSVs for each activity.
- Moved majority of outputs that did appending into PSCustomObjects to reduce console output noise.
- Removed Get-OspreyUserHiddenRule as -Hidden flag is available in normal Get-InboxRule command.
- Updated Premium license detection to add additional SKUs.
- Removed Known Microsoft IP check due to issues, will bring it back eventually.

FileList

Version History

| Version                 | Downloads | Last updated |
|-------------------------|-----------|--------------|
| 1.0.3                   | 14        | 10/5/2024    |
| 1.0.2                   | 29        | 9/2/2024     |
| 1.0.1 (current version) | 20        | 8/16/2024    |