Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
Message
Tenant
User
Hawk.psd1
Hawk.psm1
LICENSE
Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll
Microsoft.IdentityModel.Clients.ActiveDirectory.dll
README.md Create README.md Aug 14, 2018
Report.xsl Added support for application insights Nov 13, 2018
Start-RobustCloudCommand.ps1
System.Net.IPNetwork.dll Add files via upload Aug 14, 2018

README.md

hawk

Powershell Based tool for gathering information related to O365 intrusions and potential Breaches

PURPOSE:
===========================================
The Hawk module has been designed to ease the burden on O365 administrators who are performing 
a forensic analysis in their organization.

It does NOT take the place of a human reviewing the data generated and is simply here to make
data gathering easier.

HOW TO USE:
===========================================
Hawk is divided into two primary forms of cmdlets; user based Cmdlets and Tenant based cmdlets.

User based cmdlets take the form Verb-HawkUser<action>.  They all expect a -user switch and 
will retrieve information specific to the user that is specified.  Tenant based cmdlets take
the form Verb-HawkTenant<Action>.  They don't need any switches and will return information
about the whole tenant.

A good starting place is the Start-HawkTenantInvestigation this will run all the tenant based
cmdlets and provide a collection of data to start with.  Once this data has been reviewed
if there are specific user(s) that more information should be gathered on 
Start-HawkUserInvestigation will gather all the User specific information for a single user.

All Hawk cmdlets include help that provides an overview of the data they gather and a listing
of all possible output files.  Run Get-Help <cmdlet> -full to see the full help output for a 
given Hawk cmdlet.

Some of the Hawk cmdlets will flag results that should be further reviewed.  These will appear
in _Investigate files.  These are NOT indicative of unwanted activity but are simply things 
that should reviewed.