
https://github.com/T0pCyber/hawk

Powershell Based tool for gathering information related to O365 intrusions and potential Breaches

azure-active-directory cloud-forensics exchange-online o365 office365 powershell-module


# Hawk Documentation and Resources

Visit [hawkforensics.io](https://hawkforensics.io/) for comprehensive documentation including:

- Detailed installation and permissions guides
- Step-by-step tutorials and "How to" videos
- Troubleshooting help
- Best practices and usage examples

# What is Hawk?

Hawk is a free, open-source PowerShell module that streamlines the collection of forensic data from Microsoft cloud environments. Designed primarily for security professionals, incident responders, and administrators, Hawk automates the gathering of critical log data across Microsoft services, with a focus on Microsoft 365 (M365) and Microsoft Entra ID.

## Core Capabilities

- **Data Collection**: Efficiently gather forensic data with automated collection processes
- **Security Analysis**: Examine security configurations, audit logs, and user activities
- **Export & Report**: Generate both CSV reports and JSON data for SIEM integration

## What Hawk is and isn't

While Hawk includes basic analysis capabilities to flag potential items of interest (such as suspicious mail forwarding rules, over-privileged applications, or risky user activities), it is fundamentally a data collection tool rather than an automated threat detection system.

Hawk streamlines data collection compared with manually running individual queries through web interfaces, freeing up analyst and administrator time for other tasks. The tool's goal is to quickly get you the data needed to come to a conclusion, not to make the conclusion for you.

# Getting Started

## System Requirements

- Windows operating system with administrator access
- PowerShell 5.0 or above (PowerShell Core will be supported in future)
- Network connectivity to:
  - PowerShell Gallery
  - Graph API
  - Microsoft 365 services

## Installation

```powershell
Install-Module -Name Hawk
```
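The requirements and the install line above are one procedure. Here is that procedure as a single script that checks each stated prerequisite before installing. This is an added example, not code from the Hawk project: the hostnames used for the connectivity checks (the Gallery, the Graph endpoint, and one Exchange Online endpoint standing in for "Microsoft 365 services") and the `-Scope CurrentUser` choice are assumptions, not something the README specifies.

```powershell
# Added example (not Hawk's own code): verify the README's prerequisites,
# look at what the Gallery will install, then install and load the module.

# PowerShell 5.0 or above; PowerShell Core is not supported yet per the README
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "Hawk requires Windows PowerShell 5.0 or above; found $($PSVersionTable.PSVersion)"
}
if ($PSVersionTable.PSEdition -eq 'Core') {
    Write-Warning 'PowerShell Core is not supported by Hawk yet; use Windows PowerShell 5.x'
}

# Administrator access
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session'
}

# Network connectivity: Gallery, Graph API, Microsoft 365 services.
# Hostnames are assumptions; adjust for proxies or a sovereign cloud.
$endpoints = 'www.powershellgallery.com', 'graph.microsoft.com', 'outlook.office365.com'
foreach ($hostName in $endpoints) {
    $reachable = Test-NetConnection -ComputerName $hostName -Port 443 `
                     -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $reachable) {
        throw "Cannot reach ${hostName}:443 - fix proxy/firewall before installing"
    }
}

# Supply-chain sanity check: see what the Gallery is about to hand you before
# it lands on an incident-response workstation.
Find-Module -Name Hawk | Select-Object Name, Version, Author, PublishedDate

# Per-user install avoids touching machine-wide module paths (assumed preference)
Install-Module -Name Hawk -Scope CurrentUser -Force
Import-Module -Name Hawk

# Confirm the module loaded and list the investigation entry points
Get-Command -Module Hawk | Select-Object Name
```

Run it once on the responder workstation; any thrown error names the prerequisite that failed, so it doubles as a troubleshooting first step.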

# Investigation Types

Hawk offers two main investigation approaches:

## Tenant Investigations

- Examines broader Microsoft Cloud tenant settings, audit logs, and security configurations
- Provides an excellent starting point for identifying suspicious patterns
- Use `Start-HawkTenantInvestigation` to begin a tenant-wide investigation

## User Investigations

- Performs deep-dive analysis into individual user accounts
- Examines mailbox configurations, inbox rules, and login histories
- Use `Start-HawkUserInvestigation -UserPrincipalName <user's UPN>` to investigate specific users

# Understanding Output

Hawk organizes investigation results into a structured directory hierarchy:

```
📂 [Investigation Root]
├── 📂 Tenant/
│   ├── AdminAuditLogConfig.csv
│   ├── OrgConfig.csv
│   ├── _Investigate_*.csv
│   └── [other tenant files]
├── 📂 [first user's UPN]/
│   ├── Mailbox_Info.csv
│   ├── InboxRules.csv
│   ├── _Investigate_*.csv
│   └── [other user files]
└── 📂 [second user's UPN]/
    └── [similar structure]
```

Files prefixed with `_Investigate_` contain potentially suspicious findings that warrant further review. They are leads, not verdicts: Hawk flags the items, and the analyst confirms or dismisses them.
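The two investigation types and the output layout above fit together as one workflow: sweep the tenant, deep-dive the users it points at, then triage the `_Investigate_` files. The script below is an added example and not code from the Hawk project. Only the two cmdlet names, the `-UserPrincipalName` parameter and the `_Investigate_` prefix come from the README; the suspect list, the case folder path and the manifest location are assumptions for illustration.

```powershell
# Added example (not Hawk's own code): collection with both investigation
# types, then triage of the resulting directory tree.
Import-Module -Name Hawk

# --- Collection -------------------------------------------------------------
# Tenant-wide sweep first: the cheapest way to learn which accounts deserve a
# deep dive. Answer anything Hawk asks for at the prompt.
Start-HawkTenantInvestigation

# Then the accounts named in the tenant-level flags or by the reporting party
$suspects = 'user1@contoso.com', 'user2@contoso.com'   # constructed list
foreach ($upn in $suspects) {
    Start-HawkUserInvestigation -UserPrincipalName $upn
}

# --- Triage -----------------------------------------------------------------
# Point this at the investigation root you gave Hawk (assumed path).
# This half can be rerun on its own against an existing case folder.
$root = 'C:\HawkCases\case-0001'

# Every _Investigate_*.csv is a lead. Summarise them per scope (the 'Tenant'
# folder or a user's UPN folder) so the responder sees where findings sit.
$flags = Get-ChildItem -Path $root -Recurse -Filter '_Investigate_*.csv' |
    ForEach-Object {
        $rows = @(Import-Csv -Path $_.FullName)
        $cols = if ($rows.Count -gt 0) {
            $rows[0].PSObject.Properties.Name -join ', '
        } else {
            '(header only)'
        }
        [pscustomobject]@{
            Scope   = $_.Directory.Name
            Finding = $_.BaseName -replace '^_Investigate_', ''
            Rows    = $rows.Count
            Columns = $cols
            File    = $_.FullName
        }
    }

$flags | Sort-Object Scope, Finding |
    Format-Table Scope, Finding, Rows, Columns -AutoSize

# Users carrying at least one non-empty flag are the next round of deep dives
$flags | Where-Object { $_.Scope -ne 'Tenant' -and $_.Rows -gt 0 } |
    Select-Object -ExpandProperty Scope -Unique

# Fix the evidence: a SHA-256 manifest written outside the case folder so the
# collected CSVs can later be shown to be unaltered.
$manifest = Join-Path (Split-Path -Path $root -Parent) 'case-0001.sha256.csv'
Get-ChildItem -Path $root -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $manifest -NoTypeInformation
```

The `Columns` field is there because the `_Investigate_` files are not all shaped the same; seeing the header tells you which CSV to open first without reading each one. Hash the tree before anyone opens a file in Excel, which rewrites CSVs on save.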

# Contributing

Everyone is welcome to contribute to Hawk. The goal is to maintain a community-led tool that provides security professionals with the resources they need.

## Ways to Contribute

1. **Join the Development Team**: Contact us at [email protected]
2. **Submit Feature Requests**: Use our [feature request template](https://github.com/T0pCyber/hawk/issues/new?template=01_feature_request_form.yml)
3. **Report Issues**: Use our [bug report template](https://github.com/T0pCyber/hawk/issues/new?template=02_bug_report_form.yml)

For critical issues or inquiries, email [email protected].

# Support

- [PowerShell Gallery Package](https://www.powershellgallery.com/packages/HAWK)
- [GitHub Issues](https://github.com/T0pCyber/hawk/issues)
- [GitHub Discussions](https://github.com/T0pCyber/hawk/discussions)
- Email: [email protected]

# **Hawk Telemetry Disclosure**

## **Overview**

Hawk, the open-source PowerShell module, collects limited usage data to help improve the module by identifying the most frequently used features. This data assists in prioritizing updates, enhancements, and new functionality.

## **What Data is Collected?**

✅ **Collected Data:**

- Function names that are run within Hawk.
- Region of use

❌ **Not Collected:**

- No user-identifiable data.
- No script inputs, outputs, or arguments.
- No personal, confidential, or sensitive data.
- No data is shared or sold.

## **Why is This Data Collected?**

The telemetry helps us understand which functions are used most frequently so we can:

- Prioritize updates and improvements.
- Optimize performance for widely used features.
- Make data-driven decisions about future development.

## **How is the Data Used?**

The collected data is strictly used for internal development purposes to enhance the Hawk module. It is never shared, sold, or used for any form of tracking beyond feature usage.