diff --git a/Hawk/Hawk.psd1 b/Hawk/Hawk.psd1 index 9d9c557..2bb98de 100644 --- a/Hawk/Hawk.psd1 +++ b/Hawk/Hawk.psd1 @@ -81,7 +81,7 @@ 'Get-HawkUserMessageTrace', 'Get-HawkUserMobileDevice', 'Get-HawkTenantEntraIDAdmin', - 'Get-HawkTenantEXOAdmins', + 'Get-HawkTenantEXOAdmin', 'Get-HawkTenantMailItemsAccessed', 'Get-HawkTenantAppAndSPNCredentialDetail', 'Get-HawkTenantEntraIDUser', diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1 index b22eeb8..8e204d9 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1 @@ -167,7 +167,7 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @( } catch { # Log a warning if the recipient cannot be resolved. - Out-LogFile "Unable to resolve forwarding recipient: $forwardingAddress" -Notice + Out-LogFile "Unable to resolve forwarding recipient: $forwardingAddress" -isError # Add an unresolved entry for transparency in the output. $ForwardingDestinations += [PSCustomObject]@{ UserModified = $targetUser @@ -198,7 +198,7 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @( } else { # Log a warning if the parsing of audit data fails. - Out-LogFile "Error: Failed to parse forwarding change audit data" -Notice + Out-LogFile "Error: Failed to parse forwarding change audit data" -isError } } else { @@ -209,7 +209,7 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @( } catch { # Log an error if the analysis encounters an exception. - Out-LogFile "Error analyzing email forwarding changes: $($_.Exception.Message)" -Notice + Out-LogFile "Error analyzing email forwarding changes: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } 
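Review bot: The comment above the first changed line in the @@ -167 hunk of Get-HawkTenantAdminEmailForwardingChange still reads `# Log a warning if the recipient cannot be resolved.` while the call now passes `-isError`, and the comments at @@ -198 and @@ -209 have the same mismatch; suggest `# Log an error if the recipient cannot be resolved.` and `# Log an error if the parsing of audit data fails.` so the comments match the new severity. Separately, the @@ -198 message keeps a literal `Error: ` prefix in front of a call that is now tagged `-isError`, as do the parse-failure lines in Get-HawkTenantAdminInboxRuleCreation, Get-HawkTenantAdminInboxRuleModification, Get-HawkTenantAdminInboxRuleRemoval, Get-HawkTenantAdminMailboxPermissionChange and Get-HawkTenantRbacChange, whereas the Get-HawkTenantAuthHistory hunk drops its `[ERROR] - ` prefix when it adds `-isError`. If the switch supplies its own marker these messages will be double-tagged, so drop the hand-written prefix, e.g. `Out-LogFile "Failed to parse forwarding change audit data" -isError`. The enclosing try/catch and function start outside these hunks.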
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 index 5d3b417..1173af1 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 @@ -105,15 +105,15 @@ Function Get-HawkTenantAdminInboxRuleCreation { } } else { - Out-LogFile "Error: Failed to parse inbox rule audit data" -Notice + Out-LogFile "Error: Failed to parse inbox rule audit data" -isError } } else { - Out-LogFile "No admin inbox rule creation events found in audit logs" + Out-LogFile "No admin inbox rule creation events found in audit logs" -Information } } catch { - Out-LogFile "Error analyzing admin inbox rule creation: $($_.Exception.Message)" -Notice + Out-LogFile "Error analyzing admin inbox rule creation: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 index 74257e8..7e32d0a 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 @@ -66,7 +66,7 @@ Function Get-HawkTenantAdminInboxRuleModification { [array]$ModifiedInboxRules = Get-AllUnifiedAuditLogEntry -UnifiedSearch $searchCommand if ($ModifiedInboxRules.Count -gt 0) { - Out-LogFile ("Found " + $ModifiedInboxRules.Count + " admin inbox rule modifications in audit logs") -Action + Out-LogFile ("Found " + $ModifiedInboxRules.Count + " admin inbox rule modifications in audit logs") -Information # Write raw audit data with action flag $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Modification_Raw.json" 
@@ -108,15 +108,15 @@ Function Get-HawkTenantAdminInboxRuleModification { } } else { - Out-LogFile "Error: Failed to parse inbox rule audit data" -Notice + Out-LogFile "Error: Failed to parse inbox rule audit data" -isError } } else { - Out-LogFile "No inbox rule modifications found in audit logs" + Out-LogFile "No inbox rule modifications found in audit logs" -Information } } catch { - Out-LogFile "Error analyzing admin inbox rule modifications: $($_.Exception.Message)" -Notice + Out-LogFile "Error analyzing admin inbox rule modifications: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 index 4b54332..1ed24b7 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 @@ -107,15 +107,15 @@ Function Get-HawkTenantAdminInboxRuleRemoval { } } else { - Out-LogFile "Error: Failed to parse inbox rule removal audit data" -Notice + Out-LogFile "Error: Failed to parse inbox rule removal audit data" -isError } } else { - Out-LogFile "No inbox rule removals found in audit logs" + Out-LogFile "No inbox rule removals found in audit logs" -Information } } catch { - Out-LogFile "Error analyzing admin inbox rule removals: $($_.Exception.Message)" -Notice + Out-LogFile "Error analyzing admin inbox rule removals: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminMailboxPermissionChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminMailboxPermissionChange.ps1 index d56588f..2de5c15 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminMailboxPermissionChange.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminMailboxPermissionChange.ps1 
@@ -47,7 +47,7 @@ Function Get-HawkTenantAdminMailboxPermissionChange { [array]$PermissionChanges = Get-AllUnifiedAuditLogEntry -UnifiedSearch $searchCommand if ($PermissionChanges.Count -gt 0) { - Out-LogFile ("Found " + $PermissionChanges.Count + " mailbox permission changes in audit logs") + Out-LogFile ("Found " + $PermissionChanges.Count + " mailbox permission changes in audit logs") -Information # Process and output the results $ParsedChanges = $PermissionChanges | Get-SimpleUnifiedAuditLog @@ -94,15 +94,15 @@ Function Get-HawkTenantAdminMailboxPermissionChange { } } else { - Out-LogFile "Error: Failed to parse mailbox permission audit data" -Notice + Out-LogFile "Error: Failed to parse mailbox permission audit data" -isError } } else { - Out-LogFile "No mailbox permission changes found in audit logs" + Out-LogFile "No mailbox permission changes found in audit logs" -Information } } catch { - Out-LogFile "Error analyzing mailbox permission changes: $($_.Exception.Message)" -Notice + Out-LogFile "Error analyzing mailbox permission changes: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetail.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetail.ps1 index 3fb30c4..bf29009 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetail.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetail.ps1 
@@ -40,21 +40,21 @@ $spnResults = @() $appResults = @() - Out-LogFile "Collecting Entra ID Service Principals" + Out-LogFile "Collecting Entra ID Service Principals" -Action try { $spns = Get-MgServicePrincipal -All | Sort-Object -Property DisplayName - Out-LogFile "Collecting Entra ID Registered Applications" + Out-LogFile "Collecting Entra ID Registered Applications" -Action $apps = Get-MgApplication -All | Sort-Object -Property DisplayName } catch { - Out-LogFile "Error retrieving Service Principals or Applications: $($_.Exception.Message)" -Notice + Out-LogFile "Error retrieving Service Principals or Applications: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } PROCESS { try { - Out-LogFile "Exporting Service Principal Certificate and Password details" + Out-LogFile "Exporting Service Principal Certificate and Password details" -Action foreach ($spn in $spns) { # Process key credentials foreach ($key in $spn.KeyCredentials) { @@ -96,7 +96,7 @@ $spnResults | ConvertTo-Json | Out-File -FilePath (Join-Path -Path $tenantPath -ChildPath "SPNCertsAndSecrets.json") } - Out-LogFile "Exporting Registered Applications Certificate and Password details" + Out-LogFile "Exporting Registered Applications Certificate and Password details" -Action foreach ($app in $apps) { # Process key credentials foreach ($key in $app.KeyCredentials) { @@ -139,12 +139,12 @@ } } catch { - Out-LogFile "Error processing credentials: $($_.Exception.Message)" -Notice + Out-LogFile "Error processing credentials: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } END { - Out-Logfile "Completed exporting Azure AD Service Principal and App Registration Certificate and Password Details" + Out-Logfile "Completed exporting Azure AD Service Principal and App Registration Certificate and Password Details" -Information } } \ No newline at end of file 
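Review bot: The END message in the @@ -139 hunk still says `Azure AD Service Principal and App Registration` while the new `-Action` lines in this file's @@ -40 hunk say `Entra ID`, and the call is spelled `Out-Logfile` where every other call in the file is `Out-LogFile`. PowerShell resolves both spellings, so this is style only, but since the line is being edited anyway: `Out-LogFile "Completed exporting Entra ID Service Principal and App Registration Certificate and Password Details" -Information`. The same `Out-Logfile` spelling is carried over in the Get-HawkTenantAuditLog, Get-HawkTenantAuthHistory, Get-HawkTenantEXOAdmin, Get-HawkTenantEntraIDUser and Get-HawkTenantMailItemsAccessed hunks. The enclosing function starts outside the hunk.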
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1 index 7049459..11273cf 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1 @@ -26,7 +26,7 @@ BEGIN{ if ([string]::IsNullOrEmpty($Hawk.FilePath)) { Initialize-HawkGlobalObject } - Out-LogFile "Gathering Azure AD Audit Logs events" + Out-LogFile "Gathering Azure AD Audit Logs events" -Action } PROCESS{ $auditLogsResponse = Get-MgAuditLogDirectoryAudit -All @@ -47,6 +47,6 @@ PROCESS{ } END{ $auditLogs | Sort-Object -Property ActivityDateTime | Out-MultipleFileType -FilePrefix "AzureADAuditLog" -csv -json - Out-Logfile "Completed exporting Azure AD audit logs" + Out-Logfile "Completed exporting Azure AD audit logs" -Information } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1 index f999d72..9d195fd 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1 @@ -38,7 +38,7 @@ # Make sure the start date isn't more than 90 days in the past if ((Get-Date).adddays(-91) -gt $StartDate) { - Out-Logfile "[ERROR] - Start date is over 90 days in the past" + Out-Logfile "Start date is over 90 days in the past" -isError break } @@ -64,7 +64,7 @@ # See if we have results if so push to csv file if ($null -eq $output) { - Out-LogFile ("No results found for time period " + $CurrentStart + " - " + $CurrentEnd) + Out-LogFile ("No results found for time period " + $CurrentStart + " - " + $CurrentEnd) -Information } else { $output | Out-MultipleFileType -FilePrefix "Audit_Log_Full_$prefix" -Append -csv -json diff --git a/Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1 index d584f72..c68d08a 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1 
+++ b/Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1 @@ -33,7 +33,7 @@ PROCESS{ $AzureApplicationActivityEvents = $null Out-LogFile "Searching Unified Audit Logs Azure Activities" -Action -Out-LogFile "Searching for Application Activities" +Out-LogFile "Searching for Application Activities" -Action # Search the unified audit log for events related to application activity # https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants @@ -41,7 +41,7 @@ $AzureApplicationActivityEvents = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("S # If null we found no changes to nothing to do here if ($null -eq $AzureApplicationActivityEvents){ - Out-LogFile "No Application related events found in the search time frame." + Out-LogFile "No Application related events found in the search time frame." -Information } # If not null then we must have found some events so flag them diff --git a/Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1 b/Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1 index 65eb741..a312581 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1 
@@ -64,18 +64,18 @@ #Check Audit Log Config Setting and make sure it is enabled Out-LogFile "Gathering Tenant Configuration Information" -action - Out-LogFile "Admin Audit Log" + Out-LogFile "Gathering Admin Audit Log" -action Get-AdminAuditLogConfig | Out-MultipleFileType -FilePrefix "AdminAuditLogConfig" -txt -xml - Out-LogFile "Organization Configuration" + Out-LogFile "Gathering Organization Configuration" -action Get-OrganizationConfig| Out-MultipleFileType -FilePrefix "OrgConfig" -xml -txt - Out-LogFile "Remote Domains" + Out-LogFile "Gathering Remote Domains" -action Get-RemoteDomain | Out-MultipleFileType -FilePrefix "RemoteDomain" -xml -csv -json - Out-LogFile "Transport Rules" + Out-LogFile "Gathering Transport Rules" -action Get-TransportRule | Out-MultipleFileType -FilePrefix "TransportRules" -xml -csv -json - Out-LogFile "Transport Configuration" + Out-LogFile "Gathering Transport Configuration" -action Get-TransportConfig | Out-MultipleFileType -FilePrefix "TransportConfig" -xml -csv -json } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1 b/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1 index c7b3613..5e5e682 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1 @@ -25,7 +25,7 @@ [CmdletBinding()] param() - Out-LogFile "Gathering OAuth / Application Grants" + Out-LogFile "Gathering OAuth / Application Grants" -Action Test-GraphConnection 
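Review bot: The five new `-action` switches in the @@ -64 hunk of Get-HawkTenantConfiguration are lower-case while every other hunk in this commit writes `-Action` (for example the Get-HawkTenantConsentGrant @@ -25 hunk on the same line). Parameter binding is case-insensitive so behaviour is unaffected, but a commit whose purpose is to harmonize Out-LogFile calls should settle on one spelling, e.g. `Out-LogFile "Gathering Admin Audit Log" -Action`; the untouched context line `Out-LogFile "Gathering Tenant Configuration Information" -action` is worth aligning at the same time. The enclosing function starts outside the hunk.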
@@ -44,12 +44,12 @@ } if ($flag) { - Out-LogFile 'Review the information at the following link to understand these results' -notice - Out-LogFile 'https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants' -notice + Out-LogFile 'Review the information at the following link to understand these results' -Information + Out-LogFile 'https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants' -Information } else { - Out-LogFile "To review this data follow:" - Out-LogFile "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants" + Out-LogFile "To review this data follow:" -Information + Out-LogFile "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants" -Information } $Grants | Out-MultipleFileType -FilePrefix "Consent_Grants" -csv -json diff --git a/Hawk/functions/Tenant/Get-HawkTenantDomainActivity.ps1 b/Hawk/functions/Tenant/Get-HawkTenantDomainActivity.ps1 index 4c455b5..e512b61 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantDomainActivity.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantDomainActivity.ps1 @@ -36,7 +36,7 @@ Function Get-HawkTenantDomainActivity { $DomainConfigurationEvents = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'AzureActiveDirectory' -Operations 'Set-AcceptedDomain','Add-FederatedDomain','Update Domain','Add verified domain', 'Add unverified domain', 'remove unverified domain'") # If null we found no changes to nothing to do here if ($null -eq $DomainConfigurationEvents){ - Out-LogFile "No Domain configuration changes found." + Out-LogFile "No Domain configuration changes found." -Information } # If not null then we must have found some events so flag them else{ 
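Review bot: The `if ($flag)` branch in the @@ -44 hunk of Get-HawkTenantConsentGrant replaces `-notice` with `-Information`, which makes its two log lines indistinguishable from the `else` branch and removes whatever emphasis `-notice` gave the flagged case. What `$flag` represents is not visible in this hunk, but the two branches existed precisely to log that case differently, and this commit otherwise reserves `-Information` for neutral progress messages. If the flag marks grants that deserve investigator attention, keep a distinct level on the two lines in the true branch; if it does not, the now-identical branches should be collapsed into a single pair of calls rather than left duplicated. The enclosing function body continues outside the hunk.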
@@ -79,6 +79,6 @@ Function Get-HawkTenantDomainActivity { } } END{ - Out-LogFile "Completed gathering Domain configuration changes" + Out-LogFile "Completed gathering Domain configuration changes" -Information } }#End Function Get-HawkTenantDomainActivity diff --git a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1 index 978fa31..fb601e8 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1 @@ -50,7 +50,7 @@ $eDiscoveryLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'Discovery'") # If null we found no changes to nothing to do here if ($null -eq $eDiscoveryLogs) { - Out-LogFile "No eDiscovery Logs found" + Out-LogFile "No eDiscovery Logs found" -Information } # If not null then we must have found some events so flag them diff --git a/Hawk/functions/Tenant/Get-HawkTenantEXOAdmins.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEXOAdmin.ps1 similarity index 89% rename from Hawk/functions/Tenant/Get-HawkTenantEXOAdmins.ps1 rename to Hawk/functions/Tenant/Get-HawkTenantEXOAdmin.ps1 index 9d35dfd..6cd04ca 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantEXOAdmins.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantEXOAdmin.ps1 @@ -1,4 +1,4 @@ -Function Get-HawkTenantEXOAdmins{ +Function Get-HawkTenantEXOAdmin{ <# .SYNOPSIS Exchange Online Administrator export. Must be connected to Exchange Online using the Connect-EXO cmdlet @@ -14,7 +14,7 @@ .NOTES #> BEGIN{ - Out-LogFile "Gathering Exchange Online Administrators" + Out-LogFile "Gathering Exchange Online Administrators" -Action Test-EXOConnection Send-AIEvent -Event "CmdRun" @@ -43,7 +43,7 @@ PROCESS{ } END{ - Out-Logfile "Completed exporting Exchange Online Admins" + Out-Logfile "Completed exporting Exchange Online Admins" -Information } }#End Function 
diff --git a/Hawk/functions/Tenant/Get-HawkTenantEntraIDAdmin.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEntraIDAdmin.ps1 index 8cb7735..b1f32a8 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantEntraIDAdmin.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantEntraIDAdmin.ps1 @@ -24,7 +24,7 @@ if ([string]::IsNullOrEmpty($Hawk.FilePath)) { Initialize-HawkGlobalObject } - Out-LogFile "Gathering Microsoft Entra ID Administrators" + Out-LogFile "Gathering Microsoft Entra ID Administrators" -Action # Verify Graph API connection Test-GraphConnection @@ -79,20 +79,20 @@ # Export results if any roles were found if ($roles) { $roles | Out-MultipleFileType -FilePrefix "EntraIDAdministrators" -csv -json - Out-LogFile "Successfully exported Microsoft Entra ID Administrators data" + Out-LogFile "Successfully exported Microsoft Entra ID Administrators data" -Information } else { - Out-LogFile "No administrator roles found or accessible" -notice + Out-LogFile "No administrator roles found or accessible" -Information } } catch { # Handle and log any errors during execution - Out-LogFile "Error retrieving Microsoft Entra ID Administrators: $($_.Exception.Message)" -notice + Out-LogFile "Error retrieving Microsoft Entra ID Administrators: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } END { - Out-LogFile "Completed exporting Microsoft Entra ID Admins" + Out-LogFile "Completed exporting Microsoft Entra ID Admins" -Information } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantEntraIDUser.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEntraIDUser.ps1 index d10d0c7..23694c9 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantEntraIDUser.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantEntraIDUser.ps1 
@@ -24,7 +24,7 @@ if ([string]::IsNullOrEmpty($Hawk.FilePath)) { Initialize-HawkGlobalObject } - Out-LogFile "Gathering Entra ID Users" + Out-LogFile "Gathering Entra ID Users" -Action # Ensure we have a valid Graph connection Test-GraphConnection @@ -56,10 +56,10 @@ Out-MultipleFileType -FilePrefix "EntraIDUsers" -csv -json } else { - Out-LogFile "No users found" + Out-LogFile "No users found" -Information } } END { - Out-Logfile "Completed exporting Entra ID users" + Out-Logfile "Completed exporting Entra ID users" -Information } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Get-HawkTenantInboxRule.ps1 b/Hawk/functions/Tenant/Get-HawkTenantInboxRule.ps1 index 67837e7..b9ff844 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantInboxRule.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantInboxRule.ps1 @@ -69,7 +69,7 @@ # If yes log and continue # If no log error and exit switch ($result) { - 0 { Out-LogFile "Starting full Tenant Search" } + 0 { Out-LogFile "Starting full Tenant Search" -Action} 1 { Write-Error -Message "User Stopped Cmdlet" -ErrorAction Stop } } @@ -77,7 +77,7 @@ $exopssession = get-pssession | Where-Object { ($_.ConfigurationName -eq 'Microsoft.Exchange') -and ($_.State -eq 'Opened') } # Gather all of the mailboxes - Out-LogFile "Getting all Mailboxes" + Out-LogFile "Getting all Mailboxes" -Action # If we don't have a value for csvpath then gather all users in the tenant if ([string]::IsNullOrEmpty($CSVPath)) { 
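Review bot: The new line in the @@ -69 hunk of Get-HawkTenantInboxRule has no space before the closing brace, `0 { Out-LogFile "Starting full Tenant Search" -Action}`, while the sibling arm on the next line is spaced as `... -ErrorAction Stop }`; write `0 { Out-LogFile "Starting full Tenant Search" -Action }`. The switch sits inside a function whose start is outside the hunk.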
@@ -95,18 +95,32 @@ } # Report how many mailboxes we are going to operate on - Out-LogFile ("Found " + $AllMailboxes.count + " Mailboxes") + Out-LogFile ("Found " + $AllMailboxes.count + " Mailboxes") -Information # Path for robust log file - $RobustLog = Join-path $Hawk.FilePath "Robust.log" + # $RobustLog = Join-path $Hawk.FilePath "Robust.log" # Build the command we are going to need to run with Start-RobustCloudCommand - $cmd = "Start-RobustCloudCommand -UserPrincipalName " + $UserPrincipalName + " -logfile `$RobustLog -recipients `$AllMailboxes -scriptblock {Get-HawkUserInboxRule -UserPrincipalName `$input.PrimarySmtpAddress.tostring()}" + # $cmd = "Start-RobustCloudCommand -UserPrincipalName " + $UserPrincipalName + " -logfile `$RobustLog -recipients `$AllMailboxes -scriptblock {Get-HawkUserInboxRule -UserPrincipalName `$input.PrimarySmtpAddress.tostring()}" + $AllMailboxes | ForEach-Object { + Start-RobustCloudCommand -UserPrincipalName $UserPrincipalName -LogFile $RobustLog -Recipients $_ -ScriptBlock { + Get-HawkUserInboxRule -UserPrincipalName $_.PrimarySmtpAddress + } + } + + # Invoke our Start-Robust command to get all of the inbox rules - Out-LogFile "===== Starting Robust Cloud Command to gather user inbox rules for all tenant users =====" - Out-LogFile $cmd - Invoke-Expression $cmd + Out-LogFile "===== Starting Robust Cloud Command to gather user inbox rules for all tenant users =====" -Action + # Out-LogFile $cmd + # Invoke-Expression $cmd + + # Build the command directly without using Invoke-Expression + $AllMailboxes | ForEach-Object { + Start-RobustCloudCommand -UserPrincipalName $UserPrincipalName -LogFile $RobustLog -Recipients $_ -ScriptBlock { + Get-HawkUserInboxRule -UserPrincipalName $_.PrimarySmtpAddress + } + } - Out-LogFile "Process Complete" + Out-LogFile "Process Complete" -Information } \ No newline at end of file 
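Review bot: The new `$AllMailboxes | ForEach-Object { Start-RobustCloudCommand ... }` block in the @@ -95 hunk of Get-HawkTenantInboxRule appears twice, once before the `===== Starting Robust Cloud Command` log line and once after it, so every mailbox is handed to Start-RobustCloudCommand two times. In the same hunk the `$RobustLog = Join-path $Hawk.FilePath "Robust.log"` assignment is commented out, yet both loops still pass `-LogFile $RobustLog`, which is now an unassigned variable. Dropping Invoke-Expression is the right change, and it allows the original call shape to be kept: pass `-Recipients $AllMailboxes` once and leave the script block on `$input` as the old command did, since whether `$_` is bound inside Start-RobustCloudCommand's script block cannot be confirmed from this hunk and the per-mailbox loop changes how the command is driven. The commented-out `$cmd`, `Out-LogFile $cmd` and `Invoke-Expression $cmd` lines should be deleted rather than kept. The enclosing function starts outside the hunk.
```powershell
# Report how many mailboxes we are going to operate on
Out-LogFile ("Found " + $AllMailboxes.count + " Mailboxes") -Information

# Path for robust log file
$RobustLog = Join-Path $Hawk.FilePath "Robust.log"

# Call Start-RobustCloudCommand directly (no Invoke-Expression) to gather all of the inbox rules
Out-LogFile "===== Starting Robust Cloud Command to gather user inbox rules for all tenant users =====" -Action
Start-RobustCloudCommand -UserPrincipalName $UserPrincipalName -LogFile $RobustLog -Recipients $AllMailboxes -ScriptBlock {
    Get-HawkUserInboxRule -UserPrincipalName $input.PrimarySmtpAddress.ToString()
}

Out-LogFile "Process Complete" -Information
```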
diff --git a/Hawk/functions/Tenant/Get-HawkTenantMailItemsAccessed.ps1 b/Hawk/functions/Tenant/Get-HawkTenantMailItemsAccessed.ps1 index 16ed012..4ce4025 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantMailItemsAccessed.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantMailItemsAccessed.ps1 @@ -33,7 +33,7 @@ ) BEGIN { - Out-LogFile "Starting Unified Audit Log (UAL) search for 'MailItemsAccessed'" + Out-LogFile "Starting Unified Audit Log (UAL) search for 'MailItemsAccessed'" -Action }#End Begin @@ -45,7 +45,7 @@ PROCESS{ END{ - Out-Logfile "Completed exporting MailItemsAccessed logs" + Out-Logfile "Completed exporting MailItemsAccessed logs" -Information }#End End diff --git a/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 index e191b59..cfbb336 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 @@ -79,14 +79,14 @@ $searchCommand = "Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations " + "'$($RBACOperations -join "','")'" - Out-LogFile "Searching for RBAC changes using Unified Audit Log..." + Out-LogFile "Searching for RBAC changes using Unified Audit Log." -Action # Get all RBAC changes using Get-AllUnifiedAuditLogEntry [array]$RBACChanges = Get-AllUnifiedAuditLogEntry -UnifiedSearch $searchCommand # Process results if any found if ($RBACChanges.Count -gt 0) { - Out-LogFile ("Found " + $RBACChanges.Count + " changes made to Roles-Based Access Control") + Out-LogFile ("Found " + $RBACChanges.Count + " changes made to Roles-Based Access Control") -Information # Write raw audit data JSON for reference $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "RBAC_Changes_Raw.json" 
@@ -104,15 +104,15 @@ $RBACChanges | Out-MultipleFileType -FilePrefix "RBAC_Changes" -csv -json } else { - Out-LogFile "Error: Failed to parse RBAC changes" -Notice + Out-LogFile "Error: Failed to parse RBAC changes" -isError } } else { - Out-LogFile "No RBAC changes found." + Out-LogFile "No RBAC changes found." -Information } } catch { - Out-LogFile "Error searching for RBAC changes: $($_.Exception.Message)" -Notice + Out-LogFile "Error searching for RBAC changes: $($_.Exception.Message)" -isError Write-Error -ErrorRecord $_ -ErrorAction Continue } } \ No newline at end of file diff --git a/Hawk/functions/Tenant/Search-HawkTenantActivityByIP.ps1 b/Hawk/functions/Tenant/Search-HawkTenantActivityByIP.ps1 index 6a9ac3f..7625933 100644 --- a/Hawk/functions/Tenant/Search-HawkTenantActivityByIP.ps1 +++ b/Hawk/functions/Tenant/Search-HawkTenantActivityByIP.ps1 @@ -52,7 +52,7 @@ # Make sure we got only a single IP address if ($IpAddress -like "*,*") { - Out-LogFile "Please provide a single IP address to search." + Out-LogFile "Please provide a single IP address to search." -Information Write-Error -Message "Please provide a single IP address to search." -ErrorAction Stop } @@ -63,7 +63,7 @@ # If we didn't get anything back log it if ($null -eq $ipevents) { - Out-LogFile ("No IP logon events found for IP " + $IpAddress) + Out-LogFile ("No IP logon events found for IP " + $IpAddress) -Information } # If we did then process it 
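Review bot: The `Please provide a single IP address to search.` line in the @@ -52 hunk of Search-HawkTenantActivityByIP is logged with `-Information` although the very next line is `Write-Error ... -ErrorAction Stop`, so this is a terminating input-validation failure, not a progress message. Elsewhere in this commit a terminating validation check gets `-isError` (the 90-day start-date check in Get-HawkTenantAuthHistory); use `Out-LogFile "Please provide a single IP address to search." -isError` here so the log file records the abort at the same level. The enclosing function starts outside the hunk.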
@@ -71,12 +71,12 @@ # Expand out the Data and convert from JSON [array]$ipeventsexpanded = $ipevents | Select-object -ExpandProperty AuditData | ConvertFrom-Json - Out-LogFile ("Found " + $ipeventsexpanded.count + " related to provided IP" ) + Out-LogFile ("Found " + $ipeventsexpanded.count + " related to provided IP" ) -Information $ipeventsexpanded | Out-MultipleFileType -FilePrefix "All_Events" -csv -json -User $DirectoryName # Get the logon events that were a success [array]$successipevents = $ipeventsexpanded | Where-Object { $_.ResultStatus -eq "success" } - Out-LogFile ("Found " + $successipevents.Count + " Successful logons related to provided IP") + Out-LogFile ("Found " + $successipevents.Count + " Successful logons related to provided IP") -Information $successipevents | Out-MultipleFileType -FilePrefix "Success_Events" -csv -json -User $DirectoryName # Select all unique users accessed by this IP diff --git a/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 b/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 index 3577944..4b8e36b 100644 --- a/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 +++ b/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 @@ -98,8 +98,8 @@ # } # if ($PSCmdlet.ShouldProcess("Exchange Admins", "Get Exchange admin list")) { - # Out-LogFile "Running Get-HawkTenantEXOAdmins" -action - # Get-HawkTenantEXOAdmins + # Out-LogFile "Running Get-HawkTenantEXOAdmin" -action + # Get-HawkTenantEXOAdmin # } # if ($PSCmdlet.ShouldProcess("Consent Grants", "Get consent grants")) {
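Review bot: The message in the @@ -71 hunk of Search-HawkTenantActivityByIP, `"Found " + $ipeventsexpanded.count + " related to provided IP"`, is missing the noun for what was counted, unlike the `Successful logons` line two statements below; since the line is being edited anyway, `Out-LogFile ("Found " + $ipeventsexpanded.count + " events related to provided IP") -Information`. The enclosing function starts outside the hunk.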