Merge pull request #221 from T0pCyber/bugfix/150-bug-update-get-hawkt…

…enantediscoveryconfigurationps1-to-use-modern-ediscovery-cmdlets

Bugfix/150 bug update get hawktenantediscoveryconfigurationps1 to use modern ediscovery cmdlets

Hawk/Hawk.psd1

@@ -81,7 +81,7 @@
 	'Get-HawkUserMessageTrace',
 	'Get-HawkUserMobileDevice',
 	'Get-HawkTenantEntraIDAdmin',
-	'Get-HawkTenantEXOAdmins',
+	'Get-HawkTenantEXOAdmin',
 	'Get-HawkTenantMailItemsAccessed',
 	'Get-HawkTenantAppAndSPNCredentialDetail',
 	'Get-HawkTenantEntraIDUser',
@@ -113,7 +113,7 @@
 			Tags         = @("O365", "Security", "Audit", "Breach", "Investigation", "Exchange", "EXO", "Compliance", "Logon", "M365", "Incident-Response", "Solarigate")
 
 			# A URL to the license for this module.
-			LicenseUri   = 'https://github.com/T0pCyber/Hawk/LICENSE'
+			LicenseUri   = 'https://github.com/T0pCyber/hawk/blob/master/LICENSE'
 
 			# A URL to the main website for this project.
 			ProjectUri   = 'https://github.com/T0pCyber/Hawk'

Hawk/changelog.md

@@ -60,7 +60,7 @@
 - Removed Robust Cloud Command from build as it was not being used in the code base anymore
 - Updated PowerShell API key in GitHub to fix build.yml issue where the Hawk would not publish to gallery on merge to main
 
-## 3.2.3 (2024-12-20)
+## 3.2.3 (2025-1-07)
 
 - Replaced all AzureAD functionality with Microsoft Graph commands.
 - Updated Get-HawkTenantAZAdmins to use Microsoft Graph.
@@ -78,3 +78,7 @@
 - Removed ability to detect RBAC Application Impersonation as this is being deprecated / removed in FEB 2025.
 - Updated Out-Log file, adding -Information parameter for tagging prompts with INFO for status updates.
 - Updated Out-Log file, modifying -Notice parameter for tagging prompts with INVESTIGATE in brackets instead of asterisks, for uniformity purposes.
+- Fixed critical lack of avian artwork in startup sequence by adding ASCII welcome banner.
+- Updated all post Global Hawk Variable Initialized code to use prompt tagging.
+- Modified Out-MultipleFileType to not output "appending to file" to STDOUT repetitively.
+- Updated Get-HawkTenantEDiscoveryConfiguration to use non-deprecated means of collecting / analyzing eDiscovery role assignments.

Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1

@@ -167,7 +167,7 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @(
                             }
                             catch {
                                 # Log a warning if the recipient cannot be resolved.
-                                Out-LogFile "Unable to resolve forwarding recipient: $forwardingAddress" -Notice
+                                Out-LogFile "Unable to resolve forwarding recipient: $forwardingAddress" -isError
                                 # Add an unresolved entry for transparency in the output.
                                 $ForwardingDestinations += [PSCustomObject]@{
                                     UserModified = $targetUser
@@ -198,7 +198,7 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @(
             }
             else {
                 # Log a warning if the parsing of audit data fails.
-                Out-LogFile "Error: Failed to parse forwarding change audit data" -Notice
+                Out-LogFile "Error: Failed to parse forwarding change audit data" -isError
             }
         }
         else {
@@ -209,7 +209,7 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @(
     }
     catch {
         # Log an error if the analysis encounters an exception.
-        Out-LogFile "Error analyzing email forwarding changes: $($_.Exception.Message)" -Notice
+        Out-LogFile "Error analyzing email forwarding changes: $($_.Exception.Message)" -isError
         Write-Error -ErrorRecord $_ -ErrorAction Continue
     }
 }

Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1

@@ -105,15 +105,15 @@ Function Get-HawkTenantAdminInboxRuleCreation {
                 }
             }
             else {
-                Out-LogFile "Error: Failed to parse inbox rule audit data" -Notice
+                Out-LogFile "Error: Failed to parse inbox rule audit data" -isError
             }
         }
         else {
-            Out-LogFile "No admin inbox rule creation events found in audit logs"
+            Out-LogFile "No admin inbox rule creation events found in audit logs" -Information
         }
     }
     catch {
-        Out-LogFile "Error analyzing admin inbox rule creation: $($_.Exception.Message)" -Notice
+        Out-LogFile "Error analyzing admin inbox rule creation: $($_.Exception.Message)" -isError
         Write-Error -ErrorRecord $_ -ErrorAction Continue
     }
 }

Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1

@@ -66,7 +66,7 @@ Function Get-HawkTenantAdminInboxRuleModification {
         [array]$ModifiedInboxRules = Get-AllUnifiedAuditLogEntry -UnifiedSearch $searchCommand
 
         if ($ModifiedInboxRules.Count -gt 0) {
-            Out-LogFile ("Found " + $ModifiedInboxRules.Count + " admin inbox rule modifications in audit logs") -Action
+            Out-LogFile ("Found " + $ModifiedInboxRules.Count + " admin inbox rule modifications in audit logs") -Information
 
             # Write raw audit data with action flag
             $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Modification_Raw.json"
@@ -108,15 +108,15 @@ Function Get-HawkTenantAdminInboxRuleModification {
                 }
             }
             else {
-                Out-LogFile "Error: Failed to parse inbox rule audit data" -Notice
+                Out-LogFile "Error: Failed to parse inbox rule audit data" -isError
             }
         }
         else {
-            Out-LogFile "No inbox rule modifications found in audit logs"
+            Out-LogFile "No inbox rule modifications found in audit logs" -Information
         }
     }
     catch {
-        Out-LogFile "Error analyzing admin inbox rule modifications: $($_.Exception.Message)" -Notice
+        Out-LogFile "Error analyzing admin inbox rule modifications: $($_.Exception.Message)" -isError
         Write-Error -ErrorRecord $_ -ErrorAction Continue
     }
 }

Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1

@@ -107,15 +107,15 @@ Function Get-HawkTenantAdminInboxRuleRemoval {
                 }
             }
             else {
-                Out-LogFile "Error: Failed to parse inbox rule removal audit data" -Notice
+                Out-LogFile "Error: Failed to parse inbox rule removal audit data" -isError
             }
         }
         else {
-            Out-LogFile "No inbox rule removals found in audit logs"
+            Out-LogFile "No inbox rule removals found in audit logs" -Information
         }
     }
     catch {
-        Out-LogFile "Error analyzing admin inbox rule removals: $($_.Exception.Message)" -Notice
+        Out-LogFile "Error analyzing admin inbox rule removals: $($_.Exception.Message)" -isError
         Write-Error -ErrorRecord $_ -ErrorAction Continue
     }
 }

Hawk/functions/Tenant/Get-HawkTenantAdminMailboxPermissionChange.ps1

@@ -47,7 +47,7 @@ Function Get-HawkTenantAdminMailboxPermissionChange {
         [array]$PermissionChanges = Get-AllUnifiedAuditLogEntry -UnifiedSearch $searchCommand
 
         if ($PermissionChanges.Count -gt 0) {
-            Out-LogFile ("Found " + $PermissionChanges.Count + " mailbox permission changes in audit logs")
+            Out-LogFile ("Found " + $PermissionChanges.Count + " mailbox permission changes in audit logs") -Information
 
             # Process and output the results
             $ParsedChanges = $PermissionChanges | Get-SimpleUnifiedAuditLog
@@ -94,15 +94,15 @@ Function Get-HawkTenantAdminMailboxPermissionChange {
                 }
             }
             else {
-                Out-LogFile "Error: Failed to parse mailbox permission audit data" -Notice
+                Out-LogFile "Error: Failed to parse mailbox permission audit data" -isError
             }
         }
         else {
-            Out-LogFile "No mailbox permission changes found in audit logs"
+            Out-LogFile "No mailbox permission changes found in audit logs" -Information
         }
     }
     catch {
-        Out-LogFile "Error analyzing mailbox permission changes: $($_.Exception.Message)" -Notice
+        Out-LogFile "Error analyzing mailbox permission changes: $($_.Exception.Message)" -isError
         Write-Error -ErrorRecord $_ -ErrorAction Continue
     }
 }

Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetail.ps1

@@ -40,21 +40,21 @@
         $spnResults = @()
         $appResults = @()
 
-        Out-LogFile "Collecting Entra ID Service Principals"
+        Out-LogFile "Collecting Entra ID Service Principals" -Action
         try {
             $spns = Get-MgServicePrincipal -All | Sort-Object -Property DisplayName
-            Out-LogFile "Collecting Entra ID Registered Applications"
+            Out-LogFile "Collecting Entra ID Registered Applications" -Action
             $apps = Get-MgApplication -All | Sort-Object -Property DisplayName
         }
         catch {
-            Out-LogFile "Error retrieving Service Principals or Applications: $($_.Exception.Message)" -Notice
+            Out-LogFile "Error retrieving Service Principals or Applications: $($_.Exception.Message)" -isError
             Write-Error -ErrorRecord $_ -ErrorAction Continue
         }
     }
 
     PROCESS {
         try {
-            Out-LogFile "Exporting Service Principal Certificate and Password details"
+            Out-LogFile "Exporting Service Principal Certificate and Password details" -Action
             foreach ($spn in $spns) {
                 # Process key credentials
                 foreach ($key in $spn.KeyCredentials) {
@@ -96,7 +96,7 @@
                 $spnResults | ConvertTo-Json | Out-File -FilePath (Join-Path -Path $tenantPath -ChildPath "SPNCertsAndSecrets.json")
             }
 
-            Out-LogFile "Exporting Registered Applications Certificate and Password details"
+            Out-LogFile "Exporting Registered Applications Certificate and Password details" -Action
             foreach ($app in $apps) {
                 # Process key credentials
                 foreach ($key in $app.KeyCredentials) {
@@ -139,12 +139,12 @@
             }
         }
         catch {
-            Out-LogFile "Error processing credentials: $($_.Exception.Message)" -Notice
+            Out-LogFile "Error processing credentials: $($_.Exception.Message)" -isError
             Write-Error -ErrorRecord $_ -ErrorAction Continue
         }
     }
 
     END {
-        Out-Logfile "Completed exporting Azure AD Service Principal and App Registration Certificate and Password Details"
+        Out-Logfile "Completed exporting Azure AD Service Principal and App Registration Certificate and Password Details" -Information
     }
 }

Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1

@@ -26,7 +26,7 @@ BEGIN{
     if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
         Initialize-HawkGlobalObject
     }
-    Out-LogFile "Gathering Azure AD Audit Logs events"
+    Out-LogFile "Gathering Azure AD Audit Logs events" -Action
 }
 PROCESS{
         $auditLogsResponse = Get-MgAuditLogDirectoryAudit -All
@@ -47,6 +47,6 @@ PROCESS{
     }
     END{
         $auditLogs | Sort-Object -Property ActivityDateTime | Out-MultipleFileType -FilePrefix "AzureADAuditLog" -csv -json
-        Out-Logfile "Completed exporting Azure AD audit logs"
+        Out-Logfile "Completed exporting Azure AD audit logs" -Information
     }
 }

Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1

@@ -38,7 +38,7 @@
 
     # Make sure the start date isn't more than 90 days in the past
     if ((Get-Date).adddays(-91) -gt $StartDate) {
-        Out-Logfile "[ERROR] - Start date is over 90 days in the past"
+        Out-Logfile "Start date is over 90 days in the past" -isError
         break
     }
 
@@ -64,7 +64,7 @@
 
         # See if we have results if so push to csv file
         if ($null -eq $output) {
-            Out-LogFile ("No results found for time period " + $CurrentStart + " - " + $CurrentEnd)
+            Out-LogFile ("No results found for time period " + $CurrentStart + " - " + $CurrentEnd) -Information
         }
         else {
             $output | Out-MultipleFileType -FilePrefix "Audit_Log_Full_$prefix" -Append -csv -json

Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1

@@ -33,15 +33,15 @@ PROCESS{
 $AzureApplicationActivityEvents = $null
 
 Out-LogFile "Searching Unified Audit Logs Azure Activities" -Action
-Out-LogFile "Searching for Application Activities"
+Out-LogFile "Searching for Application Activities" -Action
 
 # Search the unified audit log for events related to application activity
 # https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants
 $AzureApplicationActivityEvents = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'AzureActiveDirectory' -Operations 'Add OAuth2PermissionGrant.','Consent to application.' ")
 
 # If null we found no changes to nothing to do here
 if ($null -eq $AzureApplicationActivityEvents){
-	Out-LogFile "No Application related events found in the search time frame."
+	Out-LogFile "No Application related events found in the search time frame." -Information
 }
 
 # If not null then we must have found some events so flag them

Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1

@@ -64,18 +64,18 @@
     #Check Audit Log Config Setting and make sure it is enabled
     Out-LogFile "Gathering Tenant Configuration Information" -action
 
-    Out-LogFile "Admin Audit Log"
+    Out-LogFile "Gathering Admin Audit Log" -action
     Get-AdminAuditLogConfig | Out-MultipleFileType -FilePrefix "AdminAuditLogConfig" -txt -xml
 
-    Out-LogFile "Organization Configuration"
+    Out-LogFile "Gathering Organization Configuration" -action
     Get-OrganizationConfig| Out-MultipleFileType -FilePrefix "OrgConfig" -xml -txt
 
-    Out-LogFile "Remote Domains"
+    Out-LogFile "Gathering Remote Domains" -action
     Get-RemoteDomain | Out-MultipleFileType -FilePrefix "RemoteDomain" -xml -csv -json
 
-    Out-LogFile "Transport Rules"
+    Out-LogFile "Gathering Transport Rules" -action
     Get-TransportRule | Out-MultipleFileType -FilePrefix "TransportRules" -xml -csv -json
 
-    Out-LogFile "Transport Configuration"
+    Out-LogFile "Gathering Transport Configuration" -action
     Get-TransportConfig | Out-MultipleFileType -FilePrefix "TransportConfig" -xml -csv -json
 }

Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1

@@ -25,7 +25,7 @@
     [CmdletBinding()]
     param()
 
-    Out-LogFile "Gathering OAuth / Application Grants"
+    Out-LogFile "Gathering OAuth / Application Grants" -Action
 
     Test-GraphConnection
 
@@ -44,12 +44,12 @@
     }
 
     if ($flag) {
-        Out-LogFile 'Review the information at the following link to understand these results' -notice
-        Out-LogFile 'https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants' -notice
+        Out-LogFile 'Review the information at the following link to understand these results' -Information
+        Out-LogFile 'https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants' -Information
     }
     else {
-        Out-LogFile "To review this data follow:"
-        Out-LogFile "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants"
+        Out-LogFile "To review this data follow:" -Information
+        Out-LogFile "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants" -Information
     }
 
     $Grants | Out-MultipleFileType -FilePrefix "Consent_Grants" -csv -json

Hawk/functions/Tenant/Get-HawkTenantDomainActivity.ps1

@@ -36,7 +36,7 @@ Function Get-HawkTenantDomainActivity {
 		$DomainConfigurationEvents = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'AzureActiveDirectory' -Operations 'Set-AcceptedDomain','Add-FederatedDomain','Update Domain','Add verified domain', 'Add unverified domain', 'remove unverified domain'")
 		# If null we found no changes to nothing to do here
 			if ($null -eq $DomainConfigurationEvents){
-			Out-LogFile "No Domain configuration changes found."
+			Out-LogFile "No Domain configuration changes found." -Information
 		}
 		# If not null then we must have found some events so flag them
 		else{
@@ -79,6 +79,6 @@ Function Get-HawkTenantDomainActivity {
 		}
 	}
 END{
-	Out-LogFile "Completed gathering Domain configuration changes"
+	Out-LogFile "Completed gathering Domain configuration changes" -Information
 }
 }#End Function Get-HawkTenantDomainActivity