fix: Add ShouldProcess support to Start-HawkTenantInvestigation

- Added CmdletBinding attribute with SupportsShouldProcess - Wrapped operations in ShouldProcess checks with descriptive messages - Added WhatIf example to help documentation - Fixed typos and inconsistent function names in comments - Fixed parameter placement in EDiscoveryLogs call - Addresses PSScriptAnalyzer warning about state-changing verbs Required for PowerShell standard practices when using Start verb.
T0pCyber · Nov 29, 2024 · e12627c · e12627c
1 parent 648aaff
commit e12627c
Show file tree

Hide file tree

Showing 10 changed files with 191 additions and 115 deletions.
diff --git a/Hawk/Hawk.psd1 b/Hawk/Hawk.psd1
@@ -80,7 +80,7 @@
 	'Get-HawkTenantAppAndSPNCredentialDetails',
 	'Get-HawkTenantAzureADUsers',
 	'Get-HawkTenantDomainActivity',
-	'Get-HawkTenantEDiscoveryLogs'
+	'Get-HawkTenantEDiscoveryLog'
 
 	# Cmdlets to export from this module
 	# CmdletsToExport = ''

diff --git a/Hawk/changelog.md b/Hawk/changelog.md
@@ -1,26 +1,32 @@
 # Changelog
 
 ## 2.0.0 (2021-01-05)
+
 - Initial Transmigrated Release with new owner
+
 ## 2.0.1 (2021-02-07)
+
 - Incorporated workflow and pester tests
 - Readme file updated with https://cloudforensicator.com link
 - Updated Azure AD SKU options that identity "Premium Licensing"
 - Issue #25 - Unified Audit Log AuditData JSON parsing added to "Exchange_UAL_Audit.csv"
 
 ## 2.0.2 (2021-05-05)
+
 - Fixed Hidden Mailbox Rule EWS Credential
 - Updated Robust Cloud Command version to 2.0.1
 - Updated Get-HawkTenantInboxRules.ps1 to new switch in update Robust Cloud Command
 - Deprecate "Get-HawkTenantAzureAuthenticationLogs" from Hawk. Azure AD Graph was deprecated and no longer supported. Currently
-seeking alternate solution to retrieve Azure AD Sign-in logs.
+  seeking alternate solution to retrieve Azure AD Sign-in logs.
 - Removed dependency of Cloud Connect
 - Added dependency of Exchange Online Management V2 PowerShell module and updated functions to reflect
 
 ## 2.0.3.1 (2021-05-05)
+
 - Fixed MSOnline Requirement to manifest
 
 ## 3.0.0 (2022-04-09)
+
 - Updated community pull requests
 - Encoding to UTF8 - Enhancement - TakayukiTomatsuri
 - Updated $RangeEnd to datetime - Bug - cfc-zcarter
@@ -29,10 +35,11 @@ seeking alternate solution to retrieve Azure AD Sign-in logs.
 - Updated Get-HawkTenantEXOAdmins to accurately list admins that is a group
 
 ## 3.1.0 (2023-03-30)
+
 - Updated community pull requests fixing typo
 - Updated Get-HawkTenantAuditLog.ps1 to Get-HawkTenantAppAuditLog.ps1
 - Added "Get-HawkTenantDomainActivity" function - This function will pull domain config changes from the UAL
-- Added "Get-HawkTenantEDiscoveryLogs" function - This function will pull EDiscovery logs from the UAL
+- Added "Get-HawkTenantEDiscoveryLog" function - This function will pull EDiscovery logs from the UAL
 - Added Export of JSON to "Out-Multifileype" function. This will export returned results to JSON file for further ingestion into a SIEM or other data analysis platform
 - Remove MSOnline requirements
 - Added MS Graph requirements to replace MSOnline
@@ -46,4 +53,4 @@ seeking alternate solution to retrieve Azure AD Sign-in logs.
 - Removed Test-MSOnlineConnection.ps1 - MSOnline requirements have been removed from Hawk
 - Added logging filepath checking the Start-HawkUserInvestigation.ps1
 - Updated Get-HawkTenantAZAdmins.ps1. Removed AzureAD module. Added MS Graph cmdlets.
-- Updated contact email
+- Updated contact email
diff --git a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1
@@ -0,0 +1,76 @@
+Function Get-HawkTenantEDiscoveryLog {
+    <#
+    .SYNOPSIS
+        Gets Unified Audit Logs (UAL) data for eDiscovery
+    .DESCRIPTION
+        Searches the Unified Audit Log (UAL) for eDiscovery events and activities. 
+        This includes searches, exports, and management activities related to 
+        eDiscovery cases. The function checks for any eDiscovery activities within 
+        the timeframe specified in the Hawk global configuration object.
+        
+        The results can help identify:
+        * When eDiscovery searches were performed
+        * Who performed eDiscovery activities
+        * Which cases were accessed or modified
+        * What operations were performed
+
+    .EXAMPLE
+        Get-HawkTenantEDiscoveryLog
+
+        This will search for all eDiscovery-related activities in the Unified Audit Log
+        for the configured time period and export the results to CSV format.
+
+    .EXAMPLE
+        $logs = Get-HawkTenantEDiscoveryLog
+        $logs | Where-Object {$_.Operation -eq "SearchCreated"}
+
+        This example shows how to retrieve eDiscovery logs and filter for specific
+        operations like new search creation.
+
+    .OUTPUTS
+        File: eDiscoveryLogs.csv
+        Path: \Tenant
+        Description: Contains all eDiscovery activities found in the UAL with fields for:
+        - CreationTime: When the activity occurred
+        - Id: Unique identifier for the activity
+        - Operation: Type of eDiscovery action performed
+        - Workload: The workload where the activity occurred
+        - UserID: User who performed the action
+        - Case: eDiscovery case name
+        - CaseId: Unique identifier for the eDiscovery case
+        - Cmdlet: Command that was executed (if applicable)
+    #>
+    # Search UAL audit logs for any Domain configuration changes
+    Test-EXOConnection
+    Send-AIEvent -Event "CmdRun"
+
+    Out-LogFile "Gathering any eDiscovery logs" -action
+
+    # Search UAL audit logs for any Domain configuration changes
+    $eDiscoveryLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'Discovery'")
+    # If null we found no changes to nothing to do here
+    if ($null -eq $eDiscoveryLogs) {
+        Out-LogFile "No eDiscovery Logs found"
+    }
+
+    # If not null then we must have found some events so flag them
+    else {
+        Out-LogFile "eDiscovery Log have been found." -Notice
+        Out-LogFile "Please review these eDiscoveryLogs.csv to validate the activity is legitimate." -Notice
+        # Go thru each even and prepare it to output to CSV
+        Foreach ($log in $eDiscoveryLogs) {
+            $log1 = $log.auditdata | ConvertFrom-Json
+            $report = $log1  | Select-Object -Property CreationTime,
+            Id,
+            Operation,
+            Workload,
+            UserID,
+            Case,
+            @{Name = 'CaseID'; Expression = { ($_.ExtendedProperties | Where-Object { $_.Name -eq 'CaseId' }).value } },
+            @{Name = 'Cmdlet'; Expression = { ($_.Parameters | Where-Object { $_.Name -eq 'Cmdlet' }).value } }
+
+            $report | Out-MultipleFileType -fileprefix "eDiscoveryLogs" -csv -append
+        }
+
+    }
+}
diff --git a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLogs.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLogs.ps1
diff --git a/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1 b/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
@@ -1,5 +1,5 @@
-Function Search-HawkTenantEXOAuditLog {
-<#
+Function Search-HawkTenantEXOAuditLog {
+    <#
 .SYNOPSIS
     Searches the admin audit logs for possible bad actor activities
 .DESCRIPTION

diff --git a/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 b/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1
@@ -1,64 +1,97 @@
 Function Start-HawkTenantInvestigation {
-<#
-.SYNOPSIS
-	Gathers common data about a tenant.
-.DESCRIPTION
-	Runs all Hawk Basic tenant related cmdlets and gathers the data.
-
-	Cmdlet									Information Gathered
-	-------------------------				-------------------------
-	Get-HawkTenantConfigurationn			Basic Tenant information
-	Get-HawkTenantEDiscoveryConfiguration	Looks for changes to ediscovery configuration
-	Search-HawkTenantEXOAuditLog			Searches the EXO audit log for activity
-	Get-HawkTenantRBACChanges				Looks for changes to Roles Based Access Control
-.OUTPUTS
-	See help from individual cmdlets for output list.
-	All outputs are placed in the $Hawk.FilePath directory
-.EXAMPLE
-	Start-HawkTenantInvestigation
-
-R	uns all of the tenant investigation cmdlets.
-#>
+	[CmdletBinding(SupportsShouldProcess)]
+	param()
+
+	<#
+    .SYNOPSIS
+        Gathers common data about a tenant.
+    .DESCRIPTION
+        Runs all Hawk Basic tenant related cmdlets and gathers the data.
+
+        Cmdlet                                  Information Gathered
+        -------------------------               -------------------------
+        Get-HawkTenantConfigurationn           Basic Tenant information
+        Get-HawkTenantEDiscoveryConfiguration  Looks for changes to ediscovery configuration
+        Search-HawkTenantEXOAuditLog          Searches the EXO audit log for activity
+        Get-HawkTenantRBACChanges             Looks for changes to Roles Based Access Control
+    .OUTPUTS
+        See help from individual cmdlets for output list.
+        All outputs are placed in the $Hawk.FilePath directory
+    .EXAMPLE
+        Start-HawkTenantInvestigation
+
+        Runs all of the tenant investigation cmdlets.
+    .EXAMPLE
+        Start-HawkTenantInvestigation -WhatIf
+
+        Shows what actions would be performed without actually executing them.
+    #>
+
 	if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
 		Initialize-HawkGlobalObject
 	}
 
 	Out-LogFile "Starting Tenant Sweep" -action
 	Send-AIEvent -Event "CmdRun"
 
-	Out-LogFile "Running Get-HawkTenantConfiguration" -action
-	Get-HawkTenantConfiguration
+	# Wrap operations in ShouldProcess checks
+	if ($PSCmdlet.ShouldProcess("Tenant Configuration", "Get configuration data")) {
+		Out-LogFile "Running Get-HawkTenantConfiguration" -action
+		Get-HawkTenantConfiguration
+	}
 
-	Out-LogFile "Running Get-HawkTenantEDiscoveryConfiguration" -action
-	Get-HawkTenantEDiscoveryConfiguration
+	if ($PSCmdlet.ShouldProcess("EDiscovery Configuration", "Get eDiscovery configuration")) {
+		Out-LogFile "Running Get-HawkTenantEDiscoveryConfiguration" -action
+		Get-HawkTenantEDiscoveryConfiguration
+	}
 
-	Out-LogFile "Running Search-HawkTenantEXOAuditLog" -action
-	Search-HawkTenantEXOAuditLog
+	if ($PSCmdlet.ShouldProcess("Exchange Audit Log", "Search audit logs")) {
+		Out-LogFile "Running Search-HawkTenantEXOAuditLog" -action
+		Search-HawkTenantEXOAuditLog
+	}
 
-	Out-LogFile "Running Get-HawkTenantEDiscoveryLogs"
-	Get-HawkTenantEDiscoveryLogs -action
+	if ($PSCmdlet.ShouldProcess("EDiscovery Logs", "Get eDiscovery logs")) {
+		Out-LogFile "Running Get-HawkTenantEDiscoveryLogs" -action
+		Get-HawkTenantEDiscoveryLogs
+	}
 
-	Out-LogFile "Running Get-HawkTenantDomainActivity" -action
-	Get-HawkTenantDomainActivity
+	if ($PSCmdlet.ShouldProcess("Domain Activity", "Get domain activity")) {
+		Out-LogFile "Running Get-HawkTenantDomainActivity" -action
+		Get-HawkTenantDomainActivity
+	}
 
-	Out-LogFile "Running Get-HawkTenantRBACChanges" -action
-	Get-HawkTenantRBACChanges
+	if ($PSCmdlet.ShouldProcess("RBAC Changes", "Get RBAC changes")) {
+		Out-LogFile "Running Get-HawkTenantRBACChanges" -action
+		Get-HawkTenantRBACChanges
+	}
 
-	Out-LogFile "Running Get-HawkTenantAzureAppAuditLog" -action
-	Get-HawkTenantAzureAppAuditLog
+	if ($PSCmdlet.ShouldProcess("Azure App Audit Log", "Get app audit logs")) {
+		Out-LogFile "Running Get-HawkTenantAzureAppAuditLog" -action
+		Get-HawkTenantAzureAppAuditLog
+	}
 
-	Out-LogFile "Running Get-HawkTenantEXOAdmins" -action
-	Get-HawkTenantEXOAdmins
+	if ($PSCmdlet.ShouldProcess("Exchange Admins", "Get Exchange admin list")) {
+		Out-LogFile "Running Get-HawkTenantEXOAdmins" -action
+		Get-HawkTenantEXOAdmins
+	}
 
-	Out-LogFile "Running Get-HawkTenantConsentGrants" -action
-	Get-HawkTenantConsentGrants
+	if ($PSCmdlet.ShouldProcess("Consent Grants", "Get consent grants")) {
+		Out-LogFile "Running Get-HawkTenantConsentGrants" -action
+		Get-HawkTenantConsentGrants
+	}
 
-	Out-LogFile "Running Get-HawkTenantAZAdmins" -action
-	Get-HawkTenantAZAdmins
+	if ($PSCmdlet.ShouldProcess("Azure Admins", "Get Azure admin list")) {
+		Out-LogFile "Running Get-HawkTenantAZAdmins" -action
+		Get-HawkTenantAZAdmins
+	}
 
-	Out-LogFile "Running Get-HawkTenantAppAndSPNCredentialDetails" -action
-	Get-HawkTenantAppAndSPNCredentialDetails
+	if ($PSCmdlet.ShouldProcess("App and SPN Credentials", "Get credential details")) {
+		Out-LogFile "Running Get-HawkTenantAppAndSPNCredentialDetails" -action
+		Get-HawkTenantAppAndSPNCredentialDetails
+	}
 
-	Out-Logfile "Running Get-HawkTenantAzureADUsers" -action
-	Get-HawkTenantAzureADUsers
+	if ($PSCmdlet.ShouldProcess("Azure AD Users", "Get Azure AD user list")) {
+		Out-LogFile "Running Get-HawkTenantAzureADUsers" -action
+		Get-HawkTenantAzureADUsers
+	}
 }
diff --git a/Hawk/functions/User/Get-HawkUserConfiguration.ps1 b/Hawk/functions/User/Get-HawkUserConfiguration.ps1
@@ -1,5 +1,5 @@
-Function Get-HawkUserConfiguration {
-<#
+Function Get-HawkUserConfiguration {
+	<#
 .SYNOPSIS
 	Gathers baseline information about the provided user.
 .DESCRIPTION
@@ -38,38 +38,38 @@ Function Get-HawkUserConfiguration {
 	Gathers the user configuration for all users who have "C-Level" set in CustomAttribute1
 #>
 
-    param
-    (
-        [Parameter(Mandatory = $true)]
-        [array]$UserPrincipalName
-    )
+	param
+	(
+		[Parameter(Mandatory = $true)]
+		[array]$UserPrincipalName
+	)
 
-    Test-EXOConnection
-    Send-AIEvent -Event "CmdRun"
+	Test-EXOConnection
+	Send-AIEvent -Event "CmdRun"
 
-    # Verify our UPN input
-    [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName
+	# Verify our UPN input
+	[array]$UserArray = Test-UserObject -ToTest $UserPrincipalName
 
-    foreach ($Object in $UserArray) {
-        [string]$User = $Object.UserPrincipalName
+	foreach ($Object in $UserArray) {
+		[string]$User = $Object.UserPrincipalName
 
-        Out-LogFile ("Gathering information about " + $User) -action
+		Out-LogFile ("Gathering information about " + $User) -action
 
-        #Gather mailbox information
-        Out-LogFile "Gathering Mailbox Information"
-		$mbx = Get-EXOMailbox -Identity $user 
+		#Gather mailbox information
+		Out-LogFile "Gathering Mailbox Information"
+		$mbx = Get-EXOMailbox -Identity $user
 
 		# Test to see if we have an archive and include that info as well
-		if (!($null -eq $mbx.archivedatabase)){
+		if (!($null -eq $mbx.archivedatabase)) {
 			Get-EXOMailboxStatistics -identity $user -Archive | Out-MultipleFileType -FilePrefix "Mailbox_Archive_Statistics" -user $user -txt
 		}
 
 		$mbx | Out-MultipleFileType -FilePrefix "Mailbox_Info" -User $User -txt
 		Get-EXOMailboxStatistics -Identity $user | Out-MultipleFileType -FilePrefix "Mailbox_Statistics" -User $User -txt
 		Get-EXOMailboxFolderStatistics -identity $user | Out-MultipleFileType -FilePrefix "Mailbox_Folder_Statistics" -User $User -txt
 
-        # Gather cas mailbox sessions
-        Out-LogFile "Gathering CAS Mailbox Information"
+		# Gather cas mailbox sessions
+		Out-LogFile "Gathering CAS Mailbox Information"
 		Get-EXOCasMailbox -identity $user | Out-MultipleFileType -FilePrefix "CAS_Mailbox_Info" -User $User -txt
 	}
 }