Visit hawkforensics.io for comprehensive documentation including:
- Detailed installation and permissions guides
- Step-by-step tutorials and "How to" videos
- Troubleshooting help
- Best practices and usage examples
Hawk is a free, open-source PowerShell module that streamlines the collection of forensic data from Microsoft cloud environments. Designed primarily for security professionals, incident responders, and administrators, Hawk automates the gathering of critical log data across Microsoft services, with a focus on Microsoft 365 (M365) and Microsoft Entra ID.
- Data Collection: Efficiently gather forensic data with automated collection processes
- Security Analysis: Examine security configurations, audit logs, and user activities
- Export & Report: Generate both CSV reports and JSON data for SIEM integration
While Hawk includes basic analysis capabilities to flag potential items of interest (such as suspicious mail forwarding rules, over-privileged applications, or risky user activities), it is fundamentally a data collection tool rather than an automated threat detection system.
Hawk streamlines data collection compared with manually running individual queries through web interfaces, freeing analysts and administrators for other tasks. The tool's goal is to get you the data needed to reach a conclusion quickly, not to reach the conclusion for you.
- Windows operating system with administrator access
- PowerShell 5.0 or above (PowerShell Core will be supported in future)
- Network connectivity to:
  - PowerShell Gallery
  - Graph API
  - Microsoft 365 services
Install-Module -Name Hawk
Hawk offers two main investigation approaches:
- Examines broader Microsoft Cloud tenant settings, audit logs, and security configurations
- Provides an excellent starting point for identifying suspicious patterns
- Use Start-HawkTenantInvestigation to begin a tenant-wide investigation
- Performs deep-dive analysis into individual user accounts
- Examines mailbox configurations, inbox rules, and login histories
- Use Start-HawkUserInvestigation -UserPrincipalName <[email protected]> to investigate specific users
Hawk organizes investigation results into a structured directory hierarchy:
📂 [Investigation Root]
├── 📂 Tenant/
│ ├── AdminAuditLogConfig.csv
│ ├── OrgConfig.csv
│ ├── _Investigate_*.csv
│ └── [other tenant files]
├── 📂 [[email protected]]/
│ ├── Mailbox_Info.csv
│ ├── InboxRules.csv
│ ├── _Investigate_*.csv
│ └── [other user files]
└── 📂 [[email protected]]/
└── [similar structure]
Files prefixed with _Investigate_ contain potentially suspicious findings that warrant further review.
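The following script is an added example and is not part of the Hawk project or its documentation. It ties together the requirements, installation and investigation steps above and then triages the _Investigate_*.csv files in the output hierarchy just described. It assumes that the output root path, the list of users and the summary file name are placeholders you replace, and that when Hawk prompts for its output folder you answer with the same root path the script later scans; the Hawk cmdlets are used only with the parameters shown on this page.

```powershell
# Added example (not Hawk project code): run the two investigation types and
# triage the _Investigate_* findings Hawk writes.
# Assumptions (placeholders, not from the Hawk docs): the output root path,
# the users of interest, and the summary file name.

# Prerequisites from the requirements list: elevated session, PowerShell 5+.
#Requires -Version 5.0
#Requires -RunAsAdministrator

$InvestigationRoot = 'C:\HawkInvestigation'            # placeholder: folder given to Hawk when it prompts
$UsersOfInterest   = @('user1@example.com', 'user2@example.com')   # placeholder UPNs
$SummaryPath       = Join-Path $InvestigationRoot 'Investigate_Summary.json'   # placeholder

# Install from the PowerShell Gallery only if the module is not already present.
if (-not (Get-Module -ListAvailable -Name Hawk)) {
    Install-Module -Name Hawk
}
Import-Module Hawk

# Tenant-wide investigation first (broad patterns), then per-user deep dives.
Start-HawkTenantInvestigation
foreach ($upn in $UsersOfInterest) {
    Start-HawkUserInvestigation -UserPrincipalName $upn
}

# Triage: Hawk writes a Tenant/ folder plus one folder per investigated user,
# so the parent folder name tells us which scope a finding belongs to.
$findings = Get-ChildItem -Path $InvestigationRoot -Recurse -Filter '_Investigate_*.csv' |
    ForEach-Object {
        $rows = @(Import-Csv -Path $_.FullName)
        [pscustomobject]@{
            Scope    = $_.Directory.Name                         # 'Tenant' or the user's UPN
            Check    = $_.BaseName -replace '^_Investigate_', ''  # which check flagged it
            RowCount = $rows.Count                               # how many items were flagged
            File     = $_.FullName
        }
    } |
    Where-Object { $_.RowCount -gt 0 } |   # an empty file means that check flagged nothing
    Sort-Object Scope, Check

# Console view for the analyst ...
$findings | Format-Table Scope, Check, RowCount -AutoSize

# ... and a JSON copy of the same summary for a SIEM or ticketing system.
$findings | ConvertTo-Json -Depth 3 | Set-Content -Path $SummaryPath -Encoding UTF8
```

The summary deliberately reports only file names and row counts: it tells the responder where to look first without moving the underlying mailbox, rule or sign-in data out of the investigation folder. The full CSV and JSON output Hawk produces remains the evidence; this table is just the triage index over it.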
Everyone is welcome to contribute to Hawk. The goal is to maintain a community-led tool that provides security professionals with the resources they need.
- Join the Development Team: Contact us at [email protected]
- Submit Feature Requests: Use our feature request template
- Report Issues: Use our bug report template
For critical issues or inquiries, email [email protected].
Hawk, the open-source PowerShell module, collects limited usage data to help improve the module by identifying the most frequently used features. This data assists in prioritizing updates, enhancements, and new functionality.
✅ Collected Data:
- Function names that are run within Hawk.
- Region of use
❌ Not Collected:
- No user-identifiable data.
- No script inputs, outputs, or arguments.
- No personal, confidential, or sensitive data.
- No data is shared or sold.
The telemetry helps us understand which functions are used most frequently so we can:
- Prioritize updates and improvements.
- Optimize performance for widely used features.
- Make data-driven decisions about future development.
The collected data is strictly used for internal development purposes to enhance the Hawk module. It is never shared, sold, or used for any form of tracking beyond feature usage.