Merge pull request #158 from T0pCyber/bugfix/157-bug-multiple-failed-…

…tests-after-fixing-workflow Bugfix/157 bug multiple failed tests after fixing workflow
T0pCyber · Dec 1, 2024 · 51cc62a · 51cc62a
2 parents f97dea8 + 3ffe946
commit 51cc62a
Show file tree

Hide file tree

Showing 14 changed files with 254 additions and 183 deletions.
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -7,6 +7,8 @@ on:
     branches:
       - master
       - Development
+      - bugfix/157-bug-multiple-failed-tests-after-fixing-workflow
+
 jobs:
   validate:
     runs-on: windows-2019
@@ -16,6 +18,6 @@ jobs:
       - name: Install Prerequisites
         run: .\build\vsts-prerequisites.ps1
         shell: powershell
-    #   - name: Validate
-    #     run: .\build\vsts-validate.ps1
-    #     shell: powershell
+      - name: Validate
+        run: .\build\vsts-validate.ps1
+        shell: powershell
diff --git a/Hawk/Hawk.psd1 b/Hawk/Hawk.psd1
@@ -52,13 +52,12 @@
 	'Get-HawkTenantInboxRules',
 	'Get-HawkTenantConsentGrants',
 	'Get-HawkTenantRBACChanges',
-	'Get-HawkTenantAzureAuditLog',
+	'Get-HawkTenantAzureAppAuditLog',
 	'Get-HawkUserAuthHistory',
 	'Get-HawkUserConfiguration',
 	'Get-HawkUserEmailForwarding',
 	'Get-HawkUserInboxRule',
 	'Get-HawkUserMailboxAuditing',
-	'Initialize-HawkGlobalObject',
 	'Search-HawkTenantActivityByIP',
 	'Search-HawkTenantEXOAuditLog',
 	'Show-HawkHelp',
@@ -80,7 +79,7 @@
 	'Get-HawkTenantAppAndSPNCredentialDetails',
 	'Get-HawkTenantAzureADUsers',
 	'Get-HawkTenantDomainActivity',
-	'Get-HawkTenantEDiscoveryLogs'
+	'Get-HawkTenantEDiscoveryLog'
 
 	# Cmdlets to export from this module
 	# CmdletsToExport = ''

diff --git a/Hawk/changelog.md b/Hawk/changelog.md
@@ -1,26 +1,32 @@
 # Changelog
 
 ## 2.0.0 (2021-01-05)
+
 - Initial Transmigrated Release with new owner
+
 ## 2.0.1 (2021-02-07)
+
 - Incorporated workflow and pester tests
 - Readme file updated with https://cloudforensicator.com link
 - Updated Azure AD SKU options that identity "Premium Licensing"
 - Issue #25 - Unified Audit Log AuditData JSON parsing added to "Exchange_UAL_Audit.csv"
 
 ## 2.0.2 (2021-05-05)
+
 - Fixed Hidden Mailbox Rule EWS Credential
 - Updated Robust Cloud Command version to 2.0.1
 - Updated Get-HawkTenantInboxRules.ps1 to new switch in update Robust Cloud Command
 - Deprecate "Get-HawkTenantAzureAuthenticationLogs" from Hawk. Azure AD Graph was deprecated and no longer supported. Currently
-seeking alternate solution to retrieve Azure AD Sign-in logs.
+  seeking alternate solution to retrieve Azure AD Sign-in logs.
 - Removed dependency of Cloud Connect
 - Added dependency of Exchange Online Management V2 PowerShell module and updated functions to reflect
 
 ## 2.0.3.1 (2021-05-05)
+
 - Fixed MSOnline Requirement to manifest
 
 ## 3.0.0 (2022-04-09)
+
 - Updated community pull requests
 - Encoding to UTF8 - Enhancement - TakayukiTomatsuri
 - Updated $RangeEnd to datetime - Bug - cfc-zcarter
@@ -29,10 +35,11 @@ seeking alternate solution to retrieve Azure AD Sign-in logs.
 - Updated Get-HawkTenantEXOAdmins to accurately list admins that is a group
 
 ## 3.1.0 (2023-03-30)
+
 - Updated community pull requests fixing typo
 - Updated Get-HawkTenantAuditLog.ps1 to Get-HawkTenantAppAuditLog.ps1
 - Added "Get-HawkTenantDomainActivity" function - This function will pull domain config changes from the UAL
-- Added "Get-HawkTenantEDiscoveryLogs" function - This function will pull EDiscovery logs from the UAL
+- Added "Get-HawkTenantEDiscoveryLog" function - This function will pull EDiscovery logs from the UAL
 - Added Export of JSON to "Out-Multifileype" function. This will export returned results to JSON file for further ingestion into a SIEM or other data analysis platform
 - Remove MSOnline requirements
 - Added MS Graph requirements to replace MSOnline
@@ -46,4 +53,4 @@ seeking alternate solution to retrieve Azure AD Sign-in logs.
 - Removed Test-MSOnlineConnection.ps1 - MSOnline requirements have been removed from Hawk
 - Added logging filepath checking the Start-HawkUserInvestigation.ps1
 - Updated Get-HawkTenantAZAdmins.ps1. Removed AzureAD module. Added MS Graph cmdlets.
-- Updated contact email
+- Updated contact email
diff --git a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1
@@ -0,0 +1,76 @@
+Function Get-HawkTenantEDiscoveryLog {
+    <#
+    .SYNOPSIS
+        Gets Unified Audit Logs (UAL) data for eDiscovery
+    .DESCRIPTION
+        Searches the Unified Audit Log (UAL) for eDiscovery events and activities.
+        This includes searches, exports, and management activities related to
+        eDiscovery cases. The function checks for any eDiscovery activities within
+        the timeframe specified in the Hawk global configuration object.
+        
+        The results can help identify:
+        * When eDiscovery searches were performed
+        * Who performed eDiscovery activities
+        * Which cases were accessed or modified
+        * What operations were performed
+
+    .EXAMPLE
+        Get-HawkTenantEDiscoveryLog
+
+        This will search for all eDiscovery-related activities in the Unified Audit Log
+        for the configured time period and export the results to CSV format.
+
+    .EXAMPLE
+        $logs = Get-HawkTenantEDiscoveryLog
+        $logs | Where-Object {$_.Operation -eq "SearchCreated"}
+
+        This example shows how to retrieve eDiscovery logs and filter for specific
+        operations like new search creation.
+
+    .OUTPUTS
+        File: eDiscoveryLogs.csv
+        Path: \Tenant
+        Description: Contains all eDiscovery activities found in the UAL with fields for:
+        - CreationTime: When the activity occurred
+        - Id: Unique identifier for the activity
+        - Operation: Type of eDiscovery action performed
+        - Workload: The workload where the activity occurred
+        - UserID: User who performed the action
+        - Case: eDiscovery case name
+        - CaseId: Unique identifier for the eDiscovery case
+        - Cmdlet: Command that was executed (if applicable)
+    #>
+    # Search UAL audit logs for any Domain configuration changes
+    Test-EXOConnection
+    Send-AIEvent -Event "CmdRun"
+
+    Out-LogFile "Gathering any eDiscovery logs" -action
+
+    # Search UAL audit logs for any Domain configuration changes
+    $eDiscoveryLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'Discovery'")
+    # If null we found no changes to nothing to do here
+    if ($null -eq $eDiscoveryLogs) {
+        Out-LogFile "No eDiscovery Logs found"
+    }
+
+    # If not null then we must have found some events so flag them
+    else {
+        Out-LogFile "eDiscovery Log have been found." -Notice
+        Out-LogFile "Please review these eDiscoveryLogs.csv to validate the activity is legitimate." -Notice
+        # Go thru each even and prepare it to output to CSV
+        Foreach ($log in $eDiscoveryLogs) {
+            $log1 = $log.auditdata | ConvertFrom-Json
+            $report = $log1  | Select-Object -Property CreationTime,
+            Id,
+            Operation,
+            Workload,
+            UserID,
+            Case,
+            @{Name = 'CaseID'; Expression = { ($_.ExtendedProperties | Where-Object { $_.Name -eq 'CaseId' }).value } },
+            @{Name = 'Cmdlet'; Expression = { ($_.Parameters | Where-Object { $_.Name -eq 'Cmdlet' }).value } }
+
+            $report | Out-MultipleFileType -fileprefix "eDiscoveryLogs" -csv -append
+        }
+
+    }
+}
diff --git a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLogs.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLogs.ps1
diff --git a/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1 b/Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1
@@ -1,5 +1,5 @@
-Function Search-HawkTenantEXOAuditLog {
-<#
+Function Search-HawkTenantEXOAuditLog {
+    <#
 .SYNOPSIS
     Searches the admin audit logs for possible bad actor activities
 .DESCRIPTION

diff --git a/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 b/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1
@@ -1,64 +1,103 @@
 Function Start-HawkTenantInvestigation {
-<#
+	<#
 .SYNOPSIS
-	Gathers common data about a tenant.
+    Gathers common data about a tenant.
 .DESCRIPTION
-	Runs all Hawk Basic tenant related cmdlets and gathers the data.
-
-	Cmdlet									Information Gathered
-	-------------------------				-------------------------
-	Get-HawkTenantConfigurationn			Basic Tenant information
-	Get-HawkTenantEDiscoveryConfiguration	Looks for changes to ediscovery configuration
-	Search-HawkTenantEXOAuditLog			Searches the EXO audit log for activity
-	Get-HawkTenantRBACChanges				Looks for changes to Roles Based Access Control
-.OUTPUTS
-	See help from individual cmdlets for output list.
-	All outputs are placed in the $Hawk.FilePath directory
+    Runs all Hawk Basic tenant related cmdlets and gathers data about the tenant's configuration,
+    security settings, and audit logs. This comprehensive investigation helps identify potential
+    security issues and configuration changes.
+
+.PARAMETER Confirm
+    Prompts for confirmation before running operations that could modify system state.
+
+.PARAMETER WhatIf
+    Shows what would happen if the command runs. The command is not run.
+
+.EXAMPLE
+    PS C:\> Start-HawkTenantInvestigation
+    Runs a complete tenant investigation, gathering all available data.
+
 .EXAMPLE
-	Start-HawkTenantInvestigation
+    PS C:\> Start-HawkTenantInvestigation -WhatIf
+    Shows what data gathering operations would be performed without executing them.
 
-R	uns all of the tenant investigation cmdlets.
+.EXAMPLE
+    PS C:\> Start-HawkTenantInvestigation -Confirm
+    Prompts for confirmation before running each data gathering operation.
+
+.OUTPUTS
+    Various CSV, JSON, and XML files containing investigation results.
+    See help from individual cmdlets for specific output details.
+    All outputs are placed in the $Hawk.FilePath directory.
 #>
+	[CmdletBinding(SupportsShouldProcess)]
+	param()
+
 	if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
 		Initialize-HawkGlobalObject
 	}
 
 	Out-LogFile "Starting Tenant Sweep" -action
 	Send-AIEvent -Event "CmdRun"
 
-	Out-LogFile "Running Get-HawkTenantConfiguration" -action
-	Get-HawkTenantConfiguration
+	# Wrap operations in ShouldProcess checks
+	if ($PSCmdlet.ShouldProcess("Tenant Configuration", "Get configuration data")) {
+		Out-LogFile "Running Get-HawkTenantConfiguration" -action
+		Get-HawkTenantConfiguration
+	}
 
-	Out-LogFile "Running Get-HawkTenantEDiscoveryConfiguration" -action
-	Get-HawkTenantEDiscoveryConfiguration
+	if ($PSCmdlet.ShouldProcess("EDiscovery Configuration", "Get eDiscovery configuration")) {
+		Out-LogFile "Running Get-HawkTenantEDiscoveryConfiguration" -action
+		Get-HawkTenantEDiscoveryConfiguration
+	}
 
-	Out-LogFile "Running Search-HawkTenantEXOAuditLog" -action
-	Search-HawkTenantEXOAuditLog
+	if ($PSCmdlet.ShouldProcess("Exchange Audit Log", "Search audit logs")) {
+		Out-LogFile "Running Search-HawkTenantEXOAuditLog" -action
+		Search-HawkTenantEXOAuditLog
+	}
 
-	Out-LogFile "Running Get-HawkTenantEDiscoveryLogs"
-	Get-HawkTenantEDiscoveryLogs -action
+	if ($PSCmdlet.ShouldProcess("EDiscovery Logs", "Get eDiscovery logs")) {
+		Out-LogFile "Running Get-HawkTenantEDiscoveryLogs" -action
+		Get-HawkTenantEDiscoveryLogs
+	}
 
-	Out-LogFile "Running Get-HawkTenantDomainActivity" -action
-	Get-HawkTenantDomainActivity
+	if ($PSCmdlet.ShouldProcess("Domain Activity", "Get domain activity")) {
+		Out-LogFile "Running Get-HawkTenantDomainActivity" -action
+		Get-HawkTenantDomainActivity
+	}
 
-	Out-LogFile "Running Get-HawkTenantRBACChanges" -action
-	Get-HawkTenantRBACChanges
+	if ($PSCmdlet.ShouldProcess("RBAC Changes", "Get RBAC changes")) {
+		Out-LogFile "Running Get-HawkTenantRBACChanges" -action
+		Get-HawkTenantRBACChanges
+	}
 
-	Out-LogFile "Running Get-HawkTenantAzureAppAuditLog" -action
-	Get-HawkTenantAzureAppAuditLog
+	if ($PSCmdlet.ShouldProcess("Azure App Audit Log", "Get app audit logs")) {
+		Out-LogFile "Running Get-HawkTenantAzureAppAuditLog" -action
+		Get-HawkTenantAzureAppAuditLog
+	}
 
-	Out-LogFile "Running Get-HawkTenantEXOAdmins" -action
-	Get-HawkTenantEXOAdmins
+	if ($PSCmdlet.ShouldProcess("Exchange Admins", "Get Exchange admin list")) {
+		Out-LogFile "Running Get-HawkTenantEXOAdmins" -action
+		Get-HawkTenantEXOAdmins
+	}
 
-	Out-LogFile "Running Get-HawkTenantConsentGrants" -action
-	Get-HawkTenantConsentGrants
+	if ($PSCmdlet.ShouldProcess("Consent Grants", "Get consent grants")) {
+		Out-LogFile "Running Get-HawkTenantConsentGrants" -action
+		Get-HawkTenantConsentGrants
+	}
 
-	Out-LogFile "Running Get-HawkTenantAZAdmins" -action
-	Get-HawkTenantAZAdmins
+	if ($PSCmdlet.ShouldProcess("Azure Admins", "Get Azure admin list")) {
+		Out-LogFile "Running Get-HawkTenantAZAdmins" -action
+		Get-HawkTenantAZAdmins
+	}
 
-	Out-LogFile "Running Get-HawkTenantAppAndSPNCredentialDetails" -action
-	Get-HawkTenantAppAndSPNCredentialDetails
+	if ($PSCmdlet.ShouldProcess("App and SPN Credentials", "Get credential details")) {
+		Out-LogFile "Running Get-HawkTenantAppAndSPNCredentialDetails" -action
+		Get-HawkTenantAppAndSPNCredentialDetails
+	}
 
-	Out-Logfile "Running Get-HawkTenantAzureADUsers" -action
-	Get-HawkTenantAzureADUsers
+	if ($PSCmdlet.ShouldProcess("Azure AD Users", "Get Azure AD user list")) {
+		Out-LogFile "Running Get-HawkTenantAzureADUsers" -action
+		Get-HawkTenantAzureADUsers
+	}
 }