Merge pull request #155 from T0pCyber/navarrodev

Navarrodev

Hawk/Hawk.psd1

@@ -3,7 +3,7 @@
 	RootModule = 'Hawk.psm1'
 
 	# Version number of this module.
-	ModuleVersion = '3.1.0'
+	ModuleVersion = '3.1.1'
 
 	# ID used to uniquely identify this module
 	GUID = '1f6b6b91-79c4-4edf-83a1-66d2dc8c3d85'
@@ -28,11 +28,11 @@
 	# Modules that must be imported into the global environment prior to importing
 	# this module
 	RequiredModules = @(
-		@{ModuleName = 'PSFramework'; ModuleVersion = '1.4.150'},
+		@{ModuleName = 'PSFramework'; ModuleVersion = '1.12.346'},
 		@{ModuleName = 'PSAppInsights'; ModuleVersion = '0.9.6'},
 		@{ModuleName = 'ExchangeOnlineManagement'; ModuleVersion = '3.0.0'},
 		@{ModuleName = 'RobustCloudCommand'; ModuleVersion = '2.0.1'},
-		@{ModuleName = 'AzureAD'; ModuleVersion = '2.0.2.140'},
+		#@{ModuleName = 'AzureAD'; ModuleVersion = '2.0.2.182'},
 		@{ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '1.23.0'},
 		@{ModuleName = 'Microsoft.Graph.Identity.DirectoryManagement'; ModuleVersion = '1.23.0'}
 	)
@@ -67,6 +67,7 @@
 		'Start-HawkUserInvestigation',
 		'Update-HawkModule',
 		'Get-HawkUserAdminAudit',
+		'Get-HawkTenantAuditLog',
 		'Get-HawkTenantAuthHistory',
 		'Get-HawkUserHiddenRule',
 		'Get-HawkMessageHeader',

Hawk/Resolving IP Locations

@@ -0,0 +1 @@
+��

Hawk/changelog.md

@@ -22,18 +22,28 @@ seeking alternate solution to retrieve Azure AD Sign-in logs.
 
 ## 3.0.0 (2022-04-09)
 - Updated community pull requests
-a. Encoding to UTF8 - Enhancement - TakayukiTomatsuri
-b. Updated $RangeEnd to datetime - Bug - cfc-zcarter
-c. Updated Sweep variable - Bug
-d. Added Default Tenant Name to Hawk folder name - Issue#86 - Enhancement - Snickasaurus
-e. Updated Get-HawkTenantEXOAdmins to accurately list admins that is a group
+- Encoding to UTF8 - Enhancement - TakayukiTomatsuri
+- Updated $RangeEnd to datetime - Bug - cfc-zcarter
+- Updated Sweep variable - Bug
+- Added Default Tenant Name to Hawk folder name - Issue#86 - Enhancement - Snickasaurus
+- Updated Get-HawkTenantEXOAdmins to accurately list admins that is a group
 
 ## 3.1.0 (2023-03-30)
-a. Updated community pull requests fixing typo
-b. Updated Get-HawkTenantAuditLog.ps1 to Get-HawkTenantAppAuditLog.ps1
-c. Added "Get-HawkTenantDomainActivity" function - This function will pull domain config changes from the UAL
-d. Added "Get-HawkTenantEDiscoveryLogs" function - This function will pull EDiscovery logs from the UAL
-e. Added Export of JSON to "Out-Multifileype" function. This will export returned results to JSON file for further ingestion into a SIEM or other data analysis platform
-f. Remove MSOnline requirements
-g. Added MS Graph requirements to replace MSOnline
-h. Fixed path for System.Net.IPNetwork.dll
+- Updated community pull requests fixing typo
+- Updated Get-HawkTenantAuditLog.ps1 to Get-HawkTenantAppAuditLog.ps1
+- Added "Get-HawkTenantDomainActivity" function - This function will pull domain config changes from the UAL
+- Added "Get-HawkTenantEDiscoveryLogs" function - This function will pull EDiscovery logs from the UAL
+- Added Export of JSON to "Out-Multifileype" function. This will export returned results to JSON file for further ingestion into a SIEM or other data analysis platform
+- Remove MSOnline requirements
+- Added MS Graph requirements to replace MSOnline
+- Fixed path for System.Net.IPNetwork.dll
+
+## 3.1.1 (2024-10-24)
+
+- Removed Cloud Connect references
+- Removed Zipcode from Get-HawkUserAuthHistory.ps1 - IPStack doesn't retrieve Zipcode
+- Removed Continent Code from Get-IPGeoLocation
+- Removed Test-MSOnlineConnection.ps1 - MSOnline requirements have been removed from Hawk
+- Added logging filepath checking the Start-HawkUserInvestigation.ps1
+- Updated Get-HawkTenantAZAdmins.ps1. Removed AzureAD module. Added MS Graph cmdlets.
+- Updated contact email

Hawk/functions/Tenant/Get-HawkTenantAZAdmins.ps1

@@ -22,21 +22,28 @@ BEGIN{
     Out-LogFile "Gathering Azure AD Administrators"
 
     Test-AzureADConnection
-    Send-AIEvent -Event "CmdRun"
 }
 PROCESS{
-    $roles = foreach ($role in Get-AzureADDirectoryRole){
-        $admins = (Get-AzureADDirectoryRoleMember -ObjectId $role.objectid).userprincipalname
+    $roles = foreach ($role in Get-MgDirectoryRole){
+        $admins = (Get-MGDirectoryRoleMember -DirectoryRoleId $role.id)
             if ([string]::IsNullOrWhiteSpace($admins)) {
                 [PSCustomObject]@{
                     AdminGroupName = $role.DisplayName
                     Members = "No Members"
                 }
             }
         foreach ($admin in $admins){
-            [PSCustomObject]@{
-                AdminGroupName = $role.DisplayName
-                Members = $admin
+            if($admin.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.user"){
+                [PSCustomObject]@{
+                    AdminGroupName = $role.DisplayName
+                    Members = $admin.AdditionalProperties.userPrincipalName
+                }
+            }
+            else{
+                [PSCustomObject]@{
+                    AdminGroupName = $role.DisplayName
+                    Members = $admin.AdditionalProperties.displayName
+                }
             }
         }
     }

Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetails.ps1

@@ -26,9 +26,9 @@ BEGIN{
     Test-AzureADConnection
 
     Out-LogFile "Collecting Azure AD Service Principals"
-    $spns = get-azureadserviceprincipal -all $true | Sort-Object -Property DisplayName
+    $spns = Get-MgServicePrincipal -all | Sort-Object -Property DisplayName
     Out-LogFile "Collecting Azure AD Registered Applications"
-    $apps = Get-AzureADApplication -all $true | Sort-Object -Property DisplayName
+    $apps = Get-MgApplication -all $true | Sort-Object -Property DisplayName
 }
 
 PROCESS{

Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1

@@ -0,0 +1,52 @@
+Function Get-HawkTenantAuditLog{
+<#
+.SYNOPSIS
+Retrieves all Azure AD audit logs for a specified tenant and exports them to a CSV file.
+
+.DESCRIPTION
+The Get-HawkTenantAuditLogs function retrieves all Azure AD audit logs for a specified tenant using the Microsoft Graph API. The audit logs are then exported to a CSV file using the Out-MultipleFileType function from the Hawk module.
+
+.EXAMPLE
+PS C:\> Get-HawkTenantAuditLogs
+
+This example retrieves all Azure AD audit logs for the "contoso.onmicrosoft.com" tenant and exports them to a CSV file.
+
+.NOTES
+This function requires the Microsoft Graph PowerShell module and the Hawk module to be installed. You can install these modules using the following commands:
+
+Install-Module -Name Microsoft.Graph
+Install-Module -Name Hawk
+
+.LINK
+https://docs.microsoft.com/en-us/graph/api/resources/auditlog?view=graph-rest-1.0
+
+#>
+BEGIN{
+    #Initializing Hawk Object if not present
+    if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+        Initialize-HawkGlobalObject
+    }
+    Out-LogFile "Gathering Azure AD Audit Logs events"
+}
+PROCESS{
+        $auditLogsResponse = Get-MgAuditLogDirectoryAudit -All
+        foreach ($auditLog in $auditLogsResponse) {
+            $auditLogs += [PSCustomObject]@{
+                Id = $auditLog.Id
+                Category = $auditLog.Category
+                Result = $auditLog.Result
+                ResultReason = $auditLog.ResultReason
+                ActivityDisplayName = $auditLog.ActivityDisplayName
+                ActivityDateTime = $auditLog.ActivityDateTime
+                Target = $auditLog.TargetResources[0].DisplayName
+                Type = $auditLog.Target.TargetResources[0].Type
+                UserPrincipalName = $auditLog.TargetResources[0].UserPrincipalName
+                UserType = $auditLog.UserType
+            }
+        }
+    }
+    END{
+        $auditLogs | Sort-Object -Property ActivityDateTime | Out-MultipleFileType -FilePrefix "AzureADAuditLog" -csv -json
+        Out-Logfile "Completed exporting Azure AD audit logs"
+    }
+}

Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1

@@ -43,7 +43,6 @@
     }
 
     Test-EXOConnection
-    Send-AIEvent -Event "CmdRun"
 
     # Setup inial start and end time for the search
     [datetime]$CurrentStart = $StartDate

Hawk/functions/Tenant/Get-HawkTenantAzureADUsers.ps1

@@ -23,20 +23,18 @@ BEGIN{
     Out-LogFile "Gathering Azure AD Users"
 
     Test-AzureADConnection
-    Send-AIEvent -Event "CmdRun"
 
 }#End BEGIN
 PROCESS{
-    $users = foreach ($user in (Get-AzureADUser -All $True)){
-        $userproperties = $user | Select-Object userprincipalname, objectid, usertype, userstatechangedon, DirSyncEnabled, ExtensionProperty
+    $users = foreach ($user in (Get-MGUser -All $True)){
+        $userproperties = $user | Select-Object userprincipalname, id, usertype, CreatedDateTime, AccountEnabled
             foreach ($properties in $userproperties){
                 [PSCustomObject]@{
                 UserPrincipalname = $userproperties.userprincipalname
-                ObjectID = $userproperties.objectid
+                ObjectID = $userproperties.id
                 UserType = $userproperties.UserType
-                DateCreated = $userproperties.ExtensionProperty.createdDateTime
-                UserStateChangedOn = $userproperties.UserStateChangedOn
-                DirSyncEnabled = $userproperties.DirSyncEnabled
+                DateCreated = $userproperties.createdDateTime
+                AccountEnabled = $userproperties.AccountEnabled
                 }
             }
     }
@@ -47,4 +45,5 @@ END{
 }#End END
 
 
-}#End Function
+}#End Function
+

Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1

@@ -19,10 +19,16 @@
 
 	Runs all of the tenant investigation cmdlets.
 #>
+Begin {
+	#Initializing Hawk Object if not present
+	if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+		Initialize-HawkGlobalObject
+	}
+	Out-LogFile "Gathering Tenant information" -Action
+	Test-EXOConnection
+}#End BEGIN
 
-Test-EXOConnection
-Send-AIEvent -Event "CmdRun"
-
+PROCESS{
 # Make sure our variables are null
 $AzureApplicationActivityEvents = $null
 
@@ -59,4 +65,8 @@ else {
 			| Out-MultipleFileType -fileprefix "Azure_Application_Audit" -csv -json -append
 	}
 }
+}#End PROCESS
+END{
+Out-LogFile "Completed gathering Tenant App Audit Logs" -Action
+}#End END
 }

Hawk/functions/Tenant/Search-HawkTenantEXOAuditLog.ps1

@@ -85,7 +85,7 @@ Function Search-HawkTenantEXOAuditLog {
 
     # Search for the creation of ANY inbox rules
     Out-LogFile "Searching for ALL Inbox Rules Created in the Shell" -action
-    [array]$TenantInboxRules = Search-AdminAuditLog -Cmdlets New-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate
+    [array]$TenantInboxRules = Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations New-InboxRule -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate
 
     # If we found anything report it and log it
     if ($TenantInboxRules.count -gt 0) {

Hawk/functions/User/Get-HawkUserAuthHistory.ps1

@@ -93,6 +93,7 @@
 
             # Add IP Geo Location information to the data
             if ($ResolveIPLocations) {
+                Out-File "Resolving IP Locations"
                 # Setup our counter
                 $i = 0
 
@@ -113,7 +114,7 @@
                     }
 
                     # Combine the connection object and the location object so that we have a single output ready
-                    $ExpandedUserLogonLogs.item($i) = ($ExpandedUserLogonLogs.item($i) | Select-Object -Property *, @{Name = "CountryName"; Expression = { $Location.CountryName } }, @{Name = "RegionCode"; Expression = { $Location.RegionCode } }, @{Name = "RegionName"; Expression = { $Location.RegionName } }, @{Name = "City"; Expression = { $Location.City } }, @{Name = "ZipCode"; Expression = { $Location.ZipCode } }, @{Name = "KnownMicrosoftIP"; Expression = { $Location.KnownMicrosoftIP } })
+                    $ExpandedUserLogonLogs.item($i) = ($ExpandedUserLogonLogs.item($i) | Select-Object -Property *, @{Name = "CountryName"; Expression = { $Location.CountryName } }, @{Name = "RegionCode"; Expression = { $Location.RegionCode } }, @{Name = "RegionName"; Expression = { $Location.RegionName } }, @{Name = "City"; Expression = { $Location.City } }, @{Name = "KnownMicrosoftIP"; Expression = { $Location.KnownMicrosoftIP } })
 
                     # increment our counter for the progress bar
                     $i++

Hawk/functions/User/Start-HawkUserInvestigation.ps1

@@ -38,6 +38,10 @@ Function Start-HawkUserInvestigation {
         [Parameter(Mandatory = $true)]
         [array]$UserPrincipalName
     )
+	#Checking to see if Logging filepath is set
+	if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+		Initialize-HawkGlobalObject
+	}
 
     Out-LogFile "Investigating Users"
     Send-AIEvent -Event "CmdRun"
@@ -65,7 +69,7 @@ Function Start-HawkUserInvestigation {
 
         Out-LogFile "Running Get-HawkUserAuthHistory" -action
         Get-HawkUserAuthHistory -User $user -ResolveIPLocations
-		
+
         Out-LogFile "Running Get-HawkUserMailboxAuditing" -action
         Get-HawkUserMailboxAuditing -User $User
 

Hawk/internal/configurations/configuration.ps1

@@ -14,7 +14,7 @@ Set-PSFConfig -Module 'Hawk' -Name 'Example.Setting' -Value 10 -Initialize -Vali
 Set-PSFConfig -Module 'Hawk' -Name 'Import.DoDotSource' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be dotsourced on import. By default, the files of this module are read as string value and invoked, which is faster but worse on debugging."
 Set-PSFConfig -Module 'Hawk' -Name 'Import.IndividualFiles' -Value $false -Initialize -Validation 'bool' -Description "Whether the module files should be imported individually. During the module build, all module code is compiled into few files, which are imported instead by default. Loading the compiled versions is faster, using the individual files is easier for debugging and testing out adjustments."
 
-Set-PSFConfig -Module 'Hawk' -Name 'DaysToLookBack' -Value 90 -Initialize -Validation integerpositive -Description 'How long into the past will the project look'
+#Set-PSFConfig -Module 'Hawk' -Name 'DaysToLookBack' -Value 90 -Initialize -Validation integerpositive -Description 'How long into the past will the project look'
 
 $handler = {
 	$paramSetPSFLoggingProvider = @{
@@ -29,4 +29,4 @@ $handler = {
 
 	Set-PSFLoggingProvider @paramSetPSFLoggingProvider
 }
-Set-PSFConfig -Module 'Hawk' -Name "FilePath" -Value '' -Initialize -Validation string -Handler $handler -Description 'Path where the module maintains logs and export data'
+Set-PSFConfig -Module 'Hawk' -Name "FilePath" -Value '' -Initialize -Validation string -Handler $handler -Description 'Path where the module maintains logs and exports data'

Hawk/internal/functions/Get-IPGeolocation.ps1

@@ -53,7 +53,8 @@ Function Get-IPGeolocation {
                 $hash = @{
                 IP               = $IPAddress
                 CountryName      = "NULL IP"
-                Continent        = "Unknown"
+                RegionName       = "Unknown"
+                RegionCode       = "Unknown"
                 ContinentName    = "Unknown"
                 City             = "Unknown"
                 KnownMicrosoftIP = "Unknown"
@@ -73,24 +74,28 @@ Function Get-IPGeolocation {
             $hash = @{
                 IP               = $IPAddress
                 CountryName      = "Failed to Resolve"
-                Continent        = "Unknown"
+                RegionName       = "Unknown"
+                RegionCode       = "Unknown"
                 ContinentName    = "Unknown"
                 City             = "Unknown"
                 KnownMicrosoftIP = "Unknown"
             }
         }
         else {
             # Determine if this IP is known to be owned by Microsoft
-            [string]$isMSFTIP = Test-MicrosoftIP -IP $IPAddress -type $geoip.type
-
+            [string]$isMSFTIP = Test-MicrosoftIP -IPToTest $IPAddress -type $geoip.type
+            if ($isMSFTIP){
+                $MSFTIP =  $isMSFTIP
+            }
             # Push return into a response object
             $hash = @{
                 IP               = $geoip.ip
                 CountryName      = $geoip.country_name
-                Continent        = $geoip.continent_code
                 ContinentName    = $geoip.continent_name
+                RegionName       = $geoip.region_name
+                RegionCode       = $geoip.region_code
                 City             = $geoip.City
-                KnownMicrosoftIP = $isMSFTIP
+                KnownMicrosoftIP = $MSFTIP
             }
             $result = New-Object PSObject -Property $hash
         }

Hawk/internal/functions/Initialize-HawkGlobalObject.ps1

@@ -222,7 +222,7 @@
         $Output =$notification.Popup("Hawk has been updated to support MGGraph due to MSONLINE deprecation. Please click OK to continue", 0, "Hawk Update", 0x00000040)
         Write-Information "Testing Graph Connection"
         Test-GraphConnection
-        
+
         # If the global variable Hawk doesn't exist or we have -force then set the variable up
         Write-Information "Setting Up initial Hawk environment variable"
 

Hawk/internal/functions/Test-EXOConnection.ps1

@@ -21,7 +21,7 @@ Function Test-EXOConnection {
     catch [System.Management.Automation.CommandNotFoundException] {
         # Connect to EXO if we couldn't find the command
         Out-LogFile "Not Connected to Exchange Online"
-        Out-LogFile "Connecting to EXO using CloudConnect Module"
+        Out-LogFile "Connecting to EXO using Exchange Online Module"
         Connect-ExchangeOnline
     }
 }