Hawk 4.0: Soaring to New Heights

Hawk Development Team

Today, we're excited to announce the release of Hawk 4.0, our most significant update yet. Over the past year, our community has provided invaluable feedback about our investigation workflows, the demand for retrieving a wider set of logs across Microsoft 365, as well as expanding coverage for Microsoft Entra ID logs. We've listened carefully and rebuilt core components of Hawk to create a more powerful, efficient, and user-friendly forensics tool.

This release represents a major milestone in Hawk's evolution, introducing extended search capabilities that unlock historical data access of up to 365 days, a dramatic improvement over previous limitations. We've introduced a 'non-interactive' mode via command-line parameters, allowing seamless automation with Hawk, while adding investigative detection features that help identify potential security threats better than ever before.

Expanded User Investigation Capabilities

At the core of Hawk 4.0 are extensive additions to user investigation capabilities, providing deeper visibility into user activities across Microsoft 365 services. We've added collection of several new M365 log sources and enhanced our analysis capabilities to help identify suspicious patterns more effectively. While these new capabilities are built into Start-HawkUserInvestigation, each function can also be run independently for targeted analysis.

  • Enhanced Exchange Log Visibility:
    • Retrieve detailed message sending activity from Exchange 'Send' logs
    • Collect email access logs (MailItemsAccessed) to detect unauthorized message access and retrieval
    • New Hawk Cmdlets:
      • Get-HawkUserMailSendActivity
      • Get-HawkUserMailItemsAccessed
  • Detect M365 Reconnaissance Activities:
    • Monitor Exchange search activity with SearchQueryInitiatedExchange logs
    • Track SharePoint document searches using SearchQueryInitiatedSharePoint logs
    • New Hawk Cmdlets:
      • Get-HawkUserExchangeSearchQuery
      • Get-HawkUserSharePointSearchQuery

Enhanced Microsoft Entra ID Visibility

Hawk 4.0 significantly expands our Microsoft Entra ID coverage, introducing new cmdlets for comprehensive identity security analysis and risk detection. These tools help identify compromised accounts and suspicious application access.

  • Sign-in Analysis: Get-HawkUserEntraIDSignInLog for detailed authentication logs in Entra ID
  • Risk Detection: New Hawk cmdlets for analyzing user, service principal, and overall tenant risk:
    • Get-HawkTenantRiskyUsers
    • Get-HawkTenantRiskDetections
  • Audit Coverage: 30-day comprehensive Entra ID audit log visibility via Get-HawkTenantEntraIDAuditLog
  • Application Analysis: Enhanced detection of broad-scope, high-risk, and extremely dangerous permissions granted to applications

Investigation Workflow Improvements

We've streamlined the investigation process with new automation capabilities and improved progress tracking, making Hawk more efficient for both interactive and automated use.

  • Non-Interactive Mode:
    • Command-line parameters for automated execution
    • Support for scheduled tasks and workflow integration
    • Configurable output paths and date ranges
  • Enhanced Logging:
    • Pre-execution validation of audit operations
    • Standardized UTC timestamps across all outputs
    • Standardized log status indicators (Information, Action, Notice, Error) for clearer operation tracking
  • License Detection: Automatic detection of available retention periods and features

Ready to Update?

Explore the new features and help make Hawk even better.