Hawk is a free, open-source PowerShell application that streamlines the collection of forensic data from Microsoft cloud environments. Designed primarily for security professionals, incident responders, and administrators, Hawk automates the gathering of critical log data across Microsoft services, with a focus on Microsoft 365 (M365) and Microsoft Entra ID.
The tool's primary function is to efficiently collect and export comprehensive log data that would otherwise require multiple manual queries across different web interfaces. Because Hawk gathers this data in one pass instead of one portal query at a time, the people who would otherwise be running those queries are freed for other administrative tasks.
While Hawk includes basic analysis capabilities to flag potential items of interest (such as suspicious mail forwarding rules, over-privileged applications, or risky user activities), it is fundamentally a data collection tool rather than an automated threat detection system.
Hawk offers two main "investigation" approaches, Tenant and User investigations, each with dedicated cmdlets. These two workflows complement each other - start broad with tenant investigations to identify areas of concern, then drill down with focused user investigations where needed.
Tenant investigations examine broader Microsoft Cloud tenant settings, audit logs, security configurations, and domain activities. This investigation type is faster to execute and provides an excellent starting point by identifying suspicious patterns, administrative changes, and potential security issues across your entire environment. Use it to quickly spot anomalies that may require deeper investigation.
User investigations perform a deep-dive analysis of individual user accounts, mailbox configurations, inbox rules, and login histories. While more time-intensive because of the depth of data collected, these investigations are crucial when examining potentially compromised accounts or investigating suspicious email behavior. User investigations pull detailed historical data and are particularly valuable after a tenant investigation has identified accounts of interest.
Hawk provides flexible execution options to suit different operational needs:
When run without parameters, Hawk operates in interactive mode, guiding you through the investigation process:
For automated operations or scripted tasks, Hawk accepts command-line parameters:
Beyond full investigations, any Hawk cmdlet can be run independently:
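The three ways of running Hawk described above (interactive, parameterised, and a single cmdlet on its own), chained into one scripted workflow, as an added example that is not part of the Hawk documentation or the project's own code. The cmdlet names (Start-HawkTenantInvestigation, Start-HawkUserInvestigation, Get-HawkUserInboxRule) and the -StartDate, -EndDate, -FilePath and -UserPrincipalName parameters are assumptions about the installed Hawk version; confirm them with Get-Command -Module Hawk and Get-Help before relying on the script. The case path and the user principal name are constructed values.

```powershell
# Added example, not Hawk's own code. Cmdlet and parameter names are assumptions
# about the installed Hawk version; verify with Get-Help <cmdlet> -Full.

# Hawk is published on the PowerShell Gallery: Install-Module Hawk (once), then:
Import-Module Hawk

# 1. Interactive mode: no parameters, Hawk prompts for the date range and output
#    path before collecting anything. (Commented out so the script runs unattended.)
# Start-HawkTenantInvestigation

# 2. Scripted mode: every prompt answered up front via parameters (assumed names).
$caseRoot = 'C:\Cases\IR-2024-0001'          # constructed output location
$window = @{
    StartDate = (Get-Date).AddDays(-30).Date  # 30-day look-back window
    EndDate   = (Get-Date).Date
    FilePath  = $caseRoot                     # becomes the [Investigation Root]
}
Start-HawkTenantInvestigation @window

# Decide which accounts need a deep dive from the tenant-wide flags: read every
# _Investigate_*.csv under Tenant\ and collect any value that looks like a UPN.
# Column names differ per cmdlet, so this is a heuristic, not a Hawk feature.
$flagged = Get-ChildItem -Path (Join-Path $caseRoot 'Tenant') -Filter '_Investigate_*.csv' |
    ForEach-Object { Import-Csv -Path $_.FullName } |
    ForEach-Object {
        $_.PSObject.Properties |
            Where-Object { "$($_.Value)" -match '^[^@\s]+@[^@\s]+\.[^@\s]+$' } |
            ForEach-Object { $_.Value }
    } |
    Sort-Object -Unique

# 3. Drill down on each flagged account; the same window and root are reused so
#    the per-user folders land beside Tenant\ (assumes the user cmdlet accepts them).
foreach ($upn in $flagged) {
    Start-HawkUserInvestigation -UserPrincipalName $upn @window
}

# 4. A single cmdlet on its own, outside any full investigation: quick check of
#    one mailbox's inbox rules (constructed UPN).
Get-HawkUserInboxRule -UserPrincipalName 'alice@contoso.com'
```

Running the tenant investigation first and feeding its flags into per-user runs mirrors the broad-then-narrow workflow described earlier; the UPN heuristic is deliberately loose because the columns that carry user identifiers differ between the investigation CSVs.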
Hawk organizes investigation results into a structured directory hierarchy, with separate folders for tenant-wide and user-specific data. All outputs are designed to support both human analysis and automated processing.
```text
📂 [Investigation Root]
├── 📂 Tenant/
│   ├── AdminAuditLogConfig.csv
│   ├── OrgConfig.csv
│   ├── _Investigate_*.csv
│   └── [other tenant files]
├── 📂 [user1@domain.com]/
│   ├── Mailbox_Info.csv
│   ├── InboxRules.csv
│   ├── _Investigate_*.csv
│   └── [other user files]
└── 📂 [user2@domain.com]/
    └── [similar structure]
```
Hawk exports data in multiple formats to support different analysis workflows:
Files prefixed with "_Investigate_" contain potentially suspicious findings that warrant further review. These files highlight activities or configurations that could indicate security concerns. The upcoming Tenant Investigation and User Investigation sections provide detailed documentation on which functions generate these investigation flags and how to interpret their findings effectively.
Many Hawk functions retrieve data from the Unified Audit Log, which contains complex nested JSON structures that can be difficult to analyze in spreadsheet applications. To make this data more accessible, Hawk provides two views of the same data:
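A small triage script covering the two points above, the _Investigate_ files and the nested Unified Audit Log JSON, as an added example that is not Hawk's own code. It assumes the directory layout shown earlier and that an audit export keeps the raw record in a column named AuditData (the column name Microsoft's Search-UnifiedAuditLog uses; confirm it against your own files before use). The sample audit record embedded in the script is constructed.

```powershell
# Added example, not Hawk's own code. Assumes the layout above and an AuditData
# column holding the raw JSON audit record (assumption; check your export).

# Summarise every _Investigate_*.csv under the case root: which scope (Tenant or
# a user folder), which finding, and how many rows it flagged.
function Get-HawkInvestigateSummary {
    param([Parameter(Mandatory)][string]$CaseRoot)
    Get-ChildItem -Path $CaseRoot -Recurse -Filter '_Investigate_*.csv' |
        ForEach-Object {
            $rows = @(Import-Csv -Path $_.FullName)
            [pscustomobject]@{
                Scope   = $_.Directory.Name                       # 'Tenant' or a UPN
                Finding = $_.BaseName -replace '^_Investigate_', ''
                Rows    = $rows.Count
                Path    = $_.FullName
            }
        } |
        Where-Object { $_.Rows -gt 0 } |
        Sort-Object Scope, Finding
}

# Flatten one raw audit record (a JSON string) into the fields an analyst reads
# first. Nested arrays such as Parameters are joined into one string so they
# survive a spreadsheet instead of appearing as "System.Object[]".
function Expand-HawkAuditRecord {
    param([Parameter(Mandatory)][string]$Json)
    $record = $Json | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime = $record.CreationTime
        Operation    = $record.Operation
        UserId       = $record.UserId
        ClientIP     = $record.ClientIP
        ResultStatus = $record.ResultStatus
        Parameters   = @($record.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}

# Apply the flattening to every row of an exported CSV; rows without a usable
# AuditData value are skipped rather than aborting the whole file.
function Expand-HawkAuditCsv {
    param([Parameter(Mandatory)][string]$CsvPath)
    Import-Csv -Path $CsvPath | ForEach-Object {
        if ([string]::IsNullOrWhiteSpace($_.AuditData)) { return }
        try { Expand-HawkAuditRecord -Json $_.AuditData } catch { return }
    }
}

# Constructed sample record in the Unified Audit Log shape; values are invented.
$sample = @'
{"CreationTime":"2024-05-01T08:15:00","Operation":"New-InboxRule","UserId":"alice@contoso.com",
 "ClientIP":"203.0.113.10","ResultStatus":"True",
 "Parameters":[{"Name":"ForwardTo","Value":"external@example.net"},{"Name":"DeleteMessage","Value":"True"}]}
'@
Expand-HawkAuditRecord -Json $sample | Format-List
# Parameters shows "ForwardTo=external@example.net; DeleteMessage=True", the kind of
# rule a reviewer of an _Investigate_ file would want to see spelled out.

# Against a real case folder (constructed path; replace <audit-export>.csv with
# the export you want to read):
$case = 'C:\Cases\IR-2024-0001'
Get-HawkInvestigateSummary -CaseRoot $case | Format-Table -AutoSize
Expand-HawkAuditCsv -CsvPath (Join-Path $case 'Tenant\<audit-export>.csv') |
    Where-Object { $_.Operation -in 'New-InboxRule', 'Set-InboxRule' } |
    Format-Table -AutoSize
```

The summary function gives a one-screen view of which _Investigate_ files actually contain rows, so the reviewer starts with scopes that flagged something; the flattening function is what makes the nested audit records sortable and filterable once they are back in a spreadsheet.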