Uncomment calls in user and tenant investigaiton

.gitignore

@@ -26,3 +26,6 @@ publish/*
 *.docx
 *.doc
 *.xlsx
+
+# Ignore this file if produced by developer when resolving IP locations
+Resolving IP Locations

Hawk/changelog.md

@@ -101,7 +101,7 @@
 - Created Get-HawkTenantEntraIDAuditLog function, providing the ability to collect the Entra ID Audit log of the defined max of 30 days back from the current date.
 - Created Get-HawkTenantRiskyUsers function to retrieve and analyze users flagged as risky in Microsoft Entra ID.
 - Created Get-HawkTenantRiskDetections function to retrieve and summarize risk detection events from Microsoft Entra ID.
-- Created Get-HawkTenantRiskyServicePrincipals function, providing the ability to retrive and analyst users flagged as risky in Microsoft Entra ID.
+- Created Get-HawkTenantRiskyServicePrincipals function, providing the ability to retrieve and analyst users flagged as risky in Microsoft Entra ID.
 - Added search of Exchange Search Queries to the User Investigation (Get-HawkUserExchangeSearchQuery)
 - Implemented check to verify that an Exchange operation is enabled for auditing before attempting to pull logs
 - Added log pull of user Send activity to the User Investigation (Get-HawkUserMailSendActivity)

Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1

@@ -145,101 +145,101 @@
         Out-LogFile "Starting Tenant Investigation" -action
         Send-AIEvent -Event "CmdRun"
 
-        # # Wrap operations in ShouldProcess checks
-        # if ($PSCmdlet.ShouldProcess("Tenant Configuration", "Get configuration data")) {
-        # 	Out-LogFile "Running Get-HawkTenantConfiguration" -action
-        # 	Get-HawkTenantConfiguration
-        # }
+        # Wrap operations in ShouldProcess checks
+        if ($PSCmdlet.ShouldProcess("Tenant Configuration", "Get configuration data")) {
+        	Out-LogFile "Running Get-HawkTenantConfiguration" -action
+        	Get-HawkTenantConfiguration
+        }
 
-        # if ($PSCmdlet.ShouldProcess("EDiscovery Configuration", "Get eDiscovery configuration")) {
-        # 	Out-LogFile "Running Get-HawkTenantEDiscoveryConfiguration" -action
-        # 	Get-HawkTenantEDiscoveryConfiguration
-        # }
+        if ($PSCmdlet.ShouldProcess("EDiscovery Configuration", "Get eDiscovery configuration")) {
+        	Out-LogFile "Running Get-HawkTenantEDiscoveryConfiguration" -action
+        	Get-HawkTenantEDiscoveryConfiguration
+        }
 
         if ($PSCmdlet.ShouldProcess("Admin Inbox Rule Creation Audit Log", "Search Admin Inbox Rule Creation")) {
             Out-LogFile "Running Get-HawkTenantAdminInboxRuleCreation" -action
             Get-HawkTenantAdminInboxRuleCreation
         }
 
-        # if ($PSCmdlet.ShouldProcess("Admin Inbox Rule Modification Audit Log", "Search Admin Inbox Rule Modification")) {
-        # 	Out-LogFile "Running Get-HawkTenantInboxRuleModification" -action
-        # 	Get-HawkTenantAdminInboxRuleModification
-        # }
+        if ($PSCmdlet.ShouldProcess("Admin Inbox Rule Modification Audit Log", "Search Admin Inbox Rule Modification")) {
+        	Out-LogFile "Running Get-HawkTenantInboxRuleModification" -action
+        	Get-HawkTenantAdminInboxRuleModification
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Admin Inbox Rule Removal Audit Log", "Search Admin Inbox Rule Removal")) {
-        # 	Out-LogFile "Running Get-HawkTenantAdminInboxRuleRemoval" -action
-        # 	Get-HawkTenantAdminInboxRuleRemoval
-        # }
+        if ($PSCmdlet.ShouldProcess("Admin Inbox Rule Removal Audit Log", "Search Admin Inbox Rule Removal")) {
+        	Out-LogFile "Running Get-HawkTenantAdminInboxRuleRemoval" -action
+        	Get-HawkTenantAdminInboxRuleRemoval
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Admin Inbox Rule Permission Change Audit Log", "Search Admin Inbox Permission Changes")) {
-        # 	Out-LogFile "Running Get-HawkTenantAdminMailboxPermissionChange" -action
-        # 	Get-HawkTenantAdminMailboxPermissionChange
-        # }
+        if ($PSCmdlet.ShouldProcess("Admin Inbox Rule Permission Change Audit Log", "Search Admin Inbox Permission Changes")) {
+        	Out-LogFile "Running Get-HawkTenantAdminMailboxPermissionChange" -action
+        	Get-HawkTenantAdminMailboxPermissionChange
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Admin Email Forwarding Change Change Audit Log", "Search Admin Email Forwarding Changes")) {
-        # 	Out-LogFile "Running Get-HawkTenantAdminEmailForwardingChange" -action
-        # 	Get-HawkTenantAdminEmailForwardingChange
-        # }
+        if ($PSCmdlet.ShouldProcess("Admin Email Forwarding Change Change Audit Log", "Search Admin Email Forwarding Changes")) {
+        	Out-LogFile "Running Get-HawkTenantAdminEmailForwardingChange" -action
+        	Get-HawkTenantAdminEmailForwardingChange
+        }
 
-        # if ($PSCmdlet.ShouldProcess("EDiscovery Logs", "Get eDiscovery logs")) {
-        # 	Out-LogFile "Running Get-HawkTenantEDiscoveryLog" -action
-        # 	Get-HawkTenantEDiscoveryLog
-        # }
+        if ($PSCmdlet.ShouldProcess("EDiscovery Logs", "Get eDiscovery logs")) {
+        	Out-LogFile "Running Get-HawkTenantEDiscoveryLog" -action
+        	Get-HawkTenantEDiscoveryLog
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Domain Activity", "Get domain activity")) {
-        # 	Out-LogFile "Running Get-HawkTenantDomainActivity" -action
-        # 	Get-HawkTenantDomainActivity
-        # }
+        if ($PSCmdlet.ShouldProcess("Domain Activity", "Get domain activity")) {
+        	Out-LogFile "Running Get-HawkTenantDomainActivity" -action
+        	Get-HawkTenantDomainActivity
+        }
 
-        # if ($PSCmdlet.ShouldProcess("RBAC Changes", "Get RBAC changes")) {
-        # 	Out-LogFile "Running Get-HawkTenantRBACChange" -action
-        # 	Get-HawkTenantRBACChange
-        # }
-
-        # if ($PSCmdlet.ShouldProcess("Entra ID Audit Log", "Get Entra ID audit logs")) {
-        # 	Out-LogFile "Running Get-HawkTenantEntraIDAuditLog" -action
-        # 	Get-HawkTenantEntraIDAuditLog
-        # }
+        if ($PSCmdlet.ShouldProcess("RBAC Changes", "Get RBAC changes")) {
+        	Out-LogFile "Running Get-HawkTenantRBACChange" -action
+        	Get-HawkTenantRBACChange
+        }
+
+        if ($PSCmdlet.ShouldProcess("Entra ID Audit Log", "Get Entra ID audit logs")) {
+        	Out-LogFile "Running Get-HawkTenantEntraIDAuditLog" -action
+        	Get-HawkTenantEntraIDAuditLog
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Azure App Audit Log", "Get app audit logs")) {
-        # 	Out-LogFile "Running Get-HawkTenantAzureAppAuditLog" -action
-        # 	Get-HawkTenantAzureAppAuditLog
-        # }
+        if ($PSCmdlet.ShouldProcess("Azure App Audit Log", "Get app audit logs")) {
+        	Out-LogFile "Running Get-HawkTenantAzureAppAuditLog" -action
+        	Get-HawkTenantAzureAppAuditLog
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Exchange Admins", "Get Exchange admin list")) {
-        # 	Out-LogFile "Running Get-HawkTenantEXOAdmin" -action
-        # 	Get-HawkTenantEXOAdmin
-        # }
+        if ($PSCmdlet.ShouldProcess("Exchange Admins", "Get Exchange admin list")) {
+        	Out-LogFile "Running Get-HawkTenantEXOAdmin" -action
+        	Get-HawkTenantEXOAdmin
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Consent Grants", "Get consent grants")) {
-        #     Out-LogFile "Running Get-HawkTenantConsentGrant" -action
-        #     Get-HawkTenantConsentGrant
-        # }
+        if ($PSCmdlet.ShouldProcess("Consent Grants", "Get consent grants")) {
+            Out-LogFile "Running Get-HawkTenantConsentGrant" -action
+            Get-HawkTenantConsentGrant
+        }
 
         if ($PSCmdlet.ShouldProcess("Risky Users", "Get Entra ID Risky Users")) {
             Out-LogFile "Running Get-HawkTenantRiskyUsers" -action
             Get-HawkTenantRiskyUsers
         }
 
-        # if ($PSCmdlet.ShouldProcess("Risk Detections", "Get Entra ID Risk Detections")) {
-        # 	Out-LogFile "Running Get-HawkTenantRiskDetections" -action
-        # 	Get-HawkTenantRiskDetections
-        # }
+        if ($PSCmdlet.ShouldProcess("Risk Detections", "Get Entra ID Risk Detections")) {
+        	Out-LogFile "Running Get-HawkTenantRiskDetections" -action
+        	Get-HawkTenantRiskDetections
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Entra ID Admins", "Get Entra ID admin list")) {
-        # 	Out-LogFile "Running Get-HawkTenantEntraIDAdmin" -action
-        # 	Get-HawkTenantEntraIDAdmin
-        # }
+        if ($PSCmdlet.ShouldProcess("Entra ID Admins", "Get Entra ID admin list")) {
+        	Out-LogFile "Running Get-HawkTenantEntraIDAdmin" -action
+        	Get-HawkTenantEntraIDAdmin
+        }
 
-        # if ($PSCmdlet.ShouldProcess("App and SPN Credentials", "Get credential details")) {
-        # 	Out-LogFile "Running Get-HawkTenantAppAndSPNCredentialDetail" -action
-        # 	Get-HawkTenantAppAndSPNCredentialDetail
-        # }
+        if ($PSCmdlet.ShouldProcess("App and SPN Credentials", "Get credential details")) {
+        	Out-LogFile "Running Get-HawkTenantAppAndSPNCredentialDetail" -action
+        	Get-HawkTenantAppAndSPNCredentialDetail
+        }
 
-        # if ($PSCmdlet.ShouldProcess("Entra ID Users", "Get Entra ID user list")) {
-        # 	Out-LogFile "Running Get-HawkTenantEntraIDUser" -action
-        # 	Get-HawkTenantEntraIDUser
-        # }
+        if ($PSCmdlet.ShouldProcess("Entra ID Users", "Get Entra ID user list")) {
+        	Out-LogFile "Running Get-HawkTenantEntraIDUser" -action
+        	Get-HawkTenantEntraIDUser
+        }
 
     }
     end {

Hawk/functions/User/Start-HawkUserInvestigation.ps1

@@ -156,74 +156,74 @@
 			foreach ($Object in $UserArray) {
 				[string]$User = $Object.UserPrincipalName
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserConfiguration for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserConfiguration" -Action
-				# 	Get-HawkUserConfiguration -User $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserConfiguration for $User")) {
+					Out-LogFile "Running Get-HawkUserConfiguration" -Action
+					Get-HawkUserConfiguration -User $User
+				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserInboxRule for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserInboxRule" -Action
-				# 	Get-HawkUserInboxRule -User $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserInboxRule for $User")) {
+					Out-LogFile "Running Get-HawkUserInboxRule" -Action
+					Get-HawkUserInboxRule -User $User
+				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserEmailForwarding for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserEmailForwarding" -Action
-				# 	Get-HawkUserEmailForwarding -User $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserEmailForwarding for $User")) {
+					Out-LogFile "Running Get-HawkUserEmailForwarding" -Action
+					Get-HawkUserEmailForwarding -User $User
+				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserAutoReply for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserAutoReply" -Action
-				# 	Get-HawkUserAutoReply -User $User
-				# }
-
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserEntraIDSignInLog for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserEntraIDSignInLog" -Action
-				# 	Get-HawkUserEntraIDSignInLog -UserPrincipalName $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserAutoReply for $User")) {
+					Out-LogFile "Running Get-HawkUserAutoReply" -Action
+					Get-HawkUserAutoReply -User $User
+				}
+
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserEntraIDSignInLog for $User")) {
+					Out-LogFile "Running Get-HawkUserEntraIDSignInLog" -Action
+					Get-HawkUserEntraIDSignInLog -UserPrincipalName $User
+				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserUALSignInLog for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserUALSignInLog" -Action
-				# 	Get-HawkUserUALSignInLog -User $User -ResolveIPLocations
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserUALSignInLog for $User")) {
+					Out-LogFile "Running Get-HawkUserUALSignInLog" -Action
+					Get-HawkUserUALSignInLog -User $User -ResolveIPLocations
+				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMailboxAuditing for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserMailboxAuditing" -Action
-				# 	Get-HawkUserMailboxAuditing -User $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMailboxAuditing for $User")) {
+					Out-LogFile "Running Get-HawkUserMailboxAuditing" -Action
+					Get-HawkUserMailboxAuditing -User $User
+				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserAdminAudit for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserAdminAudit" -Action
-				# 	Get-HawkUserAdminAudit -User $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserAdminAudit for $User")) {
+					Out-LogFile "Running Get-HawkUserAdminAudit" -Action
+					Get-HawkUserAdminAudit -User $User
+				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMessageTrace for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserMessageTrace" -Action
-				# 	Get-HawkUserMessageTrace -User $User
-				# }
-
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMailItemsAccessed for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserMailItemsAccessed" -Action
-				# 	Get-HawkUserMailItemsAccessed -UserPrincipalName $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMessageTrace for $User")) {
+					Out-LogFile "Running Get-HawkUserMessageTrace" -Action
+					Get-HawkUserMessageTrace -User $User
+				}
+
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMailItemsAccessed for $User")) {
+					Out-LogFile "Running Get-HawkUserMailItemsAccessed" -Action
+					Get-HawkUserMailItemsAccessed -UserPrincipalName $User
+				}
 				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserExchangeSearchQuery for $User")) {
 					Out-LogFile "Running Get-HawkUserExchangeSearchQuery" -Action
 					Get-HawkUserExchangeSearchQuery -UserPrincipalName $User
 				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMailSendActivity for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserMailSendActivity" -Action
-				# 	Get-HawkUserMailSendActivity -UserPrincipalName $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMailSendActivity for $User")) {
+					Out-LogFile "Running Get-HawkUserMailSendActivity" -Action
+					Get-HawkUserMailSendActivity -UserPrincipalName $User
+				}
 
 				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserSharePointSearchQuery for $User")) {
 					Out-LogFile "Running Get-HawkUserSharePointSearchQuery" -Action
 					Get-HawkUserSharePointSearchQuery -UserPrincipalName $User
 				}
 
-				# if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMobileDevice for $User")) {
-				# 	Out-LogFile "Running Get-HawkUserMobileDevice" -Action
-				# 	Get-HawkUserMobileDevice -User $User
-				# }
+				if ($PSCmdlet.ShouldProcess("Running Get-HawkUserMobileDevice for $User")) {
+					Out-LogFile "Running Get-HawkUserMobileDevice" -Action
+					Get-HawkUserMobileDevice -User $User
+				}
 
 			}
 		}