Merge pull request #247 from T0pCyber/feature/187-dc-4-collect-graph-…

…activity-logs

Feature/187 dc 4 collect graph activity logs

Hawk/Hawk.psd1

@@ -56,7 +56,7 @@
 	'Get-HawkTenantConsentGrant',
 	'Get-HawkTenantRBACChange',
 	'Get-HawkTenantAzureAppAuditLog',
-	'Get-HawkUserAuthHistory',
+	'Get-HawkUserUALSignInLog',
 	'Get-HawkUserConfiguration',
 	'Get-HawkUserEmailForwarding',
 	'Get-HawkUserInboxRule',
@@ -72,7 +72,6 @@
 	'Start-HawkUserInvestigation',
 	'Update-HawkModule',
 	'Get-HawkUserAdminAudit',
-	'Get-HawkTenantAuditLog',
 	'Get-HawkTenantAuthHistory',
 	'Get-HawkUserHiddenRule',
 	'Get-HawkMessageHeader',
@@ -90,7 +89,13 @@
 	'Get-HawkTenantAppAndSPNCredentialDetail',
 	'Get-HawkTenantEntraIDUser',
 	'Get-HawkTenantDomainActivity',
-	'Get-HawkTenantEDiscoveryLog'
+	'Get-HawkTenantEDiscoveryLog',
+	'Get-HawkUserSharePointSearchQuery',
+	'Get-HawkUserEntraIDSignInLog',
+	'Get-HawkTenantEntraIDAuditLog',
+	'Get-HawkTenantRiskyUsers',
+	'Get-HawkTenantRiskDetections',
+	'Get-HawkTenantRiskyServicePrincipals'
 
 	# Cmdlets to export from this module
 	# CmdletsToExport = ''

Hawk/changelog.md

@@ -97,7 +97,13 @@
 - Added ability to expand search up to 365 days
 - Added search of mail items accessed to the User Investigation (Get-HawkUserMailItemsAccessed)
 - Add ability to pass command line arguments to Start-HawkUserInvestigation and Start-HawkTenantInvestigation
+- Created Get-HawkUserEntraIDSignInLog, providing the ability to collect user specific Entra Sign in logs and flag on high / medium risk sign ins
+- Created Get-HawkTenantEntraIDAuditLog function, providing the ability to collect the Entra ID Audit log of the defined max of 30 days back from the current date.
+- Created Get-HawkTenantRiskyUsers function to retrieve and analyze users flagged as risky in Microsoft Entra ID.
+- Created Get-HawkTenantRiskDetections function to retrieve and summarize risk detection events from Microsoft Entra ID.
+- Created Get-HawkTenantRiskyServicePrincipals function, providing the ability to retrive and analyst users flagged as risky in Microsoft Entra ID.
 - Added search of Exchange Search Queries to the User Investigation (Get-HawkUserExchangeSearchQuery)
 - Implemented check to verify that an Exchange operation is enabled for auditing before attempting to pull logs
 - Added log pull of user Send activity to the User Investigation (Get-HawkUserMailSendActivity)
 - Added log pull of user SharePoint Search activity to the User Investigation (Get-HawkUserSharePointSearchQuery)
+

Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1

@@ -20,41 +20,21 @@
 	Path: \
 	Description: Output of Get-AdminAuditlogConfig
 
-	File: AdminAuditLogConfig.xml
-	Path: \XML
-	Description: Output of Get-AdminAuditlogConfig as CLI XML
-
 	File: OrgConfig.txt
 	Path: \
 	Description: Output of Get-OrganizationConfig
 
-	File: OrgConfig.xml
-	Path: \XML
-	Description: Output of Get-OrganizationConfig as CLI XML
-
 	File: RemoteDomain.txt
 	Path: \
 	Description: Output of Get-RemoteDomain
 
-	File: RemoteDomain.xml
-	Path: \XML
-	Description: Output of Get-RemoteDomain as CLI XML
-
 	File: TransportRules.txt
 	Path: \
 	Description: Output of Get-TransportRule
 
-	File: TransportRules.xml
-	Path: \XML
-	Description: Output of Get-TransportRule as CLI XML
-
 	File: TransportConfig.txt
 	Path: \
 	Description: Output of Get-TransportConfig
-
-	File: TransportConfig.xml
-	Path: \XML
-	Description: Output of Get-TransportConfig as CLI XML
 .NOTES
 	TODO: Put in some analysis ... flag some key things that we know we should
 #>
@@ -72,17 +52,17 @@
     Out-LogFile "Gathering Tenant Configuration Information" -action
 
     Out-LogFile "Gathering Admin Audit Log" -action
-    Get-AdminAuditLogConfig | Out-MultipleFileType -FilePrefix "AdminAuditLogConfig" -txt -xml
+    Get-AdminAuditLogConfig | Out-MultipleFileType -FilePrefix "AdminAuditLogConfig" -txt
 
     Out-LogFile "Gathering Organization Configuration" -action
-    Get-OrganizationConfig| Out-MultipleFileType -FilePrefix "OrgConfig" -xml -txt
+    Get-OrganizationConfig| Out-MultipleFileType -FilePrefix "OrgConfig" -txt
 
     Out-LogFile "Gathering Remote Domains" -action
-    Get-RemoteDomain | Out-MultipleFileType -FilePrefix "RemoteDomain" -xml -csv -json
+    Get-RemoteDomain | Out-MultipleFileType -FilePrefix "RemoteDomain" -csv -json
 
     Out-LogFile "Gathering Transport Rules" -action
-    Get-TransportRule | Out-MultipleFileType -FilePrefix "TransportRules" -xml -csv -json
+    Get-TransportRule | Out-MultipleFileType -FilePrefix "TransportRules" -csv -json
 
     Out-LogFile "Gathering Transport Configuration" -action
-    Get-TransportConfig | Out-MultipleFileType -FilePrefix "TransportConfig" -xml -csv -json
+    Get-TransportConfig | Out-MultipleFileType -FilePrefix "TransportConfig" -csv -json
 }

Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1

@@ -18,7 +18,7 @@
         Get-HawkTenantEDiscoveryLog
 
         This will search for all eDiscovery-related activities in the Unified Audit Log
-        for the configured time period and export the results to CSV format.
+        for the configured time period and export the results to CSV and JSON formats.
 
     .EXAMPLE
         $logs = Get-HawkTenantEDiscoveryLog
@@ -28,7 +28,11 @@
         operations like new search creation.
 
     .OUTPUTS
-        File: eDiscoveryLogs.csv
+        File: Simple_eDiscoveryLogs.csv/.json
+        Path: \Tenant
+        Description: Simplified view of eDiscovery activities.
+
+        File: eDiscoveryLogs.csv/.json
         Path: \Tenant
         Description: Contains all eDiscovery activities found in the UAL with fields for:
         - CreationTime: When the activity occurred
@@ -40,45 +44,36 @@
         - CaseId: Unique identifier for the eDiscovery case
         - Cmdlet: Command that was executed (if applicable)
     #>
-    # Search UAL audit logs for any Domain configuration changes
-
     # Check if Hawk object exists and is fully initialized
     if (Test-HawkGlobalObject) {
         Initialize-HawkGlobalObject
     }
 
-
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 
     Out-LogFile "Gathering any eDiscovery logs" -action
 
-    # Search UAL audit logs for any Domain configuration changes
+    # Search UAL audit logs for any eDiscovery activities
     $eDiscoveryLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'Discovery'")
-    # If null we found no changes to nothing to do here
+
     if ($null -eq $eDiscoveryLogs) {
         Out-LogFile "Get-HawkTenantEDiscoveryLog completed successfully" -Information
         Out-LogFile "No eDiscovery Logs found" -Action
     }
-
-    # If not null then we must have found some events so flag them
     else {
-        Out-LogFile "eDiscovery Log have been found." -Notice
+        Out-LogFile "eDiscovery Logs have been found." -Notice
         Out-LogFile "Please review these eDiscoveryLogs.csv to validate the activity is legitimate." -Notice
-        # Go thru each even and prepare it to output to CSV
-        Foreach ($log in $eDiscoveryLogs) {
-            $log1 = $log.auditdata | ConvertFrom-Json
-            $report = $log1  | Select-Object -Property CreationTime,
-            Id,
-            Operation,
-            Workload,
-            UserID,
-            Case,
-            @{Name = 'CaseID'; Expression = { ($_.ExtendedProperties | Where-Object { $_.Name -eq 'CaseId' }).value } },
-            @{Name = 'Cmdlet'; Expression = { ($_.Parameters | Where-Object { $_.Name -eq 'Cmdlet' }).value } }
 
-            $report | Out-MultipleFileType -fileprefix "eDiscoveryLogs" -csv -append
+        # Process and output both simple and detailed formats
+        $ParsedLogs = $eDiscoveryLogs | Get-SimpleUnifiedAuditLog
+        if ($ParsedLogs) {
+            Out-LogFile "Writing parsed eDiscovery log data" -Action
+            $ParsedLogs | Out-MultipleFileType -FilePrefix "Simple_eDiscoveryLogs" -csv -json
+            $eDiscoveryLogs | Out-MultipleFileType -FilePrefix "eDiscoveryLogs" -csv -json
+        }
+        else {
+            Out-LogFile "Error: Failed to parse eDiscovery log data" -isError
         }
-
     }
-}
+}

Hawk/functions/Tenant/Get-HawkTenantEntraIDAuditLog.ps1

@@ -0,0 +1,99 @@
+Function Get-HawkTenantEntraIDAuditLog {
+    <#
+    .SYNOPSIS
+        Retrieves Microsoft Entra ID audit logs using Microsoft Graph API.
+    
+    .DESCRIPTION
+        This function queries the Microsoft Graph API to retrieve Entra ID audit logs. Due to 
+        API limitations, it can only retrieve logs for the past 30 days from the current date,
+        regardless of the date range configured in Hawk.
+
+        The function will warn if the configured Hawk date range extends beyond the available
+        30-day window, but will still retrieve all available logs within the allowed period.
+
+        All retrieved audit log entries are exported in both CSV and JSON formats without
+        any filtering or modification.
+
+    .OUTPUTS
+        File: EntraIDAuditLogs.csv
+        Path: \Tenant
+        Description: Complete Entra ID audit log entries from the last 30 days in CSV format
+
+        File: EntraIDAuditLogs.json
+        Path: \Tenant
+        Description: Complete Entra ID audit log entries from the last 30 days in JSON format
+
+    .EXAMPLE
+        Get-HawkTenantEntraIDAuditLog
+
+        Retrieves all available Entra ID audit logs from the past 30 days, regardless of
+        the date range configured in Hawk.
+
+    .NOTES
+        Author: Jonathan Butler
+        Version: 1.0
+        
+        Requires the following Microsoft Graph permissions:
+        - AuditLog.Read.All
+        - Directory.Read.All
+
+        IMPORTANT: The Microsoft Graph API for directory audit logs has a strict 30-day
+        lookback limit from the current date. Any configured date ranges in Hawk that
+        extend beyond this window will be noted, but the function will still retrieve
+        all available logs within the allowed 30-day period.
+
+    .LINK 
+        https://learn.microsoft.com/en-us/graph/api/directoryaudit-list
+    #>
+    [CmdletBinding()]
+    param()
+
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+    Test-GraphConnection
+    Send-AIEvent -Event "CmdRun"
+
+    Out-LogFile "Gathering Entra ID audit log" -Action
+
+    # Create tenant folder if it doesn't exist
+    $TenantPath = Join-Path -Path $Hawk.FilePath -ChildPath "Tenant"
+    if (-not (Test-Path -Path $TenantPath)) {
+        New-Item -Path $TenantPath -ItemType Directory -Force | Out-Null
+    }
+
+    try {
+        # Calculate 30 days ago from current date
+        $thirtyDaysAgo = (Get-Date).AddDays(-30).Date 
+
+        # Warn if Hawk date range extends beyond available window
+        if ($Hawk.StartDate -lt $thirtyDaysAgo) {
+            Out-LogFile "Note: Entra ID audit logs are only available for the past 30 days. Earlier dates will be ignored." -Information
+        }
+
+        # Build filter string using 30-day limit
+        $filterString = "activityDateTime ge $($thirtyDaysAgo.ToString('yyyy-MM-ddTHH:mm:ssZ')) and activityDateTime le $((Get-Date).ToString('yyyy-MM-ddTHH:mm:ssZ'))"
+
+        Out-LogFile "Retrieving audit logs for the past 30 days" -Action
+
+        # Get all audit logs for the date range
+        [array]$auditLogs = Get-MgAuditLogDirectoryAudit -Filter $filterString -All
+
+        if ($auditLogs.Count -gt 0) {
+            Out-LogFile ("Found " + $auditLogs.Count + " audit log entries") -Information
+
+            # Export the complete objects to both CSV and JSON
+            $auditLogs | Out-MultipleFileType -FilePrefix "EntraIDAuditLogs" -csv -json
+        }
+        else {
+            Out-LogFile "Get-HawkTenantEntraIDAuditLog completed successfully" -Information
+            Out-LogFile "No audit logs found for the specified time period" -Action
+        }
+    }
+    catch {
+        Out-LogFile "Error retrieving Entra ID audit logs: $($_.Exception.Message)" -isError
+        Write-Error -ErrorRecord $_ -ErrorAction Continue
+    }
+}