Add test-hawkglobalobject function and have every public function cal…

…l it before executing to ensure that hawk global object is fully configured prior to hawk execution.
T0pCyber · Jan 11, 2025 · 74d10dd · 74d10dd
1 parent 70b992a
commit 74d10dd
Show file tree

Hide file tree

Showing 36 changed files with 314 additions and 152 deletions.
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1
@@ -37,6 +37,11 @@ Function Get-HawkTenantAdminEmailForwardingChange {
     [CmdletBinding()]
     param()
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     # Test the Exchange Online connection to ensure the environment is ready for operations.
     Test-EXOConnection
     # Log the execution of the function for audit and telemetry purposes.

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1
@@ -42,6 +42,11 @@ Function Get-HawkTenantAdminInboxRuleCreation {
     [CmdletBinding()]
     param()
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1
@@ -45,6 +45,12 @@ Function Get-HawkTenantAdminInboxRuleModification {
     [CmdletBinding()]
     param()
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1
@@ -38,6 +38,11 @@ Function Get-HawkTenantAdminInboxRuleRemoval {
     [CmdletBinding()]
     param()
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminMailboxPermissionChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminMailboxPermissionChange.ps1
@@ -29,6 +29,12 @@ Function Get-HawkTenantAdminMailboxPermissionChange {
     [CmdletBinding()]
     param()
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetail.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAppAndSPNCredentialDetail.ps1
@@ -23,7 +23,8 @@
     param()
 
     BEGIN {
-        if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+        # Check if Hawk object exists and is fully initialized
+        if (Test-HawkGlobalObject) {
             Initialize-HawkGlobalObject
         }
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAuditLog.ps1
@@ -22,10 +22,12 @@ https://docs.microsoft.com/en-us/graph/api/resources/auditlog?view=graph-rest-1.
 
 #>
 BEGIN{
-    #Initializing Hawk Object if not present
-    if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
         Initialize-HawkGlobalObject
     }
+
     Out-LogFile "Gathering Azure AD Audit Logs events" -Action
 }
 PROCESS{

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAuthHistory.ps1
@@ -27,15 +27,12 @@
         [int]$IntervalMinutes = 15
     )
 
-    # # Try to convert the submitted date into [datetime] format
-    # try {
-    #     [datetime]$DateToStartSearch = Get-Date $StartDate
-    # }
-    # catch {
-    #     Out-Logfile "[ERROR] - Unable to convert submitted date"
-    #     break
-    # }
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
 
+
     # Make sure the start date isn't more than 90 days in the past
     if ((Get-Date).adddays(-91) -gt $StartDate) {
         Out-Logfile "Start date is over 90 days in the past" -isError

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAzureAppAuditLog.ps1
@@ -21,9 +21,13 @@
 #>
 Begin {
 	#Initializing Hawk Object if not present
-	if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
-		Initialize-HawkGlobalObject
-	}
+    # Check if Hawk object exists and is fully initialized
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
 	Out-LogFile "Gathering Tenant information" -Action
 	Test-EXOConnection
 }#End BEGIN

diff --git a/Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1 b/Hawk/functions/Tenant/Get-HawkTenantConfiguration.ps1
@@ -58,6 +58,13 @@
 .NOTES
 	TODO: Put in some analysis ... flag some key things that we know we should
 #>
+
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
 	Test-EXOConnection
 	Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1 b/Hawk/functions/Tenant/Get-HawkTenantConsentGrant.ps1
@@ -25,6 +25,11 @@
     [CmdletBinding()]
     param()
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     Out-LogFile "Gathering OAuth / Application Grants" -Action
 
     Test-GraphConnection

diff --git a/Hawk/functions/Tenant/Get-HawkTenantDomainActivity.ps1 b/Hawk/functions/Tenant/Get-HawkTenantDomainActivity.ps1
@@ -27,6 +27,13 @@ Function Get-HawkTenantDomainActivity {
 	Searches for all Domain configuration actions
 #>
 	BEGIN{
+		# Check if Hawk object exists and is fully initialized
+		if (Test-HawkGlobalObject) {
+			Initialize-HawkGlobalObject
+		}
+
+
+
 		Test-EXOConnection
 		Send-AIEvent -Event "CmdRun"
 		Out-LogFile "Gathering any changes to Domain configuration settings" -action

diff --git a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryConfiguration.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryConfiguration.ps1
@@ -59,10 +59,12 @@
     #TO DO: UPDATE THIS FUNCTION TO FIND E-Discovery roles created via the graph API
 
     BEGIN {
-        if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+        # Check if Hawk object exists and is fully initialized
+        if (Test-HawkGlobalObject) {
             Initialize-HawkGlobalObject
         }
 
+
         Test-EXOConnection
         Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEDiscoveryLog.ps1
@@ -41,6 +41,13 @@
         - Cmdlet: Command that was executed (if applicable)
     #>
     # Search UAL audit logs for any Domain configuration changes
+
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Get-HawkTenantEXOAdmin.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEXOAdmin.ps1
@@ -14,6 +14,11 @@
 .NOTES
 #>
 BEGIN{
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     Out-LogFile "Gathering Exchange Online Administrators" -Action
 
     Test-EXOConnection

diff --git a/Hawk/functions/Tenant/Get-HawkTenantEntraIDAdmin.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEntraIDAdmin.ps1
@@ -20,10 +20,11 @@
         param()
 
         BEGIN {
-            # Initializing Hawk Object if not present
-            if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+            # Check if Hawk object exists and is fully initialized
+            if (Test-HawkGlobalObject) {
                 Initialize-HawkGlobalObject
             }
+
             Out-LogFile "Gathering Microsoft Entra ID Administrators" -Action
 
             # Verify Graph API connection

diff --git a/Hawk/functions/Tenant/Get-HawkTenantEntraIDUser.ps1 b/Hawk/functions/Tenant/Get-HawkTenantEntraIDUser.ps1
@@ -20,10 +20,11 @@
         Properties selected for DFIR relevance.
     #>
     BEGIN {
-        # Initialize the Hawk environment if not already done
-        if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
+        # Check if Hawk object exists and is fully initialized
+        if (Test-HawkGlobalObject) {
             Initialize-HawkGlobalObject
         }
+
         Out-LogFile "Gathering Entra ID Users" -Action
 
         # Ensure we have a valid Graph connection

diff --git a/Hawk/functions/Tenant/Get-HawkTenantInboxRule.ps1 b/Hawk/functions/Tenant/Get-HawkTenantInboxRule.ps1
@@ -55,6 +55,11 @@
         [Parameter(Mandatory = $true)]
         [string]$UserPrincipalName
     )
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
 
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"

diff --git a/Hawk/functions/Tenant/Get-HawkTenantMailItemsAccessed.ps1 b/Hawk/functions/Tenant/Get-HawkTenantMailItemsAccessed.ps1
@@ -33,6 +33,11 @@
 
     )
 BEGIN {
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     Out-LogFile "Starting Unified Audit Log (UAL) search for 'MailItemsAccessed'" -Action
 
 }#End Begin

diff --git a/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1
@@ -37,6 +37,11 @@
     #>
     [CmdletBinding()]
     param()
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
 
     # Verify EXO connection and send telemetry
     Test-EXOConnection

diff --git a/Hawk/functions/Tenant/Search-HawkTenantActivityByIP.ps1 b/Hawk/functions/Tenant/Search-HawkTenantActivityByIP.ps1
@@ -44,6 +44,12 @@
         [string]$IpAddress
     )
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1 b/Hawk/functions/Tenant/Start-HawkTenantInvestigation.ps1
@@ -33,9 +33,10 @@
 	[CmdletBinding(SupportsShouldProcess)]
 	param()
 
-	if ([string]::IsNullOrEmpty($Hawk.FilePath)) {
-		Initialize-HawkGlobalObject
-	}
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
 
 	Out-LogFile "Starting Tenant Sweep" -action
 	Send-AIEvent -Event "CmdRun"

diff --git a/Hawk/functions/User/Get-HawkUserAdminAudit.ps1 b/Hawk/functions/User/Get-HawkUserAdminAudit.ps1
@@ -35,6 +35,11 @@
         [Parameter(Mandatory = $true)]
         [array]$UserPrincipalName
     )
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
 
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"

diff --git a/Hawk/functions/User/Get-HawkUserAuthHistory.ps1 b/Hawk/functions/User/Get-HawkUserAuthHistory.ps1
@@ -38,6 +38,12 @@
         [switch]$ResolveIPLocations
     )
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/User/Get-HawkUserAutoReply.ps1 b/Hawk/functions/User/Get-HawkUserAutoReply.ps1
@@ -30,6 +30,11 @@
 
     )
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/User/Get-HawkUserConfiguration.ps1 b/Hawk/functions/User/Get-HawkUserConfiguration.ps1
@@ -43,6 +43,10 @@
 		[Parameter(Mandatory = $true)]
 		[array]$UserPrincipalName
 	)
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
 
 	Test-EXOConnection
 	Send-AIEvent -Event "CmdRun"

diff --git a/Hawk/functions/User/Get-HawkUserEmailForwarding.ps1 b/Hawk/functions/User/Get-HawkUserEmailForwarding.ps1
@@ -38,6 +38,12 @@
         [array]$UserPrincipalName
     )
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/User/Get-HawkUserHiddenRule.ps1 b/Hawk/functions/User/Get-HawkUserHiddenRule.ps1
@@ -46,6 +46,12 @@
         [System.Management.Automation.PSCredential]$EWSCredential
     )
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/User/Get-HawkUserInboxRule.ps1 b/Hawk/functions/User/Get-HawkUserInboxRule.ps1
@@ -40,6 +40,12 @@ Function Get-HawkUserInboxRule {
 
     )
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"
 

diff --git a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
@@ -77,6 +77,11 @@
         [array]$UserPrincipalName
     )
 
+    # Check if Hawk object exists and is fully initialized
+    if (Test-HawkGlobalObject) {
+        Initialize-HawkGlobalObject
+    }
+
     Test-EXOConnection
     Send-AIEvent -Event "CmdRun"