From 4d8e5e790898ef6ca76bb6922e45ec04f3eb64fb Mon Sep 17 00:00:00 2001
From: Jonathan Butler
Date: Wed, 8 Jan 2025 18:44:02 -0500
Subject: [PATCH] Remove improperly formatted JSON from Get-HawkTenantAdminInboxRuleHistory, Get-HawkTenantAdminInboxRuleRemoval, Get-HawkTenantRBACChange, Get-HawkUserAdminAudit, Search-HawkTenantEXOAuditLog
---
 Hawk/changelog.md | 3 ++-
 .../Get-HawkTenantAdminEmailForwardingChange.ps1 | 4 ----
 .../Get-HawkTenantAdminInboxRuleCreation.ps1 | 13 -------------
 .../Get-HawkTenantAdminInboxRuleModification.ps1 | 13 -------------
 .../Get-HawkTenantAdminInboxRuleRemoval.ps1 | 12 ------------
 .../Tenant/Get-HawkTenantRbacChange.ps1 | 8 --------
 Hawk/functions/User/Get-HawkUserAdminAudit.ps1 | 12 ------------
 .../User/Get-HawkUserMailboxAuditing.ps1 | 16 ----------------
 Hawk/internal/functions/Test-GraphConnection.ps1 | 11 +----------
 9 files changed, 3 insertions(+), 89 deletions(-)
diff --git a/Hawk/changelog.md b/Hawk/changelog.md
index 7f1251b..223a63c 100644
--- a/Hawk/changelog.md
+++ b/Hawk/changelog.md
@@ -86,4 +86,5 @@
 - Updated all post Global Hawk Variable Initialized code to use prompt tagging.
 - Modified Out-MultipleFileType to not output "appending to file" to STDOUT repetitively.
 - Updated Get-HawkTenantEDiscoveryConfiguration to use non-deprecated means of collecting / analyzing eDiscovery role assignments.
-- Updated Change Log URI.
\ No newline at end of file
+- Updated Change Log URI.
+- Removed improperly formatted JSON from Get-HawkTenantAdminInboxRuleHistory, Get-HawkTenantAdminInboxRuleRemoval, Get-HawkTenantRBACChange, Get-HawkUserAdminAudit, Search-HawkTenantEXOAuditLog
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1
index 8e204d9..097a8c1 100644
--- a/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1
+++ b/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1
@@ -100,10 +100,6 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @( # Log the number of forwarding configuration changes found. Out-LogFile ("Found " + $ForwardingChanges.Count + " change(s) to user email forwarding") -Information - # Write raw JSON data for detailed reference and potential troubleshooting. - $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Forwarding_Changes_Raw.json" - $ForwardingChanges | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Parse the audit data into a simpler format for further processing and output. $ParsedChanges = $ForwardingChanges | Get-SimpleUnifiedAuditLog if ($ParsedChanges) { diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 index 1173af1..8824351 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 @@ -30,9 +30,6 @@ Function Get-HawkTenantAdminInboxRuleCreation { Path: \Tenant Description: A subset of historically created rules flagged as suspicious. - File: Investigate_Admin_Inbox_Rules_Creation_Raw.json - Path: \Tenant - Description: Raw audit data for suspicious created rules. .EXAMPLE Get-HawkTenantAdminInboxRuleCreation @@ -65,11 +62,6 @@ Function Get-HawkTenantAdminInboxRuleCreation { if ($NewInboxRules.Count -gt 0) { Out-LogFile ("Found " + $NewInboxRules.Count + " admin inbox rule changes in audit logs") -Information - # Write raw audit data with action flag - $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Creation_Raw.json" - Out-LogFile "Writing raw audit data to: $RawJsonPath" -Action - $NewInboxRules | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Process and output the results $ParsedRules = $NewInboxRules | Get-SimpleUnifiedAuditLog if ($ParsedRules) { 
@@ -89,11 +81,6 @@ Function Get-HawkTenantAdminInboxRuleCreation { Out-LogFile "Writing suspicious rule creation data" -Action $SuspiciousRules | Out-MultipleFileType -FilePrefix "_Investigate_Admin_Inbox_Rules_Creation" -csv -json -Notice - # Write raw data for suspicious rules with action flag - $RawSuspiciousPath = Join-Path -Path $TenantPath -ChildPath "Investigate_Admin_Inbox_Rules_Creation_Raw.json" - Out-LogFile "Writing raw suspicious rule data to: $RawSuspiciousPath" -Action - $SuspiciousRules | ConvertTo-Json -Depth 10 | Out-File -FilePath $RawSuspiciousPath - # Log details about why each rule was flagged foreach ($rule in $SuspiciousRules) { $reasons = @() diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 index 7e32d0a..ccb1829 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 @@ -32,9 +32,6 @@ Function Get-HawkTenantAdminInboxRuleModification { Path: \Tenant Description: A subset of historically modified rules flagged as suspicious. - File: Investigate_Admin_Inbox_Rules_Modification_Raw.json - Path: \Tenant - Description: Raw audit data for suspicious rule modifications. .EXAMPLE Get-HawkTenantAdminInboxRuleModification @@ -68,11 +65,6 @@ Function Get-HawkTenantAdminInboxRuleModification { if ($ModifiedInboxRules.Count -gt 0) { Out-LogFile ("Found " + $ModifiedInboxRules.Count + " admin inbox rule modifications in audit logs") -Information - # Write raw audit data with action flag - $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Modification_Raw.json" - Out-LogFile "Writing raw audit data to: $RawJsonPath" -Action - $ModifiedInboxRules | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Process and output the results $ParsedRules = $ModifiedInboxRules | Get-SimpleUnifiedAuditLog if ($ParsedRules) { 
@@ -92,11 +84,6 @@ Function Get-HawkTenantAdminInboxRuleModification { Out-LogFile "Writing suspicious rule modification data" -Action $SuspiciousModifications | Out-MultipleFileType -FilePrefix "_Investigate_Admin_Inbox_Rules_Modification" -csv -json -Notice - # Write raw data for suspicious modifications with action flag - $RawSuspiciousPath = Join-Path -Path $TenantPath -ChildPath "Investigate_Admin_Inbox_Rules_Modification_Raw.json" - Out-LogFile "Writing raw suspicious modification data to: $RawSuspiciousPath" -Action - $SuspiciousModifications | ConvertTo-Json -Depth 10 | Out-File -FilePath $RawSuspiciousPath - # Log details about why each modification was flagged foreach ($rule in $SuspiciousModifications) { $reasons = @() diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 index 1ed24b7..2bfbc4d 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 @@ -29,10 +29,6 @@ Function Get-HawkTenantAdminInboxRuleRemoval { Path: \Tenant Description: A subset of historically removed rules flagged as suspicious. - File: Investigate_Admin_Inbox_Rules_Removal_Raw.json - Path: \Tenant - Description: Raw audit data for suspicious removed rules. - .EXAMPLE Get-HawkTenantAdminInboxRuleRemoval @@ -62,10 +58,6 @@ Function Get-HawkTenantAdminInboxRuleRemoval { if ($RemovedInboxRules.Count -gt 0) { Out-LogFile ("Found " + $RemovedInboxRules.Count + " admin inbox rule removals in audit logs") -Information - # Write raw audit data for reference - $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Removal_Raw.json" - $RemovedInboxRules | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Process and output the results $ParsedRules = $RemovedInboxRules | Get-SimpleUnifiedAuditLog if ($ParsedRules) { 
@@ -92,10 +84,6 @@ Function Get-HawkTenantAdminInboxRuleRemoval { $SuspiciousRemovals | Out-MultipleFileType -FilePrefix "_Investigate_Admin_Inbox_Rules_Removal" -csv -json -Notice - # Write raw data for suspicious rules - $RawSuspiciousPath = Join-Path -Path $TenantPath -ChildPath "Investigate_Admin_Inbox_Rules_Removal_Raw.json" - $SuspiciousRemovals | ConvertTo-Json -Depth 10 | Out-File -FilePath $RawSuspiciousPath - # Log details about why each removal was flagged foreach ($rule in $SuspiciousRemovals) { $reasons = @() diff --git a/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 index cfbb336..5402280 100644 --- a/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 +++ b/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 @@ -30,10 +30,6 @@ Path: \Tenant Description: Raw audit data in JSON format for detailed analysis - File: RBAC_Changes_Raw.json - Path: \Tenant - Description: Complete raw audit logs in JSON format - .EXAMPLE Get-HawkTenantRBACChange @@ -88,10 +84,6 @@ if ($RBACChanges.Count -gt 0) { Out-LogFile ("Found " + $RBACChanges.Count + " changes made to Roles-Based Access Control") -Information - # Write raw audit data JSON for reference - $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "RBAC_Changes_Raw.json" - $RBACChanges | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Parse changes using Get-SimpleUnifiedAuditLog $ParsedChanges = $RBACChanges | Get-SimpleUnifiedAuditLog diff --git a/Hawk/functions/User/Get-HawkUserAdminAudit.ps1 b/Hawk/functions/User/Get-HawkUserAdminAudit.ps1 index e4a48d9..401f595 100644 --- a/Hawk/functions/User/Get-HawkUserAdminAudit.ps1 +++ b/Hawk/functions/User/Get-HawkUserAdminAudit.ps1 
@@ -20,14 +20,6 @@ Path: \ Description: Raw data of all changes made to the user. - File: User_Changes_Raw.json - Path: \ - Description: Raw JSON data from audit logs. - - File: User_Changes_Raw.txt - Path: \ - Description: Human readable format of raw audit data. - .EXAMPLE Get-HawkUserAdminAudit -UserPrincipalName user@company.com @@ -77,10 +69,6 @@ New-Item -Path $UserFolder -ItemType Directory -Force | Out-Null } - # Write raw AuditData to files for verification/debugging - $RawJsonPath = Join-Path -Path $UserFolder -ChildPath "User_Changes_Raw.json" - $UserChanges | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Parse and format the changes using Get-SimpleUnifiedAuditLog $ParsedChanges = $UserChanges | Get-SimpleUnifiedAuditLog diff --git a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 index e604259..e56d7f9 100644 --- a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 +++ b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 @@ -37,10 +37,6 @@ Path: \ Description: Raw item-level operations data in CSV and JSON formats - File: ExchangeItem_Raw.json - Path: \ - Description: Raw JSON dump of item operations audit data - ExchangeItemGroup Records: File: ExchangeItemGroup_Simple_{User}.csv/.json Path: \ @@ -50,10 +46,6 @@ Path: \ Description: Raw access pattern data in CSV and JSON formats - File: ExchangeItemGroup_Raw.json - Path: \ - Description: Raw JSON dump of access pattern audit data - .EXAMPLE Get-HawkUserMailboxAuditing -UserPrincipalName user@contoso.com 
@@ -116,10 +108,6 @@ if ($itemLogs.Count -gt 0) { Out-LogFile ("Found " + $itemLogs.Count + " ExchangeItem events.") -Information - # Write raw JSON dump - $RawJsonPath = Join-Path -Path $UserFolder -ChildPath "ExchangeItem_Raw.json" - $itemLogs | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Process and output flattened data $ParsedItemLogs = $itemLogs | Get-SimpleUnifiedAuditLog if ($ParsedItemLogs) { @@ -141,10 +129,6 @@ if ($groupLogs.Count -gt 0) { Out-LogFile ("Found " + $groupLogs.Count + " ExchangeItemGroup events.") -Information - # Write raw JSON dump - $RawJsonPath = Join-Path -Path $UserFolder -ChildPath "ExchangeItemGroup_Raw.json" - $groupLogs | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath - # Process and output flattened data $ParsedGroupLogs = $groupLogs | Get-SimpleUnifiedAuditLog if ($ParsedGroupLogs) { diff --git a/Hawk/internal/functions/Test-GraphConnection.ps1 b/Hawk/internal/functions/Test-GraphConnection.ps1 index 9a137e8..2b377b3 100644 --- a/Hawk/internal/functions/Test-GraphConnection.ps1 +++ b/Hawk/internal/functions/Test-GraphConnection.ps1 @@ -21,16 +21,7 @@ Function Test-GraphConnection { catch { # Fallback if $Hawk is not initialized if ($null -eq $Hawk) { - # If $Hawk is null, calling Out-LogFile would cause a circular dependency: - # - Out-LogFile tries to init $Hawk - # - init function calls Test-GraphConnection - # - ... infinite loop - # - # Therefore, we replicate Out-LogFile’s date/time format and the [ACTION] tag - # here in a simple Write-Output statement. This ensures consistent-looking - # log output without triggering the circular dependency when $Hawk is not yet initialized. - $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - Write-Output "[$timestamp] - [ACTION] - Connecting to MGGraph using MGGraph Module" + Write-Output "Connecting to MGGraph using MGGraph Module" } else { # $Hawk exists, so we can safely use Out-LogFile
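Review bot: The Test-GraphConnection rewrite drops the only comment explaining why `Out-LogFile` must not be used in the `$null -eq $Hawk` branch — the removed text says Out-LogFile initialises `$Hawk`, whose initialisation calls Test-GraphConnection, so the call would recurse — and without it a later cleanup can easily reintroduce that loop; keep a one-line reminder above the new `Write-Output`, e.g. `# $Hawk is not initialized yet; calling Out-LogFile here would re-enter Test-GraphConnection`. The new message also no longer carries the `[timestamp] - [ACTION]` prefix that the else branch gets from Out-LogFile, so the pre-initialisation line will look different from the rest of the log; if that is deliberate it should be stated in the changelog, whose entry for this commit mentions neither Test-GraphConnection nor this behaviour change. Pre-existing rather than introduced here, but worth noting while the line is touched: `Write-Output` writes to the function's output stream, so any caller that captures Test-GraphConnection's result receives this status string — `Write-Host` or `Write-Information` would keep it out of the pipeline. The enclosing try/catch opens before the hunk and the else branch continues after it.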