T0pCyber · T0pCyber · Jan 8, 2025 · Jan 8, 2025
diff --git a/Hawk/changelog.md b/Hawk/changelog.md
@@ -86,4 +86,5 @@
 - Updated all post Global Hawk Variable Initialized code to use prompt tagging.
 - Modified Out-MultipleFileType to not output "appending to file" to STDOUT repetitively.
 - Updated Get-HawkTenantEDiscoveryConfiguration to use non-deprecated means of collecting / analyzing eDiscovery role assignments.
-- Updated Change Log URI.
+- Updated Change Log URI.
+- Removed improperly formatted JSON from Get-HawkTenantAdminInboxRuleHistory, Get-HawkTenantAdminInboxRuleRemoval, Get-HawkTenantRBACChange, Get-HawkUserAdminAudit, Search-HawkTenantEXOAuditLog
diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminEmailForwardingChange.ps1
@@ -100,10 +100,6 @@ Search-UnifiedAuditLog -RecordType ExchangeAdmin -Operations @(
             # Log the number of forwarding configuration changes found.
             Out-LogFile ("Found " + $ForwardingChanges.Count + " change(s) to user email forwarding") -Information
 
-            # Write raw JSON data for detailed reference and potential troubleshooting.
-            $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Forwarding_Changes_Raw.json"
-            $ForwardingChanges | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
             # Parse the audit data into a simpler format for further processing and output.
             $ParsedChanges = $ForwardingChanges | Get-SimpleUnifiedAuditLog
             if ($ParsedChanges) {

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleCreation.ps1
@@ -30,9 +30,6 @@ Function Get-HawkTenantAdminInboxRuleCreation {
         Path: \Tenant  
         Description: A subset of historically created rules flagged as suspicious.
 
-        File: Investigate_Admin_Inbox_Rules_Creation_Raw.json  
-        Path: \Tenant  
-        Description: Raw audit data for suspicious created rules.
     .EXAMPLE
         Get-HawkTenantAdminInboxRuleCreation
 
@@ -65,11 +62,6 @@ Function Get-HawkTenantAdminInboxRuleCreation {
         if ($NewInboxRules.Count -gt 0) {
             Out-LogFile ("Found " + $NewInboxRules.Count + " admin inbox rule changes in audit logs") -Information
 
-            # Write raw audit data with action flag
-            $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Creation_Raw.json"
-            Out-LogFile "Writing raw audit data to: $RawJsonPath" -Action
-            $NewInboxRules | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
             # Process and output the results
             $ParsedRules = $NewInboxRules | Get-SimpleUnifiedAuditLog
             if ($ParsedRules) {
@@ -89,11 +81,6 @@ Function Get-HawkTenantAdminInboxRuleCreation {
                     Out-LogFile "Writing suspicious rule creation data" -Action
                     $SuspiciousRules | Out-MultipleFileType -FilePrefix "_Investigate_Admin_Inbox_Rules_Creation" -csv -json -Notice
 
-                    # Write raw data for suspicious rules with action flag
-                    $RawSuspiciousPath = Join-Path -Path $TenantPath -ChildPath "Investigate_Admin_Inbox_Rules_Creation_Raw.json"
-                    Out-LogFile "Writing raw suspicious rule data to: $RawSuspiciousPath" -Action
-                    $SuspiciousRules | ConvertTo-Json -Depth 10 | Out-File -FilePath $RawSuspiciousPath
-
                     # Log details about why each rule was flagged
                     foreach ($rule in $SuspiciousRules) {
                         $reasons = @()

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleModification.ps1
@@ -32,9 +32,6 @@ Function Get-HawkTenantAdminInboxRuleModification {
         Path: \Tenant  
         Description: A subset of historically modified rules flagged as suspicious.
 
-        File: Investigate_Admin_Inbox_Rules_Modification_Raw.json  
-        Path: \Tenant  
-        Description: Raw audit data for suspicious rule modifications.
     .EXAMPLE
         Get-HawkTenantAdminInboxRuleModification
 
@@ -68,11 +65,6 @@ Function Get-HawkTenantAdminInboxRuleModification {
         if ($ModifiedInboxRules.Count -gt 0) {
             Out-LogFile ("Found " + $ModifiedInboxRules.Count + " admin inbox rule modifications in audit logs") -Information
 
-            # Write raw audit data with action flag
-            $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Modification_Raw.json"
-            Out-LogFile "Writing raw audit data to: $RawJsonPath" -Action
-            $ModifiedInboxRules | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
             # Process and output the results
             $ParsedRules = $ModifiedInboxRules | Get-SimpleUnifiedAuditLog
             if ($ParsedRules) {
@@ -92,11 +84,6 @@ Function Get-HawkTenantAdminInboxRuleModification {
                     Out-LogFile "Writing suspicious rule modification data" -Action
                     $SuspiciousModifications | Out-MultipleFileType -FilePrefix "_Investigate_Admin_Inbox_Rules_Modification" -csv -json -Notice
 
-                    # Write raw data for suspicious modifications with action flag
-                    $RawSuspiciousPath = Join-Path -Path $TenantPath -ChildPath "Investigate_Admin_Inbox_Rules_Modification_Raw.json"
-                    Out-LogFile "Writing raw suspicious modification data to: $RawSuspiciousPath" -Action
-                    $SuspiciousModifications | ConvertTo-Json -Depth 10 | Out-File -FilePath $RawSuspiciousPath
-
                     # Log details about why each modification was flagged
                     foreach ($rule in $SuspiciousModifications) {
                         $reasons = @()

diff --git a/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1 b/Hawk/functions/Tenant/Get-HawkTenantAdminInboxRuleRemoval.ps1
@@ -29,10 +29,6 @@ Function Get-HawkTenantAdminInboxRuleRemoval {
         Path: \Tenant  
         Description: A subset of historically removed rules flagged as suspicious.
 
-        File: Investigate_Admin_Inbox_Rules_Removal_Raw.json  
-        Path: \Tenant  
-        Description: Raw audit data for suspicious removed rules.
-
     .EXAMPLE
         Get-HawkTenantAdminInboxRuleRemoval
 
@@ -62,10 +58,6 @@ Function Get-HawkTenantAdminInboxRuleRemoval {
         if ($RemovedInboxRules.Count -gt 0) {
             Out-LogFile ("Found " + $RemovedInboxRules.Count + " admin inbox rule removals in audit logs") -Information
 
-            # Write raw audit data for reference
-            $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "Admin_Inbox_Rules_Removal_Raw.json"
-            $RemovedInboxRules | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
             # Process and output the results
             $ParsedRules = $RemovedInboxRules | Get-SimpleUnifiedAuditLog
             if ($ParsedRules) {
@@ -92,10 +84,6 @@ Function Get-HawkTenantAdminInboxRuleRemoval {
 
                     $SuspiciousRemovals | Out-MultipleFileType -FilePrefix "_Investigate_Admin_Inbox_Rules_Removal" -csv -json -Notice
 
-                    # Write raw data for suspicious rules
-                    $RawSuspiciousPath = Join-Path -Path $TenantPath -ChildPath "Investigate_Admin_Inbox_Rules_Removal_Raw.json"
-                    $SuspiciousRemovals | ConvertTo-Json -Depth 10 | Out-File -FilePath $RawSuspiciousPath
-
                     # Log details about why each removal was flagged
                     foreach ($rule in $SuspiciousRemovals) {
                         $reasons = @()

diff --git a/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1 b/Hawk/functions/Tenant/Get-HawkTenantRbacChange.ps1
@@ -30,10 +30,6 @@
         Path: \Tenant
         Description: Raw audit data in JSON format for detailed analysis
 
-        File: RBAC_Changes_Raw.json
-        Path: \Tenant
-        Description: Complete raw audit logs in JSON format
-
     .EXAMPLE
         Get-HawkTenantRBACChange
 
@@ -88,10 +84,6 @@
         if ($RBACChanges.Count -gt 0) {
             Out-LogFile ("Found " + $RBACChanges.Count + " changes made to Roles-Based Access Control") -Information
 
-            # Write raw audit data JSON for reference
-            $RawJsonPath = Join-Path -Path $TenantPath -ChildPath "RBAC_Changes_Raw.json"
-            $RBACChanges | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
             # Parse changes using Get-SimpleUnifiedAuditLog
             $ParsedChanges = $RBACChanges | Get-SimpleUnifiedAuditLog
 

diff --git a/Hawk/functions/User/Get-HawkUserAdminAudit.ps1 b/Hawk/functions/User/Get-HawkUserAdminAudit.ps1
@@ -20,14 +20,6 @@
         Path: \<user>
         Description: Raw data of all changes made to the user.
 
-        File: User_Changes_Raw.json
-        Path: \<user>
-        Description: Raw JSON data from audit logs.
-
-        File: User_Changes_Raw.txt
-        Path: \<user>
-        Description: Human readable format of raw audit data.
-
     .EXAMPLE
         Get-HawkUserAdminAudit -UserPrincipalName [email protected]
 
@@ -77,10 +69,6 @@
                     New-Item -Path $UserFolder -ItemType Directory -Force | Out-Null
                 }
 
-                # Write raw AuditData to files for verification/debugging
-                $RawJsonPath = Join-Path -Path $UserFolder -ChildPath "User_Changes_Raw.json"
-                $UserChanges | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
                 # Parse and format the changes using Get-SimpleUnifiedAuditLog
                 $ParsedChanges = $UserChanges | Get-SimpleUnifiedAuditLog
 

diff --git a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
@@ -37,10 +37,6 @@
         Path: \<User>
         Description: Raw item-level operations data in CSV and JSON formats
 
-        File: ExchangeItem_Raw.json
-        Path: \<User>
-        Description: Raw JSON dump of item operations audit data
-
         ExchangeItemGroup Records:
         File: ExchangeItemGroup_Simple_{User}.csv/.json
         Path: \<User>
@@ -50,10 +46,6 @@
         Path: \<User>
         Description: Raw access pattern data in CSV and JSON formats
 
-        File: ExchangeItemGroup_Raw.json
-        Path: \<User>
-        Description: Raw JSON dump of access pattern audit data
-
     .EXAMPLE
         Get-HawkUserMailboxAuditing -UserPrincipalName [email protected]
 
@@ -116,10 +108,6 @@
                 if ($itemLogs.Count -gt 0) {
                     Out-LogFile ("Found " + $itemLogs.Count + " ExchangeItem events.") -Information
 
-                    # Write raw JSON dump
-                    $RawJsonPath = Join-Path -Path $UserFolder -ChildPath "ExchangeItem_Raw.json"
-                    $itemLogs | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
                     # Process and output flattened data
                     $ParsedItemLogs = $itemLogs | Get-SimpleUnifiedAuditLog
                     if ($ParsedItemLogs) {
@@ -141,10 +129,6 @@
                 if ($groupLogs.Count -gt 0) {
                     Out-LogFile ("Found " + $groupLogs.Count + " ExchangeItemGroup events.") -Information
 
-                    # Write raw JSON dump
-                    $RawJsonPath = Join-Path -Path $UserFolder -ChildPath "ExchangeItemGroup_Raw.json"
-                    $groupLogs | Select-Object -ExpandProperty AuditData | Out-File -FilePath $RawJsonPath
-
                     # Process and output flattened data
                     $ParsedGroupLogs = $groupLogs | Get-SimpleUnifiedAuditLog
                     if ($ParsedGroupLogs) {

diff --git a/Hawk/internal/functions/Test-GraphConnection.ps1 b/Hawk/internal/functions/Test-GraphConnection.ps1
@@ -21,16 +21,7 @@ Function Test-GraphConnection {
     catch {
         # Fallback if $Hawk is not initialized
         if ($null -eq $Hawk) {
-            # If $Hawk is null, calling Out-LogFile would cause a circular dependency:
-            #   - Out-LogFile tries to init $Hawk
-            #   - init function calls Test-GraphConnection
-            #   - ... infinite loop
-            #
-            # Therefore, we replicate Out-LogFile’s date/time format and the [ACTION] tag
-            # here in a simple Write-Output statement. This ensures consistent-looking 
-            # log output without triggering the circular dependency when $Hawk is not yet initialized.
-            $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
-            Write-Output "[$timestamp] - [ACTION] - Connecting to MGGraph using MGGraph Module"
+            Write-Output "Connecting to MGGraph using MGGraph Module"
         }
         else {
             # $Hawk exists, so we can safely use Out-LogFile