Development

.github/workflows/build.yml

@@ -1,8 +1,7 @@
 on:
-  push:
+  pull_request:
     branches:
       - master
-
 jobs:
   build:
     runs-on: windows-2019

.github/workflows/psscriptanalyzer.yml

@@ -0,0 +1,96 @@
+name: PSScriptAnalyzer
+on:
+  pull_request:
+    paths:
+      - "**.ps1"
+      - "**.psm1"
+      - "**.psd1"
+  push:
+    paths:
+      - "**.ps1"
+      - "**.psm1"
+      - "**.psd1"
+
+jobs:
+  analyze:
+    name: PSScriptAnalyzer
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required for getting changed files
+
+      - name: Get changed files
+        shell: pwsh
+        run: |
+          if ($env:GITHUB_EVENT_NAME -eq 'pull_request') {
+              $baseCommit = git rev-parse $env:GITHUB_EVENT.pull_request.base.sha
+              $headCommit = git rev-parse HEAD
+              $changedFiles = git diff --name-only $baseCommit..$headCommit
+          } else {
+              $changedFiles = git diff --name-only HEAD^1 HEAD
+          }
+
+          $powershellFiles = $changedFiles | Where-Object { 
+              $_ -match '\.(ps1|psm1|psd1)$' 
+          }
+
+          $powershellFiles | Out-File -FilePath $env:GITHUB_WORKSPACE/changed_files.txt
+          Write-Host "Changed PowerShell files:"
+          $powershellFiles | ForEach-Object { Write-Host "  $_" }
+
+      - name: Install PSScriptAnalyzer
+        shell: pwsh
+        run: |
+          Set-PSRepository PSGallery -InstallationPolicy Trusted
+          Install-Module PSScriptAnalyzer -Force
+
+      - name: Run PSScriptAnalyzer
+        shell: pwsh
+        run: |
+          $settingsPath = Join-Path $env:GITHUB_WORKSPACE 'Hawk' 'internal' 'configurations' 'PSScriptAnalyzerSettings.psd1'
+
+          Write-Output "Using settings file: $settingsPath"
+          if (-not (Test-Path $settingsPath)) {
+              Write-Error "PSScriptAnalyzer settings file not found at: $settingsPath"
+              exit 1
+          }
+
+          $changedFiles = Get-Content -Path "$env:GITHUB_WORKSPACE/changed_files.txt"
+          if (-not $changedFiles) {
+              Write-Output "No PowerShell files were changed"
+              $null > (Join-Path $env:GITHUB_WORKSPACE 'psscriptanalyzer-results.txt')
+              exit 0
+          }
+
+          $results = @()
+          foreach ($file in $changedFiles) {
+              $fullPath = Join-Path $env:GITHUB_WORKSPACE $file
+              if (Test-Path $fullPath) {
+                  Write-Output "Analyzing $fullPath"
+                  $fileResults = Invoke-ScriptAnalyzer -Path $fullPath -Settings $settingsPath
+                  if ($fileResults) {
+                      $results += $fileResults
+                  }
+              }
+          }
+
+          if ($results) {
+              Write-Output "Found $($results.Count) issues in changed files:"
+              $results | Format-Table -AutoSize | Out-String | Write-Output
+              $results | Format-Table -AutoSize | Out-File (Join-Path $env:GITHUB_WORKSPACE 'psscriptanalyzer-results.txt')
+              exit 1
+          } else {
+              Write-Output "No PSScriptAnalyzer issues found in changed files"
+              $null > (Join-Path $env:GITHUB_WORKSPACE 'psscriptanalyzer-results.txt')
+              exit 0
+          }
+
+      - name: Upload Results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: psscriptanalyzer-results
+          path: psscriptanalyzer-results.txt
+          if-no-files-found: warn

.github/workflows/validate.yml

@@ -1,4 +1,13 @@
-on: [pull_request]
+on:
+  pull_request:
+    branches:
+      - master
+      - Development
+  push:
+    branches:
+      - master
+      - Development
+      - bugfix/162-modernize-authentication-to-replace-azuread-with-microsoft-graph
 
 jobs:
   validate:

.gitignore

@@ -1,5 +1,4 @@
-
-# ignore the settings folder and files for VSCode and PSS
+# ignore the settings folder and files for VSCode and PSS
 .vscode/*
 *.psproj
 *TempPoint*
@@ -19,4 +18,11 @@ Hawk/Hawk.psproj
 TestResults/*
 
 # ignore the publishing Directory
-publish/*
+publish/*
+
+# Ignore all .csv, .json, .docx, and .xlsx files
+*.csv
+*.json
+*.docx
+*.doc
+*.xlsx

.pre-commit-config.yaml

@@ -0,0 +1,14 @@
+repos:
+  - repo: local
+    hooks:
+      - id: powershell-script-analyzer
+        name: PowerShell Script Analyzer
+        entry: pwsh
+        args:
+          - -NoProfile
+          - -ExecutionPolicy
+          - Bypass
+          - -File
+          - Hawk/internal/scripts/pre_commit_hook_scripts/Invoke-PowerShellScriptAnalyzer.ps1
+        language: system
+        types: [powershell]

Hawk/Hawk.psd1

@@ -1,40 +1,42 @@
 @{
 	# Script module or binary module file associated with this manifest
-	RootModule = 'Hawk.psm1'
+	RootModule         = 'Hawk.psm1'
 
 	# Version number of this module.
-	ModuleVersion = '3.1.0'
+	ModuleVersion      = '3.2.4'
 
 	# ID used to uniquely identify this module
-	GUID = '1f6b6b91-79c4-4edf-83a1-66d2dc8c3d85'
+	GUID               = '1f6b6b91-79c4-4edf-83a1-66d2dc8c3d85'
 
 	# Author of this module
-	Author = 'Paul Navarro'
+	Author             = 'Paul Navarro, Jonathan Butler'
 
 	# Company or vendor of this module
-	CompanyName = 'Cloud Forensicator'
+	CompanyName        = 'Cloud Forensicator'
 
 	# Copyright statement for this module
-	Copyright = 'Copyright (c) 2023 Paul Navarro'
+	Copyright          = 'Copyright (c) 2025 Paul Navarro'
 
 	# Description of the functionality provided by this module
-	Description = 'Microsoft 365 Incident Response and Threat Hunting PowerShell tool.
+	Description        = 'Microsoft 365 Incident Response and Threat Hunting PowerShell tool.
 	The Hawk is designed to ease the burden on M365 administrators who are performing Cloud forensic tasks for their organization.
 	It accelerates the gathering of data from multiple sources in the service that be used to quickly identify malicious presence and activity.'
 
 	# Minimum version of the Windows PowerShell engine required by this module
-	PowerShellVersion = '5.0'
+	PowerShellVersion  = '5.0'
 
 	# Modules that must be imported into the global environment prior to importing
 	# this module
-	RequiredModules = @(
-		@{ModuleName = 'PSFramework'; ModuleVersion = '1.4.150'},
-		@{ModuleName = 'PSAppInsights'; ModuleVersion = '0.9.6'},
-		@{ModuleName = 'ExchangeOnlineManagement'; ModuleVersion = '3.0.0'},
-		@{ModuleName = 'RobustCloudCommand'; ModuleVersion = '2.0.1'},
-		@{ModuleName = 'AzureAD'; ModuleVersion = '2.0.2.140'},
-		@{ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '1.23.0'},
-		@{ModuleName = 'Microsoft.Graph.Identity.DirectoryManagement'; ModuleVersion = '1.23.0'}
+	RequiredModules    = @(
+		@{ModuleName = 'PSFramework'; ModuleVersion = '1.12.346' },
+		@{ModuleName = 'PSAppInsights'; ModuleVersion = '0.9.6' },
+		@{ModuleName = 'ExchangeOnlineManagement'; ModuleVersion = '3.0.0' },
+		@{ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '2.25.0' },
+		@{ModuleName = 'Microsoft.Graph.Identity.DirectoryManagement'; ModuleVersion = '2.25.0' },
+		@{ModuleName = 'Microsoft.Graph.Users'; ModuleVersion = '2.25.0' },
+		@{ModuleName = 'Microsoft.Graph.Applications'; ModuleVersion = '2.25.0' },
+		@{ModuleName = 'Microsoft.Graph.Identity.Signins'; ModuleVersion = '2.25.0' },
+		@{ModuleName = 'Microsoft.Graph.Reports'; ModuleVersion = '2.25.0' }
 	)
 
 	# Assemblies that must be loaded prior to importing this module
@@ -47,40 +49,44 @@
 	# FormatsToProcess = @('xml\Hawk.Format.ps1xml')
 
 	# Functions to export from this module
-	FunctionsToExport =
-		'Get-HawkTenantConfiguration',
-		'Get-HawkTenantEDiscoveryConfiguration',
-		'Get-HawkTenantInboxRules',
-		'Get-HawkTenantConsentGrants',
-		'Get-HawkTenantRBACChanges',
-		'Get-HawkTenantAzureAuditLog',
-		'Get-HawkUserAuthHistory',
-		'Get-HawkUserConfiguration',
-		'Get-HawkUserEmailForwarding',
-		'Get-HawkUserInboxRule',
-		'Get-HawkUserMailboxAuditing',
-		'Initialize-HawkGlobalObject',
-		'Search-HawkTenantActivityByIP',
-		'Search-HawkTenantEXOAuditLog',
-		'Show-HawkHelp',
-		'Start-HawkTenantInvestigation',
-		'Start-HawkUserInvestigation',
-		'Update-HawkModule',
-		'Get-HawkUserAdminAudit',
-		'Get-HawkTenantAuthHistory',
-		'Get-HawkUserHiddenRule',
-		'Get-HawkMessageHeader',
-		'Get-HawkUserPWNCheck',
-		'Get-HawkUserAutoReply',
-		'Get-HawkUserMessageTrace',
-		'Get-HawkUserMobileDevice',
-		'Get-HawkTenantAZAdmins',
-		'Get-HawkTenantEXOAdmins',
-		'Get-HawkTenantMailItemsAccessed',
-		'Get-HawkTenantAppAndSPNCredentialDetails',
-		'Get-HawkTenantAzureADUsers',
-		'Get-HawkTenantDomainActivity',
-		'Get-HawkTenantEDiscoveryLogs'
+	FunctionsToExport  =
+	'Get-HawkTenantConfiguration',
+	'Get-HawkTenantEDiscoveryConfiguration',
+	'Get-HawkTenantInboxRule',
+	'Get-HawkTenantConsentGrant',
+	'Get-HawkTenantRBACChange',
+	'Get-HawkTenantAzureAppAuditLog',
+	'Get-HawkUserAuthHistory',
+	'Get-HawkUserConfiguration',
+	'Get-HawkUserEmailForwarding',
+	'Get-HawkUserInboxRule',
+	'Get-HawkUserMailboxAuditing',
+	'Search-HawkTenantActivityByIP',
+	'Get-HawkTenantAdminInboxRuleCreation',
+	'Get-HawkTenantAdminInboxRuleModification',
+	'Get-HawkTenantAdminInboxRuleRemoval',
+	'Get-HawkTenantAdminMailboxPermissionChange',
+	'Get-HawkTenantAdminEmailForwardingChange',
+	'Show-HawkHelp',
+	'Start-HawkTenantInvestigation',
+	'Start-HawkUserInvestigation',
+	'Update-HawkModule',
+	'Get-HawkUserAdminAudit',
+	'Get-HawkTenantAuditLog',
+	'Get-HawkTenantAuthHistory',
+	'Get-HawkUserHiddenRule',
+	'Get-HawkMessageHeader',
+	'Get-HawkUserPWNCheck',
+	'Get-HawkUserAutoReply',
+	'Get-HawkUserMessageTrace',
+	'Get-HawkUserMobileDevice',
+	'Get-HawkTenantEntraIDAdmin',
+	'Get-HawkTenantEXOAdmin',
+	'Get-HawkTenantMailItemsAccessed',
+	'Get-HawkTenantAppAndSPNCredentialDetail',
+	'Get-HawkTenantEntraIDUser',
+	'Get-HawkTenantDomainActivity',
+	'Get-HawkTenantEDiscoveryLog'
 
 	# Cmdlets to export from this module
 	# CmdletsToExport = ''
@@ -92,31 +98,31 @@
 	# AliasesToExport = ''
 
 	# List of all modules packaged with this module
-	ModuleList = @()
+	ModuleList         = @()
 
 	# List of all files packaged with this module
-	FileList = @()
+	FileList           = @()
 
 	# Private data to pass to the module specified in ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-	PrivateData = @{
+	PrivateData        = @{
 
 		#Support for PowerShellGet galleries.
 		PSData = @{
 
 			# Tags applied to this module. These help with module discovery in online galleries.
-			Tags = @("O365","Security","Audit","Breach","Investigation","Exchange","EXO","Compliance","Logon","M365","Incident-Response","Solarigate")
+			Tags         = @("O365", "Security", "Audit", "Breach", "Investigation", "Exchange", "EXO", "Compliance", "Logon", "M365", "Incident-Response", "Solarigate")
 
 			# A URL to the license for this module.
-			LicenseUri = 'https://github.com/T0pCyber/Hawk/LICENSE'
+			LicenseUri   = 'https://github.com/T0pCyber/hawk/blob/master/LICENSE'
 
 			# A URL to the main website for this project.
-			ProjectUri = 'https://github.com/T0pCyber/Hawk'
+			ProjectUri   = 'https://github.com/T0pCyber/Hawk'
 
 			# A URL to an icon representing this module.
-			 IconUri = 'https://i.ibb.co/XXH4500/Hawk.png'
+			IconUri      = 'https://i.ibb.co/XXH4500/Hawk.png'
 
 			# ReleaseNotes of this module
-			ReleaseNotes = 'https://github.com/T0pCyber/Hawk/Hawk/changelog.md'
+			ReleaseNotes = 'https://github.com/T0pCyber/hawk/blob/master/Hawk/changelog.md'
 
 		} # End of PSData hashtable