Mar 20, 2021

T0pCyber / Hawk

Hawk is an open-source, PowerShell-driven, community-developed tool network defenders can use to quickly and easily gather data from O365 and Azure for security investigations. Incident responders and network defenders can investigate specific user principals or the entire tenant. Data it provides include IP addresses and sign-in data. Additionally, Hawk can track IP usage for concurrent login situations.

Hawk users can review login details for administrator accounts and take the following steps.

  1. Investigate high-value administrative accounts to detect anomalous activity.
  2. Enable PowerShell logging.
  3. Look for users with unusual sign-in locations, dates, and times.
  4. Check permissions of service principals and applications in M365/Azure AD.
  5. Detect the frequency of resource access from unusual places.
  6. Review mailbox rules and recent mailbox rule changes.
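The concurrent-login check mentioned above (one account signing in from two different places within a short window), written as an added PowerShell example; this is not Hawk's own code, and it assumes constructed sign-in records carrying UserPrincipalName, CreationTime, ClientIP and Country fields rather than Hawk's actual output format.

```powershell
# Added example, not part of Hawk. Flags accounts whose consecutive sign-ins
# come from different countries within a short window, the "concurrent login"
# situation an investigator wants surfaced for closer review.
# The records below are constructed sample data (documentation IP ranges).
$signIns = @(
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example'; CreationTime = [datetime]'2021-03-19T08:00:00Z'; ClientIP = '203.0.113.10'; Country = 'US' }
    [pscustomobject]@{ UserPrincipalName = 'admin@contoso.example'; CreationTime = [datetime]'2021-03-19T08:25:00Z'; ClientIP = '198.51.100.7'; Country = 'DE' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreationTime = [datetime]'2021-03-19T09:00:00Z'; ClientIP = '203.0.113.10'; Country = 'US' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreationTime = [datetime]'2021-03-19T17:00:00Z'; ClientIP = '203.0.113.11'; Country = 'US' }
)

function Find-ConcurrentSignIn {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowMinutes = 60   # assumed threshold; tune to the tenant's travel patterns
    )
    $findings = @()
    foreach ($group in ($Records | Group-Object UserPrincipalName)) {
        # Wrap in @() so a single-record user still behaves as an array.
        $sorted = @($group.Group | Sort-Object CreationTime)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $prev = $sorted[$i - 1]
            $cur  = $sorted[$i]
            $gap  = ($cur.CreationTime - $prev.CreationTime).TotalMinutes
            # Same user, different source country, inside the window: not plausible travel.
            if ($gap -le $WindowMinutes -and $cur.Country -ne $prev.Country) {
                $findings += [pscustomobject]@{
                    UserPrincipalName = $group.Name
                    FirstIP           = $prev.ClientIP
                    FirstCountry      = $prev.Country
                    SecondIP          = $cur.ClientIP
                    SecondCountry     = $cur.Country
                    MinutesApart      = [math]::Round($gap, 1)
                }
            }
        }
    }
    return $findings
}

# With the sample data only admin@contoso.example is flagged (US then DE, 25 minutes apart).
Find-ConcurrentSignIn -Records $signIns | Format-Table -AutoSize
```

The same comparison can be run on source IP instead of country to catch a switch between networks inside one country; a hit is a lead for the steps above (check sign-in locations, service principal permissions and mailbox rules), not proof of compromise on its own.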

Links: