How to Install the Hawk Module
To download and install Hawk, run the command Install-Module -Name Hawk from a Windows PowerShell session. The installation takes a few minutes because Hawk has several dependencies that are installed automatically. Be sure you’re running Windows PowerShell v5.1 and have access to a Global Tenant Administrator account for the Exchange Online and MSOnline tenant.
How to Audit the Tenant
Auditing the business’s Office 365 tenant begins with running the Hawk tenant investigation command, Start-HawkTenantInvestigation. This command scans the tenant and downloads the results to the local drive. When complete, it creates two files: investigate.txt and hawk.log. These files document email-forwarding rules, inbox rule changes and user role changes. Be sure to review these logs first to narrow your audit scope before auditing users.
How to Audit Individual Users
After reviewing tenant scans, admins can also scan the activity of a single user by running Start-HawkUserInvestigation -UserPrincipalName username@domain_name.com. This scan looks at user configurations, mailbox rules, forwarding rules, and folder and mailbox statistics. To make reviewing easier, the log and data are stored under a folder named for the user being scanned.
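The three steps above combined into one script, as an added example that is not from the Hawk project or the original page. The -OutputRoot parameter, the sample user list and the *investigate*.txt filename pattern are assumptions: Hawk is assumed to write its results under the folder you give it when it asks for an output location.

```powershell
# Added example: preflight check, Hawk run, and first-pass triage of the output.
# Save as a .ps1 file and run it from Windows PowerShell.
param(
    # Assumption: the same folder you give Hawk as its output location.
    [Parameter(Mandatory)]
    [string] $OutputRoot,

    # Constructed sample value; replace with the accounts you need to review.
    [string[]] $UsersToReview = @('username@domain_name.com')
)

$ErrorActionPreference = 'Stop'

# The page calls for Windows PowerShell 5.1 (the "Desktop" edition).
$v = $PSVersionTable.PSVersion
if ($PSVersionTable.PSEdition -ne 'Desktop' -or $v.Major -ne 5 -or $v.Minor -ne 1) {
    throw "Run this from Windows PowerShell 5.1 (found $($PSVersionTable.PSEdition) $v)."
}

# Install only when missing, so reruns do not re-download the dependencies.
if (-not (Get-Module -ListAvailable -Name Hawk)) {
    Install-Module -Name Hawk -Scope CurrentUser
}
Import-Module Hawk

# Tenant-wide pass first, so its findings can narrow the list of users.
Start-HawkTenantInvestigation

# Per-user pass for each account still in scope.
foreach ($upn in $UsersToReview) {
    Start-HawkUserInvestigation -UserPrincipalName $upn
}

# Triage: list every file of flagged findings, newest first, so the reviewer
# starts with the items Hawk marked for investigation.
Get-ChildItem -Path $OutputRoot -Recurse -File -Filter '*investigate*.txt' |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime
```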