May 18 2020

How to Investigate Office 365 Audit Logs for Suspicious Activity

The Hawk module is useful for gathering and reviewing logs from multiple locations.

Is there some potentially nefarious activity going on in your Office 365 tenant? A free module called Hawk can help system administrators find out. Hawk gathers logs from multiple locations on a business’s Office 365 tenant and puts them in a single location for easy sleuthing. Here are some tips for success with the module.

Know What the Hawk Module Commands Are

The Hawk module cmdlets are split into two main categories: tenant-based cmdlets and user-based cmdlets. The former gathers auditing data, such as user forwarding rules and mailbox permissions, for all users in an Office 365 tenant. The latter focuses on the data of an individual user account. Both kinds of command call the appropriate underlying cmdlets and begin gathering the data.

How to Install the Hawk Module

To download and install Hawk, run the command Install-Module -Name Hawk from a Windows PowerShell session. The installation takes a few minutes, as Hawk has several dependencies that are installed automatically. Be sure you're running Windows PowerShell v5.1 and have access to a Global Tenant Administrator account for the Exchange Online and MSOnline tenant.

How to Audit the Tenant

Auditing the business’s Office 365 tenant begins with running the Hawk tenant investigation command, Start-HawkTenantInvestigation. This command scans the tenant and downloads the results to the local drive. When complete, it creates two files: investigate.txt and hawk.log. These files document email-forwarding rules, inbox rule changes and user role changes. Be sure to review these logs first to narrow your audit scope before auditing users.

How to Audit Individual Users

After reviewing the tenant scans, admins can also scan the activity of a single user by running Start-HawkUserInvestigation -UserPrincipalName username@domain_name.com. This scan looks at user configurations, mailbox rules, forwarding rules, and folder and mailbox statistics. To make review easier, the log and data are stored under a folder named for the user being scanned.
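The three steps above (install, tenant scan, per-user scans) as one PowerShell script. This is an added example, not code from the article or from the Hawk project; the user list in $Users is a constructed placeholder that you would replace with the accounts your tenant review flagged.

```powershell
#Requires -Version 5.1
# Added example: runs the article's workflow end to end in Windows PowerShell 5.1.
# Hawk prompts for the Global Tenant Administrator credentials when it first connects.

# Step 1: install Hawk (and its dependencies) only if it is not already available.
if (-not (Get-Module -ListAvailable -Name Hawk)) {
    Install-Module -Name Hawk -Scope CurrentUser
}
Import-Module -Name Hawk

# Step 2: tenant-wide scan. Review investigate.txt and hawk.log from this run
# before deciding which individual accounts deserve a closer look.
Start-HawkTenantInvestigation

# Step 3: per-user scans. Constructed placeholder list; replace with the UPNs
# that the tenant review (forwarding rules, inbox rule changes, role changes) flagged.
$Users = @(
    'first.user@domain_name.com',
    'second.user@domain_name.com'
)

foreach ($upn in $Users) {
    Write-Host "Running Hawk user investigation for $upn"
    # Output for each account lands in a folder named for that user.
    Start-HawkUserInvestigation -UserPrincipalName $upn
}
```

Run the tenant step on its own first if you prefer to read its output before committing to a user list; the user loop can be re-run with a revised $Users at any time.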
