
Feature: Update Get-HawkTenantUnifiedAuditLog

Open jonnybottles opened this issue 10 months ago • 1 comment

What Problem Would This Feature Solve?

Get-HawkTenantUnifiedAuditLog is currently non-functional and does not return results for the Unified Audit Log (UAL). This results in the following issues:

  • The function does not successfully retrieve UAL data, limiting its usefulness.
  • The output lacks the flattened/simplified data format that other Hawk functions provide.
  • Users cannot easily analyze the data in spreadsheet applications due to nested JSON structures.
  • The function isn't integrated into Start-HawkTenantInvestigation, meaning valuable authentication data is missing in standard tenant investigations.

Proposed Solution

  1. Fix Get-HawkTenantUnifiedAuditLog to successfully retrieve and process UAL data.
  2. Update Get-HawkTenantUnifiedAuditLog to use Get-SimpleUnifiedAuditLog for processing UAL data.
  3. Generate both simplified (flattened) and raw output files:
    • Simple_Audit_Log_Full_{date}.csv/.json
    • Audit_Log_Full_{date}.csv/.json
  4. Assess whether this function should be standalone or integrated into Start-HawkTenantInvestigation based on the timeline required to fix functionality.
  5. Maintain the existing 48-hour collection window with 15-minute intervals.

Technical Requirements

Modify Get-HawkTenantUnifiedAuditLog to:

  • Ensure the function properly retrieves UAL data.
  • Use Get-SimpleUnifiedAuditLog for UAL processing.
  • Generate both simple and raw output formats.
  • Maintain current pagination and interval handling.

Determine Function Placement:

  • If the fix takes an extended period, evaluate whether this function should remain a standalone tenant function or be integrated into Start-HawkTenantInvestigation.
  • If integrated, ensure proper sequencing within Start-HawkTenantInvestigation.
  • Handle appropriate error scenarios.
  • Provide progress updates during execution.

Acceptance Criteria

  • Get-HawkTenantUnifiedAuditLog successfully retrieves and processes UAL data.
  • The function generates both simplified and raw output files.
  • Simplified output successfully flattens nested UAL structures.
  • Function maintains current 15-minute interval collection capability.
  • If determined appropriate, the function is successfully integrated into Start-HawkTenantInvestigation.
  • All new output files follow Hawk naming conventions.
  • Error handling matches other Hawk tenant functions.
  • Function documentation updated to reflect changes.

jonnybottles avatar Feb 08 '25 20:02 jonnybottles
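Not part of the issue or of Hawk's code, an added sketch of the collection loop the proposal describes: a 48-hour window walked in 15-minute slices, per-slice paging of Search-UnifiedAuditLog, and both raw and flattened outputs under the proposed file names. It assumes a connected Exchange Online session; ConvertTo-FlatObject and Get-UalWindow are hypothetical names, and the flattener is a stand-in for Get-SimpleUnifiedAuditLog rather than Hawk's implementation.

```powershell
# Added example, not Hawk's own code. Assumes a connected Exchange Online session.
# ConvertTo-FlatObject is a hypothetical stand-in for Hawk's Get-SimpleUnifiedAuditLog.
function ConvertTo-FlatObject {
    # Recursively turn nested objects/arrays into dotted, index-suffixed keys in $Acc
    param($InputObject, [string]$Prefix = '', $Acc = [ordered]@{})
    foreach ($p in $InputObject.PSObject.Properties) {
        $key = if ($Prefix) { "$Prefix.$($p.Name)" } else { $p.Name }
        if ($p.Value -is [System.Management.Automation.PSCustomObject]) {
            $null = ConvertTo-FlatObject -InputObject $p.Value -Prefix $key -Acc $Acc
        } elseif ($p.Value -is [array]) {
            for ($i = 0; $i -lt $p.Value.Count; $i++) {
                if ($p.Value[$i] -is [System.Management.Automation.PSCustomObject]) {
                    $null = ConvertTo-FlatObject -InputObject $p.Value[$i] -Prefix "${key}[$i]" -Acc $Acc
                } else { $Acc["${key}[$i]"] = $p.Value[$i] }
            }
        } else { $Acc[$key] = $p.Value }
    }
    return $Acc
}

function Get-UalWindow {
    param([datetime]$EndDate = (Get-Date).ToUniversalTime(), [int]$Hours = 48,
          [int]$IntervalMinutes = 15, [string]$OutDir = '.')
    $start = $EndDate.AddHours(-$Hours)
    $raw = [System.Collections.Generic.List[object]]::new()
    $simple = [System.Collections.Generic.List[object]]::new()
    for ($t = $start; $t -lt $EndDate; $t = $t.AddMinutes($IntervalMinutes)) {
        $sliceEnd = $t.AddMinutes($IntervalMinutes)
        $session = [guid]::NewGuid().ToString()   # fresh paging session per slice
        Write-Progress -Activity 'Collecting UAL' -Status "$t to $sliceEnd" -PercentComplete ([int](100 * ($t - $start).TotalMinutes / ($Hours * 60)))
        do {
            $page = @(Search-UnifiedAuditLog -StartDate $t -EndDate $sliceEnd -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000)
            foreach ($rec in $page) {
                $raw.Add($rec)
                $row = [ordered]@{ CreationDate = $rec.CreationDate; RecordType = $rec.RecordType; Operations = $rec.Operations; UserIds = $rec.UserIds }
                $row = ConvertTo-FlatObject -InputObject ($rec.AuditData | ConvertFrom-Json) -Acc $row
                $simple.Add([pscustomobject]$row)
            }
        } while ($page.Count -eq 5000)   # a short page means the slice is exhausted
    }
    # Union of columns, so Export-Csv does not silently drop keys absent from the first row
    $cols = $simple | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
    $stamp = $EndDate.ToString('yyyyMMdd')
    $raw | Export-Csv (Join-Path $OutDir "Audit_Log_Full_$stamp.csv") -NoTypeInformation
    $raw | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $OutDir "Audit_Log_Full_$stamp.json")
    $simple | Select-Object $cols | Export-Csv (Join-Path $OutDir "Simple_Audit_Log_Full_$stamp.csv") -NoTypeInformation
    $simple | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $OutDir "Simple_Audit_Log_Full_$stamp.json")
    return $simple
}
```

The column-union step matters for the flattened file: UAL record types carry different AuditData fields, and Export-Csv otherwise keeps only the columns present on the first row.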

This function has been moved into the Hawk -> Internal -> WorkInProgress folder as it is not ready for release.

jonnybottles avatar Feb 09 '25 18:02 jonnybottles