The Hawk module is designed to ease the burden on O365 administrators performing a forensic investigation of their organization's tenant.
It does NOT replace a human reviewing the data it generates; it is simply there to make data gathering easier.
The module's source is hosted on GitHub.
Hawk is divided into two primary groups of cmdlets: user-based cmdlets and tenant-based cmdlets.
User-based cmdlets take the form Verb-HawkUser. They all expect a -User parameter naming the account to investigate and retrieve information specific to that user. Tenant-based cmdlets take the form Verb-HawkTenant. They need no parameters and return information about the whole tenant.
A good starting place is Start-HawkTenantInvestigation. It runs all the tenant-based cmdlets and produces a collection of data to start from. Once that data has been reviewed, if there are specific users who warrant a closer look, Start-HawkUserInvestigation gathers all the user-specific information for a single user.
All Hawk cmdlets include help that describes the data they gather and lists every file they can write. Run Get-Help <cmdlet name> -Full to see the full help for a given Hawk cmdlet.
Some Hawk cmdlets flag results that should be reviewed further. These appear in _Investigate files. Flagged entries are NOT, by themselves, indicative of unwanted activity; they are simply items that should be reviewed by a person.
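The workflow described above (enumerate the two cmdlet families, capture their help, sweep the tenant, drill into selected users, then triage the _Investigate files) as a PowerShell script. This is an added example, not code from the Hawk project. It assumes the module imports as "Hawk", that the user cmdlets accept -UserPrincipalName (the page only says "-user"; check Get-Help on your installed version), and that $HawkOutput matches the output folder you gave Hawk when it first prompted for one. The user list and output path are placeholders.

```powershell
# Added example for this page; not part of the Hawk module itself.
# ASSUMPTIONS (not stated on the page): the module is importable as "Hawk",
# user cmdlets take -UserPrincipalName, and $HawkOutput is the folder Hawk was
# told to write to. Verify both against Get-Help on your installed version.
param(
    # Fill this in only AFTER reviewing the tenant-wide output; the page's advice
    # is tenant sweep first, then per-user collection for the accounts that stand out.
    [string[]]$UsersOfInterest = @('alice@contoso.com'),        # placeholder
    [string]$HawkOutput = "$env:USERPROFILE\Desktop\Hawk"       # placeholder, see assumptions
)

Import-Module Hawk -ErrorAction Stop
New-Item -ItemType Directory -Path $HawkOutput -Force | Out-Null

# 1. Discover the two cmdlet families purely from the Verb-HawkUser / Verb-HawkTenant
#    naming convention, so the script keeps working when a new cmdlet is added.
$userCmdlets   = Get-Command -Module Hawk -Noun 'HawkUser*'
$tenantCmdlets = Get-Command -Module Hawk -Noun 'HawkTenant*'
Write-Host "User cmdlets:   $($userCmdlets.Name   -join ', ')"
Write-Host "Tenant cmdlets: $($tenantCmdlets.Name -join ', ')"

# 2. Save each cmdlet's full help next to the evidence. The help lists every
#    output file the cmdlet can produce, which is what you check the evidence
#    set against afterwards to spot a collection that silently failed.
foreach ($c in @($tenantCmdlets) + @($userCmdlets)) {
    Get-Help $c.Name -Full |
        Out-File -FilePath (Join-Path $HawkOutput "help_$($c.Name).txt") -Encoding utf8
}

# 3. Tenant-wide sweep first (runs every tenant-based cmdlet).
Start-HawkTenantInvestigation

# 4. Per-user collection, only for the accounts the tenant review pointed at.
foreach ($upn in $UsersOfInterest) {
    Start-HawkUserInvestigation -UserPrincipalName $upn   # parameter name assumed
}

# 5. Triage: list every *_Investigate* file Hawk wrote and how many rows each holds.
#    A flagged row is a lead for a human to read, not a finding; an empty file is
#    still worth recording because it shows the check ran and found nothing.
Get-ChildItem -Path $HawkOutput -Recurse -File -Filter '*_Investigate*' |
    ForEach-Object {
        $rows = if ($_.Extension -eq '.csv') { @(Import-Csv -Path $_.FullName).Count } else { $null }
        [pscustomobject]@{
            File    = $_.FullName
            Rows    = $rows
            Written = $_.LastWriteTime
        }
    } |
    Sort-Object -Property Rows -Descending |
    Format-Table -AutoSize
```

Run it from a PowerShell session that already has the Hawk prerequisites installed; Hawk itself prompts for the service connections and output settings it needs. Keep the help captures and the _Investigate listing with the rest of the evidence: together they document what was collected, what each cmdlet could have produced, and which flags a person still has to review.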