Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Update Get-HawkTenantUnifiedAuditLog #263

Open
jonnybottles opened this issue Feb 8, 2025 · 1 comment
Open

Feature: Update Get-HawkTenantUnifiedAuditLog #263

jonnybottles opened this issue Feb 8, 2025 · 1 comment
Labels
status/backlog In backlog / validated type/feature New feature or request
Milestone
Phase 4: Non Caps...

Comments

@jonnybottles
Copy link
Collaborator

jonnybottles commented Feb 8, 2025
edited
Loading

What Problem Would This Feature Solve?

Get-HawkTenantUnifiedAuditLog is currently non-functional and does not return results for the Unified Audit Log (UAL). This results in the following issues:

  • The function does not successfully retrieve UAL data, limiting its usefulness.
  • The output lacks the flattened/simplified data format that other Hawk functions provide.
  • Users cannot easily analyze the data in spreadsheet applications due to nested JSON structures.
  • The function isn't integrated into Start-HawkTenantInvestigation, meaning valuable authentication data is missing in standard tenant investigations.

Proposed Solution

  1. Fix Get-HawkTenantUnifiedAuditLog to successfully retrieve and process UAL data.
  2. Update Get-HawkTenantUnifiedAuditLog to use Get-SimpleUnifiedAuditLog for processing UAL data.
  3. Generate both simplified (flattened) and raw output files:
    • Simple_Audit_Log_Full_{date}.csv/.json
    • Audit_Log_Full_{date}.csv/.json
  4. Assess whether this function should be standalone or integrated into Start-HawkTenantInvestigation based on the timeline required to fix functionality.
  5. Maintain the existing 48-hour collection window with 15-minute intervals.

Technical Requirements

Modify Get-HawkTenantUnifiedAuditLog to:

  • Ensure the function properly retrieves UAL data.
  • Use Get-SimpleUnifiedAuditLog for UAL processing.
  • Generate both simple and raw output formats.
  • Maintain current pagination and interval handling.

Determine Function Placement:

  • If the fix takes an extended period, evaluate whether this function should remain a standalone tenant function or be integrated into Start-HawkTenantInvestigation.
  • If integrated, ensure proper sequencing within Start-HawkTenantInvestigation.
  • Handle appropriate error scenarios.
  • Provide progress updates during execution.

Acceptance Criteria

  • Get-HawkTenantUnifiedAuditLog successfully retrieves and processes UAL data.
  • The function generates both simplified and raw output files.
  • Simplified output successfully flattens nested UAL structures.
  • Function maintains current 15-minute interval collection capability.
  • If determined appropriate, the function is successfully integrated into Start-HawkTenantInvestigation.
  • All new output files follow Hawk naming conventions.
  • Error handling matches other Hawk tenant functions.
  • Function documentation updated to reflect changes.
@jonnybottles jonnybottles added status/backlog In backlog / validated type/feature New feature or request labels Feb 8, 2025
@jonnybottles jonnybottles changed the title Feature: Update Get-HawkTenantAuthHistory Feature: Update Get-HawkTenantUnifiedAuditLog Feb 8, 2025
@jonnybottles
Copy link
Collaborator Author

This function has been moved into the Hawk-> Internal >WorkInProgress folder as it is not ready for release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status/backlog In backlog / validated type/feature New feature or request
Projects
None yet
Milestone
Phase 4: Non Capstone Project Feature...
Development

No branches or pull requests
1 participant
@jonnybottles