Update .gitignore and enhance PowerShell Script Analyzer settings.

Hawk/Hawk.psd1

@@ -1,130 +1,130 @@
-@{
-	# Script module or binary module file associated with this manifest
-	RootModule         = 'Hawk.psm1'
-
-	# Version number of this module.
-	ModuleVersion      = '4.0'
-
-	# ID used to uniquely identify this module
-	GUID               = '1f6b6b91-79c4-4edf-83a1-66d2dc8c3d85'
-
-	# Author of this module
-	Author             = 'Paul Navarro, Jonathan Butler, Lorenzo Ireland, Julius Perez'
-
-	# Company or vendor of this module
-	CompanyName        = 'Hawk Forensics'
-
-	# Copyright statement for this module
-	Copyright          = 'Copyright (c) 2025 Paul Navarro'
-
-	# Description of the functionality provided by this module
-	Description        = 'A free, open-source forensics PowerShell module for conducting incident response and threat hunting of Microsoft Cloud environments. Hawk streamlines the collection of forensic data from Microsoft 365 and Entra ID environments to help security professionals, incident responders, and administrators quickly gather critical log data and identify potential security concerns. While it includes basic analysis capabilities to flag items of interest, it focuses on efficient data collection rather than automated detection.'
-
-	# Minimum version of the Windows PowerShell engine required by this module
-	PowerShellVersion  = '5.0'
-
-	# Modules that must be imported into the global environment prior to importing
-	# this module
-	RequiredModules    = @(
-		@{ModuleName = 'PSFramework'; ModuleVersion = '1.12.346' },
-		@{ModuleName = 'PSAppInsights'; ModuleVersion = '0.9.6' },
-		@{ModuleName = 'ExchangeOnlineManagement'; ModuleVersion = '3.0.0' },
-		@{ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '2.25.0' },
-		@{ModuleName = 'Microsoft.Graph.Identity.DirectoryManagement'; ModuleVersion = '2.25.0' },
-		@{ModuleName = 'Microsoft.Graph.Users'; ModuleVersion = '2.25.0' },
-		@{ModuleName = 'Microsoft.Graph.Applications'; ModuleVersion = '2.25.0' },
-		@{ModuleName = 'Microsoft.Graph.Identity.Signins'; ModuleVersion = '2.25.0' },
-		@{ModuleName = 'Microsoft.Graph.Reports'; ModuleVersion = '2.25.0' }
-	)
-
-	# Assemblies that must be loaded prior to importing this module
-	RequiredAssemblies = @('bin\System.Net.IPNetwork.dll')
-
-	# Type files (.ps1xml) to be loaded when importing this module
-	# TypesToProcess = @('xml\Hawk.Types.ps1xml')
-
-	# Format files (.ps1xml) to be loaded when importing this module
-	# FormatsToProcess = @('xml\Hawk.Format.ps1xml')
-
-	# Functions to export from this module
-	FunctionsToExport  =
-	'Get-HawkTenantConfiguration',
-	'Get-HawkTenantEDiscoveryConfiguration',
-	'Get-HawkTenantConsentGrant',
-	'Get-HawkTenantRBACChange',
-	'Get-HawkTenantEntraIDAppAuditLog',
-	'Get-HawkUserUALSignInLog',
-	'Get-HawkUserConfiguration',
-	'Get-HawkUserEmailForwarding',
-	'Get-HawkUserInboxRule',
-	'Get-HawkUserMailboxAuditing',
-	'Search-HawkTenantActivityByIP',
-	'Get-HawkTenantAdminInboxRuleCreation',
-	'Get-HawkTenantAdminInboxRuleModification',
-	'Get-HawkTenantAdminInboxRuleRemoval',
-	'Get-HawkTenantAdminMailboxPermissionChange',
-	'Get-HawkTenantAdminEmailForwardingChange',
-	'Show-HawkHelp',
-	'Start-HawkTenantInvestigation',
-	'Start-HawkUserInvestigation',
-	'Update-HawkModule',
-	'Get-HawkUserAdminAudit',
-	'Get-HawkMessageHeader',
-	'Get-HawkUserPWNCheck',
-	'Get-HawkUserAutoReply',
-	'Get-HawkUserMessageTrace',
-	'Get-HawkUserMobileDevice',
-	'Get-HawkTenantEntraIDAdmin',
-	'Get-HawkTenantEXOAdmin',
-	'Get-HawkUserMailItemsAccessed',
-	'Get-HawkUserExchangeSearchQuery',
-	'Get-HawkUserMailSendActivity',
-	'Get-HawkTenantAppAndSPNCredentialDetail',
-	'Get-HawkTenantEntraIDUser',
-	'Get-HawkTenantDomainActivity',
-	'Get-HawkTenantEDiscoveryLog',
-	'Get-HawkUserSharePointSearchQuery',
-	'Get-HawkUserEntraIDSignInLog',
-	'Get-HawkTenantEntraIDAuditLog',
-	'Get-HawkTenantRiskyUsers',
-	'Get-HawkTenantRiskDetections'
-	# Cmdlets to export from this module
-	# CmdletsToExport = ''
-
-	# Variables to export from this module
-	# VariablesToExport = ''
-
-	# Aliases to export from this module
-	# AliasesToExport = ''
-
-	# List of all modules packaged with this module
-	ModuleList         = @()
-
-	# List of all files packaged with this module
-	FileList           = @()
-
-	# Private data to pass to the module specified in ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
-	PrivateData        = @{
-
-		#Support for PowerShellGet galleries.
-		PSData = @{
-
-			# Tags applied to this module. These help with module discovery in online galleries.
-			Tags         = @("O365", "Security", "Audit", "Breach", "Investigation", "Exchange", "EXO", "Compliance", "Logon", "M365", "Incident-Response", "Solarigate", "EntraID", "Entra", "Osprey", "Azure", "Forensics", "Office365", "IncidentResponse")
-
-			# A URL to the license for this module.
-			LicenseUri   = 'https://github.com/T0pCyber/hawk/blob/master/LICENSE'
-
-			# A URL to the main website for this project.
-			ProjectUri   = 'https://github.com/T0pCyber/Hawk'
-
-			# A URL to an icon representing this module.
-			IconUri      = 'https://i.ibb.co/XXH4500/Hawk.png'
-
-			# ReleaseNotes of this module
-			ReleaseNotes = 'https://github.com/T0pCyber/hawk/blob/master/Hawk/changelog.md'
-
-		} # End of PSData hashtable
-
-	} # End of PrivateData hashtable
+@{
+    # Script module or binary module file associated with this manifest
+    RootModule = 'Hawk.psm1'
+
+    # Version number of this module.
+    ModuleVersion = '4.0'
+
+    # ID used to uniquely identify this module
+    GUID = '1f6b6b91-79c4-4edf-83a1-66d2dc8c3d85'
+
+    # Author of this module
+    Author = 'Paul Navarro, Jonathan Butler, Lorenzo Ireland, Julius Perez'
+
+    # Company or vendor of this module
+    CompanyName = 'Hawk Forensics'
+
+    # Copyright statement for this module
+    Copyright = 'Copyright (c) 2025 Paul Navarro'
+
+    # Description of the functionality provided by this module
+    Description = 'A free, open-source forensics PowerShell module for conducting incident response and threat hunting of Microsoft Cloud environments. Hawk streamlines the collection of forensic data from Microsoft 365 and Entra ID environments to help security professionals, incident responders, and administrators quickly gather critical log data and identify potential security concerns. While it includes basic analysis capabilities to flag items of interest, it focuses on efficient data collection rather than automated detection.'
+
+    # Minimum version of the Windows PowerShell engine required by this module
+    PowerShellVersion = '5.0'
+
+    # Modules that must be imported into the global environment prior to importing
+    # this module
+    RequiredModules = @(
+        @{ModuleName = 'PSFramework'; ModuleVersion = '1.12.346' },
+        @{ModuleName = 'PSAppInsights'; ModuleVersion = '0.9.6' },
+        @{ModuleName = 'ExchangeOnlineManagement'; ModuleVersion = '3.0.0' },
+        @{ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '2.25.0' },
+        @{ModuleName = 'Microsoft.Graph.Identity.DirectoryManagement'; ModuleVersion = '2.25.0' },
+        @{ModuleName = 'Microsoft.Graph.Users'; ModuleVersion = '2.25.0' },
+        @{ModuleName = 'Microsoft.Graph.Applications'; ModuleVersion = '2.25.0' },
+        @{ModuleName = 'Microsoft.Graph.Identity.Signins'; ModuleVersion = '2.25.0' },
+        @{ModuleName = 'Microsoft.Graph.Reports'; ModuleVersion = '2.25.0' }
+    )
+
+    # Assemblies that must be loaded prior to importing this module
+    RequiredAssemblies = @('bin\System.Net.IPNetwork.dll')
+
+    # Type files (.ps1xml) to be loaded when importing this module
+    # TypesToProcess = @('xml\Hawk.Types.ps1xml')
+
+    # Format files (.ps1xml) to be loaded when importing this module
+    # FormatsToProcess = @('xml\Hawk.Format.ps1xml')
+
+    # Functions to export from this module
+    FunctionsToExport =
+    'Get-HawkTenantConfiguration',
+    'Get-HawkTenantEDiscoveryConfiguration',
+    'Get-HawkTenantConsentGrant',
+    'Get-HawkTenantRBACChange',
+    'Get-HawkTenantEntraIDAppAuditLog',
+    'Get-HawkUserUALSignInLog',
+    'Get-HawkUserConfiguration',
+    'Get-HawkUserEmailForwarding',
+    'Get-HawkUserInboxRule',
+    'Get-HawkUserMailboxAuditing',
+    'Search-HawkTenantActivityByIP',
+    'Get-HawkTenantAdminInboxRuleCreation',
+    'Get-HawkTenantAdminInboxRuleModification',
+    'Get-HawkTenantAdminInboxRuleRemoval',
+    'Get-HawkTenantAdminMailboxPermissionChange',
+    'Get-HawkTenantAdminEmailForwardingChange',
+    'Show-HawkHelp',
+    'Start-HawkTenantInvestigation',
+    'Start-HawkUserInvestigation',
+    'Update-HawkModule',
+    'Get-HawkUserAdminAudit',
+    'Get-HawkMessageHeader',
+    'Get-HawkUserPWNCheck',
+    'Get-HawkUserAutoReply',
+    'Get-HawkUserMessageTrace',
+    'Get-HawkUserMobileDevice',
+    'Get-HawkTenantEntraIDAdmin',
+    'Get-HawkTenantEXOAdmin',
+    'Get-HawkUserMailItemsAccessed',
+    'Get-HawkUserExchangeSearchQuery',
+    'Get-HawkUserMailSendActivity',
+    'Get-HawkTenantAppAndSPNCredentialDetail',
+    'Get-HawkTenantEntraIDUser',
+    'Get-HawkTenantDomainActivity',
+    'Get-HawkTenantEDiscoveryLog',
+    'Get-HawkUserSharePointSearchQuery',
+    'Get-HawkUserEntraIDSignInLog',
+    'Get-HawkTenantEntraIDAuditLog',
+    'Get-HawkTenantRiskyUsers',
+    'Get-HawkTenantRiskDetections'
+    # Cmdlets to export from this module
+    # CmdletsToExport = ''
+
+    # Variables to export from this module
+    # VariablesToExport = ''
+
+    # Aliases to export from this module
+    # AliasesToExport = ''
+
+    # List of all modules packaged with this module
+    ModuleList = @()
+
+    # List of all files packaged with this module
+    FileList = @()
+
+    # Private data to pass to the module specified in ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+    PrivateData = @{
+
+        #Support for PowerShellGet galleries.
+        PSData = @{
+
+            # Tags applied to this module. These help with module discovery in online galleries.
+            Tags = @("O365", "Security", "Audit", "Breach", "Investigation", "Exchange", "EXO", "Compliance", "Logon", "M365", "Incident-Response", "Solarigate", "EntraID", "Entra", "Osprey", "Azure", "Forensics", "Office365", "IncidentResponse")
+
+            # A URL to the license for this module.
+            LicenseUri = 'https://github.com/T0pCyber/hawk/blob/master/LICENSE'
+
+            # A URL to the main website for this project.
+            ProjectUri = 'https://github.com/T0pCyber/Hawk'
+
+            # A URL to an icon representing this module.
+            IconUri = 'https://i.ibb.co/XXH4500/Hawk.png'
+
+            # ReleaseNotes of this module
+            ReleaseNotes = 'https://github.com/T0pCyber/hawk/blob/master/Hawk/changelog.md'
+
+        } # End of PSData hashtable
+
+    } # End of PrivateData hashtable
 }

Hawk/Hawk.psm1

@@ -21,7 +21,7 @@ if ("<was not compiled>" -eq '<was not compiled>') { $importIndividualFiles = $t
 
 function Import-ModuleFile
 {
-	<#
+    <#
 		.SYNOPSIS
 			Loads files into the module on module import.
 
@@ -39,44 +39,46 @@ function Import-ModuleFile
 
 			Imports the file stored in $function according to import policy
 	#>
-	[CmdletBinding()]
-	Param (
-		[string]
-		$Path
-	)
-
-	$resolvedPath = $ExecutionContext.SessionState.Path.GetResolvedPSPathFromPSPath($Path).ProviderPath
-	if ($doDotSource) { . $resolvedPath }
-	else { $ExecutionContext.InvokeCommand.InvokeScript($false, ([scriptblock]::Create([io.file]::ReadAllText($resolvedPath))), $null, $null) }
+    [CmdletBinding()]
+    Param (
+        [string]
+        $Path
+    )
+
+    $resolvedPath = $ExecutionContext.SessionState.Path.GetResolvedPSPathFromPSPath($Path).ProviderPath
+    if ($doDotSource) { . $resolvedPath }
+    else { $ExecutionContext.InvokeCommand.InvokeScript($false, ([scriptblock]::Create([io.file]::ReadAllText($resolvedPath))), $null, $null) }
 }
 
 #region Load individual files
 if ($importIndividualFiles)
 {
-	# Execute Preimport actions
-	foreach ($path in (& "$ModuleRoot\internal\scripts\preimport.ps1")) {
-		. Import-ModuleFile -Path $path
-	}
-
-	# Import all internal functions
-	foreach ($function in (Get-ChildItem "$ModuleRoot\internal\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
-	{
-		. Import-ModuleFile -Path $function.FullName
-	}
-
-	# Import all public functions
-	foreach ($function in (Get-ChildItem "$ModuleRoot\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
-	{
-		. Import-ModuleFile -Path $function.FullName
-	}
-
-	# Execute Postimport actions
-	foreach ($path in (& "$ModuleRoot\internal\scripts\postimport.ps1")) {
-		. Import-ModuleFile -Path $path
-	}
-
-	# End it here, do not load compiled code below
-	return
+    # Execute Preimport actions
+    foreach ($path in (& "$ModuleRoot\internal\scripts\preimport.ps1"))
+    {
+        . Import-ModuleFile -Path $path
+    }
+
+    # Import all internal functions
+    foreach ($function in (Get-ChildItem "$ModuleRoot\internal\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
+    {
+        . Import-ModuleFile -Path $function.FullName
+    }
+
+    # Import all public functions
+    foreach ($function in (Get-ChildItem "$ModuleRoot\functions" -Filter "*.ps1" -Recurse -ErrorAction Ignore))
+    {
+        . Import-ModuleFile -Path $function.FullName
+    }
+
+    # Execute Postimport actions
+    foreach ($path in (& "$ModuleRoot\internal\scripts\postimport.ps1"))
+    {
+        . Import-ModuleFile -Path $path
+    }
+
+    # End it here, do not load compiled code below
+    return
 }
 #endregion Load individual files
 

Hawk/en-us/strings.psd1

@@ -1,5 +1,5 @@
 # This is where the strings go, that are written by
 # Write-PSFMessage, Stop-PSFFunction or the PSFramework validation scriptblocks
 @{
-	'key' = 'Value'
+    'key' = 'Value'
 }

Hawk/functions/General/Show-HawkHelp.ps1

@@ -13,7 +13,8 @@
 .NOTES
     General notes
 #>
-Function Show-HawkHelp {
+Function Show-HawkHelp
+{
 
     Out-LogFile "Creating Hawk Help File"