Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CF-4: Multi-Domain Investigations #186

Open
jonnybottles opened this issue Dec 12, 2024 · 0 comments
Open

CF-4: Multi-Domain Investigations #186

jonnybottles opened this issue Dec 12, 2024 · 0 comments
Assignees
@jonnybottles
Labels
status/backlog In backlog / validated type/feature New feature or request type/gaant Used for Gaant Visualization
Milestone
Sprint 2: Capabil...

Comments

@jonnybottles
Copy link
Collaborator

jonnybottles commented Dec 12, 2024
edited
Loading

What problem would this feature solve?

Currently, when running Hawk in a multi-domain environment, investigations automatically target the default domain without allowing users to select which domain to investigate. This limits the tool's utility in multi-domain environments and makes it difficult to conduct targeted investigations for specific domains.

Proposed Solution

When starting an investigation using either Start-HawkUserInvestigation or Start-HawkTenantInvestigation, if multiple domains are detected, present an interactive menu allowing users to select which domain to investigate. The selected domain will be used for the investigation scope and output folder naming.

⚙️ Developer Section (For Hawk Team Members Only)

Technical Requirements

Domain Enumeration:

  • Use Get-MgDomain to retrieve a list of all available domains in the tenant.
  • Filter for verified domains only.
  • Sort domains alphabetically for display.

Interactive Selection:

  • Display a numbered list of available domains.
  • Clearly indicate which domain is the default domain.
  • Allow single domain selection only.
  • Validate user input to ensure a valid selection.
  • Handle cancel/exit actions gracefully.

Folder Naming:

  • Update the output folder naming convention to:
    Hawk_[domain_name]_YYYYMMDD_HHMM
  • Remove special characters from the domain name for folder name compatibility.
  • Handle potential naming collisions.
  • Ensure the folder name is valid across operating systems.

Domain Usage:

  • Pass the selected domain to appropriate investigation functions.
  • Ensure domain selection persists only for the current investigation.
  • Clear the domain selection after the investigation completes.

Implementation Approach

  1. Create New Function: Get-HawkDomainSelection

    • Use the Microsoft Graph API to retrieve domains.
    • Format and display the domain list in a numbered format.
    • Handle user input and validate the selection.
    • Return the selected domain.

  2. Modify Initialize-HawkGlobalObject:

    • Add a domain selection call before the output folder creation process.
    • Update folder naming logic to include the selected domain.
    • Add a Domain property to the Hawk global object.
    • Ensure domain selection doesn't persist across multiple runs.

  3. Integration Points:

    • Add domain selection after authentication but before the investigation starts.
    • Handle errors gracefully without breaking existing functionality.
    • Ensure proper cleanup of the domain selection to avoid persistence issues.

  4. Skip Domain Selection If:

    • Only one domain exists in the tenant.
    • A domain is specified via command line (handled by the UI-1 ticket).

Acceptance Criteria

  • When multiple domains exist, the user is presented with an interactive domain selection menu.
  • The selected domain is used consistently throughout the investigation process.
  • The output folder follows the new naming convention:
    Hawk_[domain_name]_YYYYMMDD_HHMM
  • The selection process works in both Start-HawkUserInvestigation and Start-HawkTenantInvestigation.
  • The tool functions normally for single-domain tenants without prompts.
  • The domain selection is cleared after the investigation completes.
  • Users can easily identify the default domain in the selection list.
  • Invalid selections are handled gracefully.
  • The domain selection prompt is clear, user-friendly, and informative.
  • Help documentation is updated to reflect the new domain selection capability.

Dependencies

  • Microsoft Graph API access.
  • UI-1 ticket for command-line parameter implementation.
  • Current folder naming implementation.

Risks

  • Potential impact on existing automation if folder naming conventions change.
  • The need to handle invalid domain selections gracefully.
  • Ensuring backward compatibility with existing investigation outputs.

Notes

  • The command-line parameter for domain selection will be handled by the UI-1 ticket.
  • Only single domain selection will be supported.
  • The default domain should be clearly marked in the selection menu.
  • Consider adding the selected domain name to log files for improved clarity.
@jonnybottles jonnybottles added type/feature New feature or request status/backlog In backlog / validated type/gaant Used for Gaant Visualization labels Dec 12, 2024
@jonnybottles jonnybottles self-assigned this Jan 4, 2025
@jonnybottles jonnybottles mentioned this issue Jan 4, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jonnybottles jonnybottles

Labels
status/backlog In backlog / validated type/feature New feature or request type/gaant Used for Gaant Visualization
Projects
None yet
Milestone
Sprint 2: Capability Enhancement
Development

No branches or pull requests
1 participant
@jonnybottles