FYSA
CISA released "Aviary," a new companion resource to its existing Sparrow
detection tool, which helps partners detect possibly compromised accounts and
applications in the Azure/M365 environment. This resource is available on the
CISA GitHub page (Github.com/cisagov/sparrow/releases) with updated
instructions provided within the Sparrow section of the original alert,
AA21-008A "Detecting Post-Compromise Threat Activity in Microsoft Cloud
Environments" <https://us-cert.cisa.gov/ncas/alerts/aa21-008a>.
A current activity report has also been released in conjunction with the Aviary
tool for more information:
https://us-cert.gov/ncas/current-activity/2021/04/08/using-aviary-to-analyze-post-compromise-threat-activity
Aviary provides a user-friendly dashboard to display the output data from the
Sparrow tool. Since its release in late December 2020 (and subsequent updates
in early 2021), Sparrow has focused incident responders' attention on the
narrow scope of user and application activity endemic to identity- and
authentication-based attacks seen recently in multiple sectors. Aviary, a
complementary Splunk-based analysis dashboard, now enables these incident
responders to better display the CSV output data from Sparrow's PowerShell
script [1].
The development of Aviary is a direct result of the constructive feedback CISA
has received in the last few months. The Aviary dashboard represents an
important upgrade in the user experience, and we feel it will greatly enhance
the efficacy of the Sparrow tool and the data it produces. For organizations
already using a Splunk back end, Aviary is ready to use without adjustments
and with no additional dependencies.
Our hope is that the new user experience and easier-to-understand outputs will
help our partners better understand the steps for detecting and mitigating
potentially malicious activity in their Azure/M365 environment and prevent the
re-use of similar tactics, techniques, and procedures in the future.
Please contact CISA (via email at
central@xxxxxxxxxxxx or by phone at
1-888-282-0870) to report an intrusion or to request either technical
assistance or additional resources for incident response.
Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse@xxxxxxxxxxxx