CISA Released a New Tool to Help with the Detection of Compromise within Microsoft Azure and Microsoft 365


The Cybersecurity and Infrastructure Security Agency (CISA) of the United States Department of Homeland Security has introduced a new tool to aid in the identification of possible compromise in Microsoft Azure and Microsoft 365 environments.

The new app, dubbed Aviary, is a dashboard that allows users to easily visualise and analyse data from Sparrow, a compromise detection tool that was released in December 2020.

Sparrow can be used by network defenders to search for possible malicious activity within Microsoft Azure Active Directory (AD), Microsoft 365 (M365), and Office 365 (O365) environments. It was created by CISA to aid in the detection of malicious activity related to the SolarWinds compromise.

Sparrow was created to help organisations identify accounts and applications that could have been compromised in their Azure/M365 environment.

Defenders may use Sparrow to detect privilege escalation, detect OAuth consent and users’ consent to applications, identify anomalous SAML token sign-ins, and check the Graph API application permissions for service principals and apps in the environment, among other things.

The newly released Aviary, a Splunk-based dashboard, is designed to make it easier to analyse Sparrow's output data.

The detection tool is now available on GitHub. Instructions on how to install Aviary after running Sparrow are included in CISA’s January announcement, which was updated this week with instructions on using Aviary.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.