Free tool to check if your Microsoft Azure Active Directory, Office 365 (O365), and Microsoft 365 (M365) environments were hacked

Specialists from the Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of a companion dashboard built for Splunk that will help administrators verify security in Microsoft Azure Active Directory, Office 365, and Microsoft 365 environments.

Identified as Aviary, this tool helps analyze the output generated by the PowerShell-based open-source tool known as Sparrow, which is useful for detecting potentially compromised Azure and Microsoft 365 applications and accounts.

Experts point out that Aviary can be of great help in reviewing the PowerShell logs collected by Sparrow, including login analysis. Administrators can also use it to investigate PowerShell usage by users in their environment and to examine Azure AD domains.

The following are the main steps to use Aviary:

  • Ingest the Sparrow logs into Splunk (sourcetype = csv)
  • Import the Aviary .xml code into a new Control Panel
  • Point Aviary at the Sparrow data using index and host selection
  • Review the results. Click any UserId field value to correlate service principal activity

Sparrow’s recognized data sources include:

  • AppUpdate_Operations_Export.csv
  • AppRoleAssignment_Operations_Export.csv
  • Consent_Operations_Export.csv
  • Domain_List.csv
  • Domain_Operations_Export.csv
  • FileItems_Operations_Export.csv
  • MailItems_Operations_Export.csv
  • PSLogin_Operations_Export.csv
  • PSMailbox_Operations_Export.csv
  • SAMLToken_Operations_Export.csv
  • ServicePrincipal_Operations_Export.csv
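The four steps above and the export list describe what the dashboard does at its core: load the Sparrow CSV exports, index them by UserId, and let an analyst pivot from a user to that user's service principal activity. The following is an added example, not code from CISA, Aviary or Sparrow, that performs the same correlation offline in Python. The CSV contents are constructed for the example, and the column names (CreationDate, UserId, Operation, ObjectId) are an assumption; check the headers of the real Sparrow exports before adapting it.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample exports, named like Sparrow's output files. The column
# layout is an assumption for this example, not Sparrow's documented schema.
SAMPLE_EXPORTS = {
    "PSLogin_Operations_Export.csv": """CreationDate,UserId,Operation,ObjectId
2021-03-01T09:15:00,alice@example.com,UserLoggedIn,Exchange
2021-03-01T22:40:00,svc-backup@example.com,UserLoggedIn,Exchange
""",
    "AppRoleAssignment_Operations_Export.csv": """CreationDate,UserId,Operation,ObjectId
2021-03-01T22:45:00,svc-backup@example.com,Add app role assignment to service principal,app-0001
""",
    "ServicePrincipal_Operations_Export.csv": """CreationDate,UserId,Operation,ObjectId
2021-03-01T22:50:00,svc-backup@example.com,Add service principal credentials,app-0001
""",
}


def load_export(name, text):
    """Parse one Sparrow-style CSV export into normalized records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "source": name,
            "time": datetime.fromisoformat(row["CreationDate"]),
            "user": row["UserId"],
            "operation": row["Operation"],
            "object": row["ObjectId"],
        })
    return records


def build_timelines(exports):
    """Group every record from every export by UserId, sorted by time.
    This is the pivot the dashboard offers when you click a UserId value."""
    timelines = defaultdict(list)
    for name, text in exports.items():
        for rec in load_export(name, text):
            timelines[rec["user"]].append(rec)
    for recs in timelines.values():
        recs.sort(key=lambda r: r["time"])
    return dict(timelines)


def correlate(timelines, window_minutes=60):
    """Return users whose PowerShell login is followed, within the window,
    by a service principal or app role assignment operation. Such a sequence
    is worth an analyst's attention, not proof of compromise on its own."""
    hits = {}
    for user, recs in timelines.items():
        logins = [r for r in recs if r["source"].startswith("PSLogin")]
        sp_ops = [r for r in recs
                  if r["source"].startswith(("ServicePrincipal", "AppRoleAssignment"))]
        for login in logins:
            followed = [
                (op["source"], op["operation"], op["object"])
                for op in sp_ops
                if 0 <= (op["time"] - login["time"]).total_seconds() <= window_minutes * 60
            ]
            if followed:
                hits.setdefault(user, []).extend(followed)
    return hits


if __name__ == "__main__":
    timelines = build_timelines(SAMPLE_EXPORTS)
    for user, ops in correlate(timelines).items():
        print(f"{user}: PowerShell login followed by {len(ops)} service principal operation(s)")
        for source, operation, obj in ops:
            print(f"    {source}: {operation} on {obj}")
```

To run it against real exports, replace SAMPLE_EXPORTS with a dict built by reading each file in the Sparrow output directory; the correlation window and the set of "interesting" sources are the two knobs an analyst would normally tune.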

The Agency recommends that administrators of these deployments use Aviary to perform simple analysis of Sparrow’s output, and that they review alert AA21-008A on detecting post-compromise malicious activity in Microsoft Cloud environments.

A few weeks ago CISA launched CHIRP, a Python-based forensic collection tool for detecting signs of malicious activity similar to the SolarWinds attacks on Windows operating systems. Separately, CrowdStrike launched a Sparrow-like discovery tool called the CrowdStrike Reporting Tool for Azure.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.