CISA Releases Tool to Detect Microsoft 365 Compromise
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has released a new tool that aims to help organizations detect a potential compromise of Microsoft 365 and Microsoft Azure. The tool has been named Aviary and includes a dashboard that facilitates the analysis of output from Sparrow, a compromise detection tool released by the agency in December 2020. The tool was ultimately created as a result of the SolarWinds compromise that targeted US agencies, federal entities, and public organizations.
Sparrow is typically utilized by customers to hunt for malicious activity in Microsoft Azure, Microsoft 365, and Office 365 environments. It helps identify accounts and applications that may have been compromised by threat actors. Sparrow helps users check for domain authentication or federation modifications, find new and modified credentials in logs, detect privilege escalation, and review other metrics that are typically tell-tale signs of compromise.