CISA has released a Splunk-based dashboard, dubbed Aviary, that administrators can use in the post-compromise analysis of Microsoft Azure AD (AAD), Office 365 (O365) and Microsoft 365 (M365). It visualises and analyses the data produced by Sparrow, an open source PowerShell tool used by defenders.

Sparrow checks for and installs the required PowerShell modules on the machine used for the analysis, then checks the unified audit log in Azure/M365 for certain IoCs, lists Azure AD domains, and checks Azure service principals and their Microsoft Graph API permissions to identify potentially malicious activity. The tool writes its output to multiple CSV files in a folder called ‘ExportDir’ in the user’s default home directory (i.e. Desktop/ExportDir).

Aviary can analyze the following Sparrow output files:

  • AppUpdate_Operations_Export.csv
  • AppRoleAssignment_Operations_Export.csv
  • Consent_Operations_Export.csv
  • Domain_List.csv
  • Domain_Operations_Export.csv
  • FileItems_Operations_Export.csv
  • MailItems_Operations_Export.csv
  • PSLogin_Operations_Export.csv
  • PSMailbox_Operations_Export.csv
  • SAMLToken_Operations_Export.csv
  • ServicePrincipal_Operations_Export.csv

The step-by-step procedure to use Aviary is:

  • Ingest Sparrow logs (sourcetype=csv)
  • Import Aviary .xml code into new Dashboard
  • Point Aviary to Sparrow data using the index and host selection
  • Review the output.
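Before (or alongside) loading the ExportDir files into the dashboard, it helps to sanity-check what Sparrow actually wrote. The following is an added Python example, not Sparrow's or Aviary's own code: it parses a Sparrow-style CSV, decodes the AuditData JSON each row carries, counts operations per user the way a Splunk `stats count by` would, flags a small watch list of service-principal and consent operations, and tolerates rows whose AuditData is not valid JSON. The column layout (CreationDate, UserIds, Operations, AuditData), the watch list and every sample row, user and IP address are assumptions constructed for the example.

```python
import csv
import io
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of a Sparrow CSV export (not real data).
# Sparrow writes the objects returned by Search-UnifiedAuditLog to CSV; the
# column set used here (CreationDate, UserIds, Operations, AuditData) is an
# assumption about that layout, and every row, user and IP below is invented.
# The last row carries deliberately broken AuditData to exercise the parser.
SAMPLE_CSV = """CreationDate,UserIds,Operations,AuditData
2021-03-01T10:02:11,alice@example.test,UserLoggedIn,"{""Operation"":""UserLoggedIn"",""ClientIP"":""203.0.113.5"",""UserId"":""alice@example.test""}"
2021-03-01T10:05:40,admin@example.test,Add service principal credentials.,"{""Operation"":""Add service principal credentials."",""ObjectId"":""ServicePrincipal_11111111-aaaa"",""UserId"":""admin@example.test""}"
2021-03-01T10:06:02,admin@example.test,Consent to application.,"{""Operation"":""Consent to application."",""ObjectId"":""app-2222"",""UserId"":""admin@example.test""}"
2021-03-02T08:30:15,bob@example.test,UserLoggedIn,"{""Operation"":""UserLoggedIn"",""ClientIP"":""198.51.100.9"",""UserId"":""bob@example.test""}"
2021-03-02T09:00:00,carol@example.test,MailItemsAccessed,"not-json"
"""

# Operations worth a first look in a post-compromise review of the kind of
# data Sparrow's ServicePrincipal_ and Consent_ exports hold. This watch list
# is an assumption for the example; extend it to fit the environment.
HIGH_RISK_OPERATIONS = frozenset({
    "Add service principal credentials.",
    "Consent to application.",
    "Add app role assignment to service principal.",
})


def parse_sparrow_export(text):
    """Parse Sparrow-style CSV text. Returns one dict per row with the
    AuditData JSON decoded into row['audit'] ({} when it is not valid JSON,
    with row['audit_error'] set so the bad rows can be reported)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["audit"] = json.loads(row.get("AuditData") or "")
            row["audit_error"] = False
        except json.JSONDecodeError:
            row["audit"] = {}
            row["audit_error"] = True
        rows.append(row)
    return rows


def load_sparrow_file(path):
    """Read one of the ExportDir CSVs from disk; utf-8-sig tolerates a BOM."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return parse_sparrow_export(fh.read())


def operations_by_user(rows):
    """Count each Operations value per UserIds (like a Splunk stats count by)."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[row["UserIds"]][row["Operations"]] += 1
    return counts


def flag_high_risk(rows, watch=HIGH_RISK_OPERATIONS):
    """Return the rows whose operation is on the watch list, in file order."""
    return [r for r in rows if r["Operations"] in watch]


def login_ips_by_user(rows):
    """Map each user to the set of ClientIP values seen on UserLoggedIn events."""
    ips = defaultdict(set)
    for row in rows:
        if row["Operations"] == "UserLoggedIn" and row["audit"].get("ClientIP"):
            ips[row["UserIds"]].add(row["audit"]["ClientIP"])
    return dict(ips)


if __name__ == "__main__":
    rows = parse_sparrow_export(SAMPLE_CSV)
    for user, ops in operations_by_user(rows).items():
        print(user, dict(ops))
    for r in flag_high_risk(rows):
        print("REVIEW:", r["CreationDate"], r["UserIds"], r["Operations"],
              r["audit"].get("ObjectId"))
    print(login_ips_by_user(rows))
    bad = [r for r in rows if r["audit_error"]]
    print(f"{len(bad)} row(s) with undecodable AuditData")
```

Run it against a real export with `load_sparrow_file("Desktop/ExportDir/ServicePrincipal_Operations_Export.csv")` (path per the ExportDir convention above); the per-user counts and the flagged rows give a quick cross-check of what the Aviary panels should show once the CSVs are ingested with sourcetype=csv.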

This follows the CHIRP threat-hunting tool that CISA released last month.