Using Aviary to Analyze Post-Compromise Threat Activity in M365 Environments

Original release date: April 8, 2021

Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary—a Splunk-based dashboard—facilitates analysis of Sparrow data outputs.

CISA encourages network defenders wishing to use Aviary to facilitate their analysis of output from Sparrow to review CISA Alert: AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Note: CISA has updated the Sparrow tool section of AA21-008A with instructions on using the Aviary tool.

CISA recommends the following resources for additional information:

• CISA Alert: AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
• CISA Alert: AA21-077A: Detecting Post-Compromise Activity using the CHIRP IOC Detection Tool
• CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365
• CISA web page: Supply Chain Compromise

Source link