This repository has been archived by the owner on Dec 27, 2022. It is now read-only.

Releases: cisagov/Sparrow

Aviary

08 Apr 19:54
a1aac33

Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from CISA's Sparrow detection tool, released in December 2020. Sparrow helps network defenders detect possibly compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary, a Splunk-based dashboard, facilitates analysis of Sparrow data outputs.

Recognized data sources from Sparrow include*:

  • AppUpdate_Operations_Export.csv
  • AppRoleAssignment_Operations_Export.csv
  • Consent_Operations_Export.csv
  • Domain_List.csv
  • Domain_Operations_Export.csv
  • FileItems_Operations_Export.csv
  • MailItems_Operations_Export.csv
  • PSLogin_Operations_Export.csv
  • PSMailbox_Operations_Export.csv
  • SAMLToken_Operations_Export.csv
  • ServicePrincipal_Operations_Export.csv

*Note: All detailed results panels are conditional; they appear only if there is recognized data to display.

Directions:

1. Ingest Sparrow logs (sourcetype=csv).
2. Import the Aviary .xml code into a new Dashboard.
3. Point Aviary at the Sparrow data using the index and host selection.
4. Review the output.
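As an added illustration of how a dashboard like this is wired together (this is a constructed example, not Aviary's own XML, which ships with the release), the Splunk Simple XML below offers the index and host selection from step 3 and shows a detailed panel only when SAMLToken_Operations_Export.csv data is present, the conditional behaviour described in the note above. It assumes the Sparrow CSVs were ingested with sourcetype=csv as in step 1; the token names and searches are chosen for this example.

```xml
<form>
  <label>Sparrow review (constructed example, not the Aviary dashboard)</label>
  <fieldset submitButton="true">
    <!-- Step 3: let the analyst pick the index the Sparrow CSVs were ingested into -->
    <input type="dropdown" token="idx" searchWhenChanged="false">
      <label>Index</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>| eventcount summarize=false index=* | dedup index | fields index</query>
      </search>
    </input>
    <!-- ...and the host the files were collected from, scoped to that index -->
    <input type="dropdown" token="hst" searchWhenChanged="false">
      <label>Host</label>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <search>
        <query>| metadata type=hosts index=$idx$ | fields host</query>
      </search>
    </input>
  </fieldset>
  <row>
    <!-- The panel renders only while the show_saml token is set -->
    <panel depends="$show_saml$">
      <title>SAML token operations (SAMLToken_Operations_Export.csv)</title>
      <table>
        <search>
          <!-- sourcetype=csv matches step 1; the source glob selects one Sparrow export -->
          <query>index=$idx$ host=$hst$ sourcetype=csv source="*SAMLToken_Operations_Export.csv" | table *</query>
          <earliest>0</earliest>
          <latest>now</latest>
          <!-- Set the token only when the search actually returned rows -->
          <done>
            <condition match="'job.resultCount' &gt; 0">
              <set token="show_saml">true</set>
            </condition>
            <condition>
              <unset token="show_saml"></unset>
            </condition>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The same `depends` plus `<done>` pattern can be repeated per export file, so panels for data sources Sparrow did not produce simply never appear.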