Skip to content
This repository has been archived by the owner on Dec 27, 2022. It is now read-only.

Aviary

Latest
Latest
Compare
Choose a tag to compare
@genericdevname genericdevname released this 08 Apr 19:54
· 3 commits to develop since this release
v1.0
a1aac33
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possible compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary--a Splunk-base dashboard--facilitates analysis of Sparrow data outputs.

Recognized data sources from Sparrow include*:

  • AppUpdate_Operations_Export.csv
  • AppRoleAssignment_Operations_Export.csv
  • Consent_Operations_Export.csv
  • Domain_List.csv
  • Domain_Operations_Export.csv
  • FileItems_Operations_Export.csv
  • MailItems_Operations_Export.csv
  • PSLogin_Operations_Export.csv
  • PSMailbox_Operations_Export.csv
  • SAMLToken_Operations_Export.csv
  • ServicePrincipal_Operations_Export.csv

    • *Note: All detailed results panels are conditional, they will only appear if there is recognized data to display.

    Directions:

    1. Ingest Sparrow logs (sourcetype=csv)
    2. Import Aviary .xml code into new Dashboard
    3. Point Aviary to Sparrow data using the index and host selection
    4. Review the output.
Assets 4