CISA releases tool to review Microsoft 365 post-compromise activity (Security News, April 2021)

The Cybersecurity and Infrastructure Security Agency has released a companion Splunk-based dashboard that helps review post-compromise activity in Microsoft Azure Active Directory, Office 365, and Microsoft 365 environments.
CISA's new tool, dubbed Aviary, helps security teams visualize and analyze data outputs generated using Sparrow, an open-source PowerShell-based tool for detecting potentially compromised applications and accounts in Azure and Microsoft 365.
CISA encourages network defenders who want to use Aviary for a more straightforward analysis of Sparrow output to review the AA21-008A alert on detecting post-compromise malicious activity in Microsoft Cloud environments.
Last month, CISA released CHIRP, a new Python-based forensics collection tool for detecting signs of SolarWinds hackers' activity on Windows operating systems.
Cybersecurity firm CrowdStrike released a detection tool similar to Sparrow named the CrowdStrike Reporting Tool for Azure.
FireEye also published a free tool dubbed Azure AD Investigator for discovering artifacts indicating malicious activity by the state-backed threat actor behind the SolarWinds supply-chain attack.