This repository has been archived by the owner on Dec 27, 2022. It is now read-only.

Aviary

@genericdevname genericdevname released this 08 Apr 19:54
· 3 commits to develop since this release
a1aac33

Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool, released in December 2020. Sparrow helps network defenders detect possibly compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary, a Splunk-based dashboard, facilitates analysis of Sparrow data outputs.

Recognized data sources from Sparrow include*:

  • AppUpdate_Operations_Export.csv
  • AppRoleAssignment_Operations_Export.csv
  • Consent_Operations_Export.csv
  • Domain_List.csv
  • Domain_Operations_Export.csv
  • FileItems_Operations_Export.csv
  • MailItems_Operations_Export.csv
  • PSLogin_Operations_Export.csv
  • PSMailbox_Operations_Export.csv
  • SAMLToken_Operations_Export.csv
  • ServicePrincipal_Operations_Export.csv

  • *Note: All detailed results panels are conditional: a panel appears only if there is recognized data for it to display.

Directions:

  1. Ingest Sparrow logs (sourcetype=csv)
  2. Import the Aviary .xml code into a new Dashboard
  3. Point Aviary to the Sparrow data using the index and host selection
  4. Review the output.
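As an added illustration of steps 1 and 3 (this is not part of the Aviary release or CISA's Sparrow documentation), the following Splunk `inputs.conf` stanza monitors a directory of Sparrow CSV exports and indexes them with `sourcetype=csv`. The monitored path, the `sparrow` index name and the `sparrow-collector` host value are assumptions; adapt them to your deployment, and make sure the index already exists in `indexes.conf` before the forwarder starts sending data.

```ini
# Added example, not from the Aviary or Sparrow projects.
# inputs.conf on the forwarder (or indexer) that can read the Sparrow output
# directory. Path, index and host are assumed placeholders.
[monitor:///opt/sparrow/output]
# Only the CSV exports Sparrow writes; skip anything else in the directory.
whitelist = \.csv$
# Splunk's built-in csv sourcetype extracts the header row as field names.
sourcetype = csv
index = sparrow
# The host value is what you later select in Aviary's host dropdown.
host = sparrow-collector
disabled = false
```

Once the files are indexed, confirm which of the recognized Sparrow exports arrived, and therefore which detailed panels Aviary can show, with a search such as `index=sparrow host=sparrow-collector | stats count by source`; the `index` and `host` values in that search are the same pair you supply in step 3.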