This repository has been archived by the owner on Dec 27, 2022. It is now read-only.
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020. Sparrow helps network defenders detect possibly compromised accounts and applications in Azure/Microsoft O365 environments. CISA created Sparrow to support hunts for threat activity following the SolarWinds compromise. Aviary--a Splunk-based dashboard--facilitates analysis of Sparrow data outputs.
Recognized data sources from Sparrow include*:
- AppUpdate_Operations_Export.csv
- AppRoleAssignment_Operations_Export.csv
- Consent_Operations_Export.csv
- Domain_List.csv
- Domain_Operations_Export.csv
- FileItems_Operations_Export.csv
- MailItems_Operations_Export.csv
- PSLogin_Operations_Export.csv
- PSMailbox_Operations_Export.csv
- SAMLToken_Operations_Export.csv
- ServicePrincipal_Operations_Export.csv

To use Aviary:
- Ingest the Sparrow logs into Splunk (sourcetype=csv).
- Import the Aviary .xml code into a new dashboard.
- Point Aviary at the Sparrow data using the index and host selection.
- Review the output.
*Note: All detailed results panels are conditional; they only appear if there is recognized data to display.
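The following is an added example, not code from the Aviary or Sparrow projects. It covers the ingest step and the note above: it inventories a Sparrow output directory for the recognized export files, counts the records in each (so an analyst knows in advance which conditional panels can appear), and builds one `splunk add oneshot` command per non-empty export with `sourcetype=csv` and the index/host that Aviary is later pointed at. The sample directory, its field names and values are constructed for the demo; the `#TYPE` handling is for PowerShell `Export-Csv` output written without `-NoTypeInformation`, and the Splunk CLI command form is assumed to match the standard `add oneshot` syntax, so confirm it against your Splunk version.

```python
"""Inventory Sparrow CSV exports and build the Splunk one-shot ingest commands for Aviary."""
import csv
import shlex
import tempfile
from pathlib import Path

# Export files Aviary recognizes, as listed in the Aviary README.
SPARROW_EXPORTS = (
    "AppUpdate_Operations_Export.csv",
    "AppRoleAssignment_Operations_Export.csv",
    "Consent_Operations_Export.csv",
    "Domain_List.csv",
    "Domain_Operations_Export.csv",
    "FileItems_Operations_Export.csv",
    "MailItems_Operations_Export.csv",
    "PSLogin_Operations_Export.csv",
    "PSMailbox_Operations_Export.csv",
    "SAMLToken_Operations_Export.csv",
    "ServicePrincipal_Operations_Export.csv",
)


def count_records(path):
    """Count data rows in one export. PowerShell's Export-Csv prefixes a
    '#TYPE ...' line when run without -NoTypeInformation; drop it so it is
    not mistaken for the header row (a csv sourcetype would index it too)."""
    with Path(path).open(newline="", encoding="utf-8-sig") as fh:
        lines = [ln for ln in fh if not ln.startswith("#TYPE")]
    return sum(1 for _ in csv.DictReader(lines))


def inventory(out_dir):
    """Map each recognized export name to its record count: -1 means the file
    is absent, 0 means header only. Either way that Aviary panel stays hidden."""
    result = {}
    for name in SPARROW_EXPORTS:
        path = Path(out_dir) / name
        result[name] = count_records(path) if path.is_file() else -1
    return result


def ingest_commands(out_dir, index, host):
    """Build one `splunk add oneshot` command per export that holds records,
    using sourcetype=csv and the index/host Aviary will be pointed at.
    Assumption: standard Splunk CLI syntax for `add oneshot`."""
    cmds = []
    for name, rows in inventory(out_dir).items():
        if rows > 0:
            path = str(Path(out_dir) / name)
            cmds.append(
                f"splunk add oneshot {shlex.quote(path)} -sourcetype csv "
                f"-index {shlex.quote(index)} -host {shlex.quote(host)}"
            )
    return cmds


def make_sample_dir():
    """Create a temp directory with constructed (not real) Sparrow output:
    one export with two records and a #TYPE line, one with a header only,
    the remaining exports absent."""
    out_dir = Path(tempfile.mkdtemp(prefix="sparrow_"))
    (out_dir / "PSLogin_Operations_Export.csv").write_text(
        "#TYPE Selected.System.Management.Automation.PSCustomObject\r\n"
        '"CreationDate","UserIds","Operations"\r\n'
        '"2021-01-05T10:11:12Z","alice@example.com","UserLoggedIn"\r\n'
        '"2021-01-05T10:12:30Z","bob@example.com","UserLoggedIn"\r\n',
        encoding="utf-8",
    )
    (out_dir / "Domain_List.csv").write_text(
        '"Id","AuthenticationType"\r\n', encoding="utf-8"
    )
    return out_dir


if __name__ == "__main__":
    sample = make_sample_dir()
    for name, rows in inventory(sample).items():
        print(f"{name:45s} {rows:>3}")
    print("\n".join(ingest_commands(sample, "sparrow", "tenant-export")))
```

Run it against the real Sparrow output directory instead of the constructed sample to see which panels can populate before the dashboard is opened; an export that is absent or header-only is the expected reason a detailed results panel does not appear.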