{"id":1553,"date":"2021-04-09T17:55:31","date_gmt":"2021-04-09T12:25:31","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=1553"},"modified":"2021-06-07T11:16:11","modified_gmt":"2021-06-07T05:46:11","slug":"cisa-launched-new-tool-to-examine-microsoft-compromise-activity","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/","title":{"rendered":"CISA Launched New Tool to Examine Microsoft Compromise Activity!"},"content":{"rendered":"\n<p><p style=\"text-align: justify\">The Cybersecurity and Infrastructure Security Agency (CISA) has released Aviary, a dashboard that assists in reviewing post-compromise activity in Microsoft Azure Active Directory and Office 365.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify\">Aviary assists security teams by visualizing and analyzing the data outputs created with the help of Sparrow. Sparrow is an open-source PowerShell-based tool that identifies potentially compromised applications and accounts associated with Azure or Microsoft 365.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"700\" height=\"368\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-featured-image-2-1.jpg\" alt=\"\" class=\"wp-image-1564\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-featured-image-2-1.jpg 700w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-featured-image-2-1-300x158.jpg 300w\" sizes=\"(max-width: 700px) 100vw, 700px\" \/><\/figure><\/div>\n\n\n\n<p><p style=\"text-align: justify\">Sparrow was created to help defenders hunt down threat activity after the <a 
href=\"https:\/\/xiarch.com\/blog\/solarwinds-attackers-steal-source-code-from-microsoft-azure-exchange\/\" target=\"_blank\" rel=\"noreferrer noopener\">SolarWinds Orion<\/a> supply chain attack. Aviary helps by reviewing the PowerShell exports produced by Sparrow, analyzing PowerShell mailbox sign-ins and verifying whether the login details are authorized.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify\">It can also investigate PowerShell usage by users in the environment, and it examines the tenant Azure AD domains listed by Sparrow for modifications.<\/p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"944\" height=\"114\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-image.png\" alt=\"CISA Launched New Tool to Examine Microsoft Compromise Activity!\" class=\"wp-image-1554\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-image.png 944w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-image-300x36.png 300w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-image-768x93.png 768w\" sizes=\"(max-width: 944px) 100vw, 944px\" \/><\/figure><\/div>\n\n\n\n<p>Now the question that arises is how to use Aviary. 
For that, read the following section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to Access Aviary?<\/strong><\/h2>\n\n\n\n<p>To work with Aviary, the user has to carry out the following steps:<\/p>\n\n\n\n<ul><li>Ingest Sparrow logs (sourcetype=csv)<\/li><li>Import the Aviary .xml code into a dashboard<\/li><li>Point Aviary to the Sparrow data using the index and host selection<\/li><li>After that, review the output by clicking on any UserId field value that is related to the activity of the Service Principal<\/li><\/ul>\n\n\n\n<p>Next, here is how to recognize the data from Sparrow, which comes in the following files:<\/p>\n\n\n\n<ul><li>AppUpdate_Operations_Export.csv<\/li><li>AppRoleAssignment_Operations_Export.csv<\/li><li>Consent_Operations_Export.csv<\/li><li>Domain_List.csv<\/li><li>Domain_Operations_Export.csv<\/li><li>FileItems_Operations_Export.csv<\/li><li>MailItems_Operations_Export.csv<\/li><li>PSLogin_Operations_Export.csv<\/li><li>PSMailbox_Operations_Export.csv<\/li><li>SAMLToken_Operations_Export.csv<\/li><li>ServicePrincipal_Operations_Export.csv<\/li><\/ul>\n\n\n\n<p><p style=\"text-align: justify\">CISA encourages network defenders to use Aviary for a more straightforward view of Sparrow's output while reviewing the AA21-008A alert on detecting post-compromise activity in Microsoft cloud environments.<\/p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>New Tools that Detect Malicious Activity&nbsp;<\/strong><\/h2>\n\n\n\n<p><p style=\"text-align: justify\">In March, the Cybersecurity and Infrastructure Security Agency launched another program named CHIRP, which stands for CISA Hunt and Incident Response Program. 
CHIRP is a Python-based forensics collection tool that detects signs of the SolarWinds hackers on Windows OS.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify\">CrowdStrike, meanwhile, assists administrators in analyzing their Azure environment and getting a more accessible overview of which privileges are assigned to third-party resellers and partners.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify\">FireEye also published a free tool dubbed Azure AD Investigator that discovers clues indicating other malicious activity by the state-backed actor behind the SolarWinds supply-chain attack.<\/p><\/p>\n\n\n\n<p><p style=\"text-align: justify\">These tools were developed and made available to users after Microsoft disclosed how stolen credentials and access tokens were used in attacks targeting Azure users.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Cybersecurity and Infrastructure Security Agency (CISA) has released Aviary, a dashboard that assists in reviewing post-compromise activity in Microsoft Azure Active Directory and Office 365. Aviary assists security teams by visualizing and analyzing the data outputs created with the help of Sparrow. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1558,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,6],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CISA Launched New Tool to Examine Microsoft Compromise Activity! 
- Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISA Launched New Tool to Examine Microsoft Compromise Activity! - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"The Cybersecurity and Infrastructure Security Agency (CISA) has released Aviary, a dashboard that assists in reviewing post-compromise activity in Microsoft Azure Active Directory and Office 365. Aviary assists security teams by visualizing and analyzing the data outputs created with the help of Sparrow. [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-04-09T12:25:31+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-07T05:46:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-featured-image-2-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"520\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta 
name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"CISA Launched New Tool to Examine Microsoft Compromise Activity!\",\"datePublished\":\"2021-04-09T12:25:31+00:00\",\"dateModified\":\"2021-06-07T05:46:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/\"},\"wordCount\":487,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Consulting\",\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/\",\"url\":\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/\",\"name\":\"CISA Launched New Tool to Examine Microsoft Compromise Activity! 
- Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-04-09T12:25:31+00:00\",\"dateModified\":\"2021-06-07T05:46:11+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CISA Launched New Tool to Examine Microsoft Compromise Activity!\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CISA Launched New Tool to Examine Microsoft Compromise Activity! - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/","og_locale":"en_US","og_type":"article","og_title":"CISA Launched New Tool to Examine Microsoft Compromise Activity! 
- Xiarch Solutions Private Limited","og_description":"The Cybersecurity and Infrastructure Security Agency (CISA) has released Aviary, a dashboard that assists in reviewing post-compromise activity in Microsoft Azure Active Directory and Office 365. Aviary assists security teams by visualizing and analyzing the data outputs created with the help of Sparrow. [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-04-09T12:25:31+00:00","article_modified_time":"2021-06-07T05:46:11+00:00","og_image":[{"width":1000,"height":520,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/04\/cisa-released-tool-to-contol-microsoft-attacks-featured-image-2-1.png","type":"image\/png"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"CISA Launched New Tool to Examine Microsoft Compromise Activity!","datePublished":"2021-04-09T12:25:31+00:00","dateModified":"2021-06-07T05:46:11+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/"},"wordCount":487,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Consulting","Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/","url":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/","name":"CISA Launched New Tool to Examine Microsoft Compromise Activity! 
- Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-04-09T12:25:31+00:00","dateModified":"2021-06-07T05:46:11+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/cisa-launched-new-tool-to-examine-microsoft-compromise-activity\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"CISA Launched New Tool to Examine Microsoft Compromise Activity!"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/1553"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=1553"}],"version-history":[{"count":4,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/1553\/revisions"}],"predecessor-version":[{"id":1565,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/1553\/revisions\/1565"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/1558"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=1553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=1553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=1553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}