The Cybersecurity & Infrastructure Security Agency (CISA) has released a free incident response tool for detecting malicious activity, focused mainly on identity, access and authentication. Project "Sparrow.ps1" was created by CISA's Cloud Forensics Team to help detect compromised user accounts and/or applications in Azure or Microsoft 365 environments. It is essentially a PowerShell script that scans for indicators of compromise (permissions, domains) and writes the data to .csv files for analysis. It has been released on GitHub as an open-source project, which you can find here. Given that the government sector has been considerably impacted by the SolarWinds breach, the project primarily compares its input against the IoCs from that campaign. CISA warns that this tool is not a replacement for intrusion detection systems and is limited to federal identity systems and applications.
For Sparrow to function, it requires three (3) PowerShell modules: CloudConnect, AzureAD, and MSOnline. The required permissions are listed below:
· Azure Active Directory:
    · Security Reader
· Security and Compliance Center:
    · Compliance Administrator
· Exchange Online Admin Center: utilize a custom group for these specific permissions:
    · Mail Recipients
    · Security Group Creation and Membership
    · User Options
    · View-Only Audit Log
    · View-Only Configuration
    · View-Only Recipients
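As an added pre-flight check before running Sparrow (example code written for this post, not part of CISA's project), the following PowerShell confirms that the three modules are installed and that the signed-in account holds the Security Reader role in Azure AD. It assumes the AzureAD module's cmdlets and a direct (not group-based) role assignment; the Security and Compliance Center and Exchange Online permissions still have to be checked in their own admin portals.

```powershell
# Pre-flight check for Sparrow.ps1 prerequisites (added example, not CISA's code).
param(
    [switch]$Install   # install any missing module from the PowerShell Gallery
)

# The three modules named in the post.
$RequiredModules = @('CloudConnect', 'AzureAD', 'MSOnline')
$missing = @()

foreach ($name in $RequiredModules) {
    if (Get-Module -ListAvailable -Name $name) {
        Write-Host "[ok]   module $name is available"
    } else {
        Write-Warning "module $name is missing"
        $missing += $name
    }
}

if ($missing.Count -gt 0) {
    if ($Install) {
        # -Scope CurrentUser avoids needing local administrator rights.
        $missing | ForEach-Object { Install-Module -Name $_ -Scope CurrentUser -Force }
    } else {
        Write-Error "Missing module(s): $($missing -join ', '). Re-run with -Install or install them manually."
        exit 1
    }
}

# Confirm the signed-in account holds Security Reader in Azure AD.
# Caveats: a built-in role only appears in Get-AzureADDirectoryRole once it has been
# activated (assigned at least once) in the tenant, and a higher role such as
# Global Administrator would also satisfy Sparrow's read requirements.
Connect-AzureAD | Out-Null
$me   = (Get-AzureADCurrentSessionInfo).Account.Id
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Security Reader' }
$isReader = $false
if ($role) {
    # Only direct user assignments are matched here; group-based assignments are not expanded.
    $isReader = [bool](Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
                       Where-Object { $_.UserPrincipalName -eq $me })
}
if ($isReader) {
    Write-Host "[ok]   $me holds Security Reader"
} else {
    Write-Warning "$me does not appear to hold Security Reader; Sparrow's Azure AD queries may fail"
}
```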
Are you worried your systems have been compromised? We offer a multitude of services from Emergency Incident Response (IR) to SEQ|OPS 24x7x365 threat monitoring. If you would like additional information, fill out our Contact form or call 248.285.9059 in case of an emergency.