CISA releases Sparrow, a tool for detecting compromised Azure accounts

With the SolarWinds breach in the headlines, CISA has released a tool designed to help Azure and Microsoft 365 clients detect compromised accounts. Sparrow is a Powershell script that gathers data related to potentially compromised accounts and applications in Azure or Microsoft 365.

Essentially, Sparrow runs checks against the unified audit log to detect potential indicators of compromise (IOCs). Data gathered by the tool is dumped into CSV files for external analysis: this is not a remediation tool, just a data gathering one.

There are existing tools that are in this same space that should also be leveraged where appropriate. HAWK is an “unofficial” Microsoft tool released by a Microsoft Cloud Forensics Consultant that gathers information about a tenant and can also be used to drill down and gather information from specific users within a tenant.

HAWK is straightforward to use, and, like Sparrow, only gathers data. I have no idea if the choice of bird-related tool names is intentional!

CrowdStrike has also released a tool called CRT (CrowdStrike Reporting Tool for Azure). CRT helps find configuration and permission-related issues in Exchange Online and Azure. More information about the history and use of this tool can be found in this CrowdStrike blog post.

Related Posts