Overview
The US Cybersecurity and Infrastructure Security Agency (CISA) gave Azure/M365 admins a late December present: Sparrow (GitHub - cisagov/Sparrow), a PowerShell script whose purpose is to look for known Advanced Persistent Threat indicators in Azure/Microsoft 365.
Here is a bit of background on what the script does and does not do. I will leave out analysis of the code itself, as it may evolve. Please look at the source on GitHub.
Sparrow.ps1 looks primarily at Azure AD Service Principals of type Application and MS Graph, and at the Unified Audit Log (UAL).
If you have a suspect Azure AppID, and you have M365 E5/G5 (or a plan that tracks the MailItemsAccessed operation in the Unified Audit Log), that AppID can be supplied to the script, and the mail items accessed by the suspect AppID will be exported as one of the script's operations.
What is this script checking?
VERBOSE: Searching for 'Set domain authentication' and 'Set federation settings on domain' operations in the UAL.
VERBOSE: Searching for 'Update application' and 'Update application – Certificates and secrets management' in the UAL.
VERBOSE: Searching for 'Update service principal' and 'Add service principal credentials' in the UAL.
VERBOSE: Searching for 'Add app role assignment to service principal', 'Add app role assignment grant to user', and 'Add app role assignment to group' in the UAL.
VERBOSE: Searching for 'Add OAuth2PermissionGrant' and 'Consent to application' in the UAL.
VERBOSE: Searching for 16457 in UserLoggedIn and UserLoginFailed operations in the UAL.
VERBOSE: Searching for PowerShell logins into mailboxes in the UAL.
VERBOSE: Searching for PowerShell logins using known PS application ids in the UAL.
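To make the list above concrete, here is an added example (my own code, not CISA's Sparrow) that runs the same operation checks, plus the MailItemsAccessed-by-AppID lookup described earlier, over UAL records that have already been exported. It assumes each record has the shape Search-UnifiedAuditLog returns (an "Operations" field and an "AuditData" JSON string); the "AppId" field inside MailItemsAccessed data and the idea that 16457 is found by a free-text scan of the login record are assumptions to verify against a real export. The sample records are constructed for the example.

```python
"""Triage exported Unified Audit Log (UAL) records for the operations Sparrow searches.

Added example, not CISA's code. Record shape follows Search-UnifiedAuditLog output:
an "Operations" field and an "AuditData" JSON string. Field names inside AuditData
("AppId") are assumed and should be checked against a real export.
"""
import json
from collections import defaultdict
from typing import Optional

# Operations from Sparrow's verbose output, grouped by what they indicate.
# Matching ignores case, dash style and a trailing period, because the UAL
# writes some Azure AD operation names with one ("Update application.").
WATCHED_OPERATIONS = {
    "federation_change": [
        "Set domain authentication",
        "Set federation settings on domain",
    ],
    "app_credential_change": [
        "Update application",
        "Update application - Certificates and secrets management",
        "Update service principal",
        "Add service principal credentials",
    ],
    "app_role_assignment": [
        "Add app role assignment to service principal",
        "Add app role assignment grant to user",
        "Add app role assignment to group",
    ],
    "consent_grant": [
        "Add OAuth2PermissionGrant",
        "Consent to application",
    ],
}
LOGIN_OPERATIONS = {"UserLoggedIn", "UserLoginFailed"}
LOGIN_ERROR_CODE = "16457"  # the code Sparrow searches for in login records


def _norm(op: str) -> str:
    """Normalise an operation name so page spelling and UAL spelling compare equal."""
    return op.strip().rstrip(".").replace("\u2013", "-").replace("\u2014", "-").casefold()


_OP_TO_CATEGORY = {_norm(op): cat for cat, ops in WATCHED_OPERATIONS.items() for op in ops}


def categorize(record: dict) -> Optional[str]:
    """Return the Sparrow-style category for one UAL record, or None if it is not watched."""
    op = record.get("Operations") or record.get("Operation") or ""
    cat = _OP_TO_CATEGORY.get(_norm(op))
    if cat:
        return cat
    # Assumption: a substring scan of the raw AuditData JSON mirrors a free-text search.
    if op in LOGIN_OPERATIONS and LOGIN_ERROR_CODE in (record.get("AuditData") or ""):
        return "login_error_16457"
    return None


def triage(records: list, suspect_app_id: Optional[str] = None) -> dict:
    """Bucket records by category; optionally collect MailItemsAccessed by a suspect AppID."""
    hits = defaultdict(list)
    for rec in records:
        cat = categorize(rec)
        if cat:
            hits[cat].append(rec)
        if suspect_app_id and rec.get("Operations") == "MailItemsAccessed":
            data = json.loads(rec.get("AuditData") or "{}")
            # Assumption: "AppId" names the application that accessed the mailbox.
            if str(data.get("AppId", "")).lower() == suspect_app_id.lower():
                hits["mail_access_by_suspect_app"].append(rec)
    return dict(hits)


# Constructed sample records (not real tenant data); AppID is a placeholder GUID.
SUSPECT_APP_ID = "00000000-0000-0000-0000-0000deadbeef"
SAMPLE_RECORDS = [
    {"CreationDate": "2020-12-20T03:14:07", "Operations": "Set federation settings on domain.",
     "UserIds": "admin@example.onmicrosoft.com",
     "AuditData": json.dumps({"Operation": "Set federation settings on domain.",
                              "Target": [{"ID": "example.com"}]})},
    {"CreationDate": "2020-12-20T03:20:41", "Operations": "Add service principal credentials.",
     "UserIds": "admin@example.onmicrosoft.com",
     "AuditData": json.dumps({"Operation": "Add service principal credentials.",
                              "Target": [{"ID": "ServicePrincipal_example"}]})},
    {"CreationDate": "2020-12-21T11:02:55", "Operations": "UserLoginFailed",
     "UserIds": "user@example.onmicrosoft.com",
     "AuditData": json.dumps({"Operation": "UserLoginFailed",
                              "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "16457"}]})},
    {"CreationDate": "2020-12-21T11:05:12", "Operations": "MailItemsAccessed",
     "UserIds": "user@example.onmicrosoft.com",
     "AuditData": json.dumps({"Operation": "MailItemsAccessed", "AppId": SUSPECT_APP_ID,
                              "MailboxOwnerUPN": "user@example.onmicrosoft.com"})},
    {"CreationDate": "2020-12-21T11:06:00", "Operations": "UserLoggedIn",
     "UserIds": "user@example.onmicrosoft.com",
     "AuditData": json.dumps({"Operation": "UserLoggedIn", "ResultStatus": "Success"})},
]

if __name__ == "__main__":
    for category, recs in triage(SAMPLE_RECORDS, SUSPECT_APP_ID).items():
        print(f"{category}: {len(recs)} record(s)")
        for r in recs:
            print(f"  {r['CreationDate']}  {r['Operations']}  {r['UserIds']}")
```

Run it against a real export by loading the records from the CSV or JSON you saved from Search-UnifiedAuditLog and passing them to triage(); the normalisation in _norm is what lets the short operation names printed by Sparrow match the UAL's own spelling.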