The U.S. Cybersecurity & Infrastructure Agency (CISA) has launched a free cybersecurity tool to protect organizations against identity- and authentication-based Microsoft Azure and Office 365 attacks, according to a prepared statement. CISA's cybersecurity tool for Azure and 365 environments is publicly available via GitHub.
CISA's cybersecurity tool was created by its Cloud Forensics team to help incident responders detect possible compromised accounts and applications in Azure and 365 environments, the agency said. Incident responders can use the tool to guard against Azure and 365 attacks in multiple industries.
To use CISA's cybersecurity tool, incident responders must check and install the required PowerShell modules on their analysis machine, the agency indicated. Next, they can check unified audit logs in Azure or 365 for indicators of compromise (IOCs), list Azure Active Directory (AD) domains and review Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity.
CISA's cybersecurity tool also puts its findings into multiple CSV files in a default directory, the agency said. Data provided via the tool is "neither comprehensive nor exhaustive" and is intended to help organizations identify investigation modules and telemetry relating to attacks on their identity sources and applications.
CISA Issues Warning About APT Following SolarWinds Security Incident
Along with launching its cybersecurity tool for Azure and 365 environments, CISA last month released a warning that details the risks associated with advanced persistent threats (APT). The warning was issued following FireEye's discovery that an APT actor has been exploiting SolarWinds Orion software.
In addition, CISA has released recommendations to help organizations remediate risk after the SolarWinds security incident. CISA also has created a Supply Chain Compromise webpage to consolidate all of the resources it has released relating to the incident.