cisagov / Sparrow

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.

"An error occurred" Generic error when running this script.

ChelanPUD opened this issue · comments

Thank you for your work on this tool. I was pointed this direction from E-ISAC. I had no issues running the CrowdStrike reporting tool, but Sparrow is giving me trouble.

🐛 Summary

What's wrong? Please be specific.
Running sparrow.ps1 - I get prompted for Azure cloud instance and Exchange instance, I get prompted for username/password and MFA, it accepts and moves on, listing the modules and asking if I have an E5 license; I respond yes. Would I like to investigate a certain application? No. It starts listing its verbose steps, getting to: "VERBOSE: Searching for PowerShell logins using known PS application ID's in the UAL." Then "Warning, result set may have been truncated; narrow start/end date."

It prompts me for my credentials again, my MFA, I enter them and get this error:
"
An error occurred

An error occurred. Contact your administrator for more information.

Error details
•Activity ID: 987bf970-392b-4293-a91c-f2c891eb61a1
•Error time: Fri, 08 Jan 2021 18:11:08 GMT
•Cookie: enabled
•User agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)
"

To reproduce

Steps to reproduce the behavior:

  1. Listed in detail above

Expected behavior

I am expecting it to pass authentication like it does after the first request.

Any helpful log output or screenshots

Paste the results here:

An error occurred

An error occurred. Contact your administrator for more information.

Error details
•Activity ID: 987bf970-392b-4293-a91c-f2c891eb61a1
•Error time: Fri, 08 Jan 2021 18:11:08 GMT
•Cookie: enabled
•User agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E)

Add any screenshots of the problem here.

You might need to reduce the following line (7):

[datetime] $StartDate = [DateTime]::UtcNow.AddDays(-364)

To a lower number such as:

[datetime] $StartDate = [DateTime]::UtcNow.AddDays(-90)

Can you please try this and let us know how it works?

Hello, we have not heard back from you regarding this issue. If no response is given within three days, I will go ahead and close out this issue.

Hello - apologies. I was able to resolve the issue but not with the suggestion above. We are in GCC low and I thought maybe we'd need to pick the gov cloud or one of the others (in the beginning) but I found if I just chose the O365 and Azure defaults then the script runs successfully.

Thank you - hopefully that helps provide some context.
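
The truncation warning quoted in the report and the suggestion to shorten the lookback both concern how much of the UAL one search covers. The sketch below is an added example, not part of this thread or of Sparrow.ps1: it keeps the full date range but splits any window that comes back at the result cap. `Invoke-WindowedSearch`, `$Search` and the sample data are hypothetical names and constructed values; 5000 is the maximum that `Search-UnifiedAuditLog -ResultSize` accepts.

```powershell
# Added example (not Sparrow code): cover a long date range in windows so that
# no single search silently stops at the result cap.
function Invoke-WindowedSearch {
    param(
        [Parameter(Mandatory)] [datetime]    $StartDate,
        [Parameter(Mandatory)] [datetime]    $EndDate,
        [Parameter(Mandatory)] [scriptblock] $Search,   # invoked as: & $Search $from $to
        [int]      $Cap       = 5000,
        [timespan] $MinWindow = [timespan]::FromHours(1)
    )
    $pending = [System.Collections.Generic.Stack[object]]::new()
    $pending.Push([pscustomobject]@{ From = $StartDate; To = $EndDate })
    while ($pending.Count -gt 0) {
        $w    = $pending.Pop()
        $rows = @(& $Search $w.From $w.To)
        $span = $w.To - $w.From
        if ($rows.Count -ge $Cap -and $span -gt $MinWindow) {
            # A full page means the window was probably truncated: discard it
            # and search each half instead (earlier half is processed first).
            $mid = $w.From.AddTicks([long]($span.Ticks / 2))
            $pending.Push([pscustomobject]@{ From = $mid;    To = $w.To })
            $pending.Push([pscustomobject]@{ From = $w.From; To = $mid })
            continue
        }
        if ($rows.Count -ge $Cap) {
            Write-Warning "Window $($w.From) .. $($w.To) still returns $Cap rows; results may be incomplete."
        }
        $rows   # emit this window's records to the pipeline
    }
}

# Constructed sample data: 12,000 fake event times packed into one week.
$end    = [datetime]'2021-01-08'
$events = 0..11999 | ForEach-Object { $end.AddDays(-7).AddSeconds($_ * 50) }

# Stand-in for the real search; it truncates at 5000 rows the way a capped query would.
$stub = { param($from, $to)
    $events | Where-Object { $_ -ge $from -and $_ -lt $to } | Select-Object -First 5000 }

$all = @(Invoke-WindowedSearch -StartDate $end.AddDays(-90) -EndDate $end -Search $stub)
'Retrieved {0} of {1} constructed events' -f $all.Count, $events.Count

# Against a tenant the search block would be, for example:
#   { param($from, $to) Search-UnifiedAuditLog -StartDate $from -EndDate $to -ResultSize 5000 }
```

With a real search, a record that falls exactly on a split boundary can appear in both halves, so de-duplicate the combined output before analysis.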