The U.S. Cybersecurity and Infrastructure Security Agency has released the Untitled Goose Tool, a free tool designed to help network defenders detect malicious activity in Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365) environments.
According to CISA, the Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they analyze their Microsoft cloud services for threats.
The agency says the tool can help security professionals export and review AAD sing-in and audit logs, M365 unified audit log, Azure activity logs, Microsoft Defender for IoT alerts, and Microsoft Defender for Endpoint data for suspicious activity.
In addition, the tool can query, export and investigate configurations; extract cloud artifacts from AAD, Azure and M365 environments; perform time bounding of the M365 unified audit log; extract data within those time bounds; and collect and review data using similar time bounding capabilities for Defender for Endpoint.
The tool was developed by CISA with support from Sandia National Laboratories.
CISA calls the Untitled Goose Tool a “robust and flexible hunt and incident response tool” that helps defenders gather data from a large M365 tenant. It requires Python 3.7, 3.8 or 3.9, and is best used within a virtual environment, the agency says.
To learn more, read the fact sheet and visit the Untitled Goose Tool GitHub repository.
