The U.S. Cybersecurity & Infrastructure Security Agency (CISA) introduced an open-source incident response tool called the "Untitled Goose Tool" to detect hacking activity in Microsoft cloud environments.
The agency developed this tool with Sandia National Laboratories, a research and development laboratory which is part of the United States Department of Energy's National Nuclear Security Administration.
- The "Untitled Goose Tool" was created to help network defenders detect malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 environments.
- Network defenders can leverage the tool's novel authentication and data-gathering methods to interrogate and analyze their Microsoft cloud services.
- Users can perform the following tasks with the new tool:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
- Query, export, and investigate AAD, M365, and Azure configurations.
- Extract cloud artifacts from Microsoft's AAD, Azure, and M365 environments without performing additional analytics.
- Perform time bounding of the UAL.
- Extract data within those time bounds.
- Collect and review data using similar time-bounding capabilities for MDE data.
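The time-bounding step listed above, as an added example that is not the Goose Tool's own code: it filters constructed UAL-style records to a UTC time window and summarizes the operations each user performed, for review. The field names follow the UAL common schema, but the sample records and the review logic are assumptions for illustration.

```python
"""Time-bound exported Unified Audit Log (UAL) records and summarize them.

Added example, not part of CISA's Untitled Goose Tool. The records below are
constructed; they mimic the shape of UAL export entries (CreationTime,
Operation, UserId, Workload) but are not real data.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records, one JSON object per line (not real data).
SAMPLE_UAL = """
{"CreationTime": "2023-03-01T08:15:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-03-02T23:59:59", "Operation": "New-InboxRule", "UserId": "alice@example.com", "Workload": "Exchange"}
{"CreationTime": "2023-03-03T00:00:00", "Operation": "FileDownloaded", "UserId": "bob@example.com", "Workload": "SharePoint"}
{"CreationTime": "2023-03-05T10:00:00Z", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "Workload": "AzureActiveDirectory"}
"""


def parse_time(value: str) -> datetime:
    """UAL timestamps are UTC; some exports omit the trailing 'Z', so accept both."""
    if value.endswith("Z"):
        value = value[:-1]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def time_bound(records: str, start: str, end: str) -> list[dict]:
    """Return records with start <= CreationTime < end (both UTC ISO-8601 strings)."""
    lo, hi = parse_time(start), parse_time(end)
    kept = []
    for line in records.strip().splitlines():
        rec = json.loads(line)
        if lo <= parse_time(rec["CreationTime"]) < hi:
            kept.append(rec)
    return kept


def operations_by_user(records: list[dict]) -> dict[str, Counter]:
    """Count which operations each user performed inside the window, for triage."""
    summary: dict[str, Counter] = {}
    for rec in records:
        summary.setdefault(rec["UserId"], Counter())[rec["Operation"]] += 1
    return summary


if __name__ == "__main__":
    window = time_bound(SAMPLE_UAL, "2023-03-01T00:00:00", "2023-03-03T00:00:00")
    for user, ops in operations_by_user(window).items():
        print(user, dict(ops))
```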