CISA Activity - Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments

  • Welcome to ITBible, we're your #1 resource for enterprise or homelab IT problems (or just a place to show off your stuff).
C

CISA

Guest
Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services. The tool enables users to:

  • Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
  • Query, export, and investigate AAD, M365, and Azure configurations.
  • Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
  • Perform time bounding of the UAL.
  • Extract data within those time bounds.
  • Collect and review data using similar time bounding capabilities for MDE data.

Untitled Goose Tool was developed by CISA with support from Sandia National Laboratories. The tool is freely available on the Untitled Goose Tool GitHub repository.

Continue reading...