CISA releases open source Untitled Goose Tool to detect malicious activity in Azure, Azure Active Directory and Microsoft 365 environments

The CISA has launched a new security tool designed to help protect various Microsoft cloud services. The open source Untitled Goose Tool is available for both Windows and macOS.

The utility was developed by the US Cybersecurity & Infrastructure Security Agency in conjunction with Sandia National Laboratories. The aim of the tool is to help to detect and respond to malicious activity in Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365) environments.

See also:

• Microsoft fixes serious privacy vulnerability in Windows 11 Snipping Tool... but not for everyone
• Microsoft panics Windows 11 users with 'Local Security Authority protection is off' warning
• Microsoft is changing the release schedule for Windows update previews

Announcing the availability of the utility, the security agency says: "Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services".

Over on the Untitled Goose Tool GitHub repository, the security utility is described as follows:

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

The CISA says that the tools can be used by network defenders to:

• Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity
• Query, export, and investigate AAD, M365, and Azure configurations
• Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics
• Perform time bounding of the UAL via goosey graze
• Extract data within those time bounds with goosey honk
• Interrogate and collect data using similar time bounding capabilities for MDE data

More information is available in the Untitled Goose Tool fact sheet.

Image credit: Gelpi / depositphotos