CISA Issues DDoS Warning As Multiple Organizations Hit With Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new open-source incident response tool called the ‘Untitled Goose Tool’, which can help detect signs of malicious activity in Microsoft cloud environments. The tool was developed in collaboration with Sandia National Laboratories, a US Department of Energy national laboratory, and is available on GitHub.

The ‘Untitled Goose Tool’ can be used to extract telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments. This data can then be used to identify suspicious activity, such as unauthorized logins, unusual file access, and changes to critical settings.

CISA announcing the ‘Untitled Goose Tool’ on their official Twitter account. (Source: Twitter)

CISA has already used the tool to notify more than 60 entities of early-stage ransomware intrusions since January 2023. The agency also revealed that it has been working with Microsoft to develop additional tools and capabilities to help protect Microsoft cloud environments from malicious activity.

The ‘Untitled Goose Tool’ is a valuable resource for organizations that use Microsoft cloud services. It can help to identify and respond to threats before they cause significant damage. The tool is also open-source, which means that it can be used by organizations of all sizes and budgets.

CISA ‘Untitled Goose Tool’ Features + Download

CISA summarizes the tool's capabilities as follows:

  • It can export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
  • It can query, export, and investigate AAD, M365, and Azure configurations.
  • It can extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
  • It can perform time bounding of the UAL.
  • It can extract data within those time bounds.

The tool is also easy to use and can be run by anyone with basic familiarity with Microsoft cloud environments. It is available now on GitHub, and CISA has created a helpful Untitled Goose Tool fact sheet on their website.
