CISA, in coordination with Sandia National Laboratories, released a free, open-source hunt and incident response tool, known as Untitled Goose Tool, to the CISA GitHub Repository in March. Untitled Goose Tool adds novel authentication and data gathering methods to help network defenders analyze Microsoft cloud services and detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. Users can run Untitled Goose Tool once, as a snapshot in time, or routinely. For certain log types, the tool will pick up from the last time it was executed.
CISA advises users to employ Untitled Goose Tool to:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
- Query, export, and investigate AAD, M365, and Azure configurations.
The repository has already garnered over 23,000 unique visitors and received 668 stars from the community. CISA welcomes user contributions to add new features or further build out the tool via the Untitled Goose Tool GitHub Repository.