May 2, 2024

The U.S. CISA released free post-incident hunting tools for organizations using Microsoft Azure, Azure Active Directory, and Microsoft 365 applications.

The tool was built by CISA and Sandia National Laboratories, and the exact reason for these government agencies to build a free log-hunting tool for Microsoft Azure, Azure Active Directory, and Microsoft 365 services wasn’t explained.

Advertisements

The tool called Untitled Goose Tool pulls log information from these Microsoft services, as well as Microsoft Defender alerts info. The information gets extracted into JavaScript Object Notation (JSON) format, which then can be used in a SIEM tool for analysis of “AAD, M365, and Azure configurations” The extracted logs also can be put in a “web browser, text editor, or a database,”.

Network defenders attempting to interrogate a large M365 tenant via the UAL [unified audit log] may find that manually gathering all events at once is not feasible.

The Untitled Goose Tool can perform its log extraction without performing additional analytics. It has the ability to set time bounding of the UAL and extract data within time bounds. It can also collect Microsoft Defender for Endpoint data using time bounding. The tool is designed to help organizations run a full investigation after security incidents

Here’s how the GitHub page described it:

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

The Untitled Goose Tool, currently available from the GitHub repository, is just a post-incident log forensics tool executed via a PowerShell script. It’ll run on a Windows or MacOS system, but CISA recommended using it on Windows, especially in a virtual environment. Python 3.7, 3.8 or 3.9, is also required to use the tool.

Advertisements
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – April, 2024

May 1, 2024

CISA adds CVE-2024-29988 to its KEV catalog

May 1, 2024

CISA releases guidelines on AI Based attacks

May 1, 2024

Synopsys introduced AI Powered Polaris Assist

April 30, 2024

Palo Alto Bug CVE-2024-3400 Exploited to install XMRig Malware

April 30, 2024

QNAP Releases Patches for Critical Vulnerabilities -CVE-2024-32766 & CVE-2024-32764

April 29, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading