CISA Releases Untitled Goose Tool
The U.S. CISA has released a free post-incident hunting tool for organizations using Microsoft Azure, Azure Active Directory, and Microsoft 365 applications.
The tool was built by CISA and Sandia National Laboratories; neither agency explained why they built a free log-hunting tool for Microsoft Azure, Azure Active Directory, and Microsoft 365 services.
Network defenders attempting to interrogate a large M365 tenant via the UAL [unified audit log] may find that manually gathering all events at once is not feasible.
The Untitled Goose Tool extracts logs without performing additional analytics. It can set time bounds on the UAL and extract only the data that falls within them, and it can collect Microsoft Defender for Endpoint data with the same time bounding. The tool is designed to help organizations run a full investigation after a security incident.
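To illustrate the time-bounding idea the article refers to, here is an added example (not code from Untitled Goose Tool or from CISA) that walks a UAL date range in fixed windows using the standard Exchange Online `Search-UnifiedAuditLog` cmdlet, so a large tenant is never queried all at once. The sign-in UPN, the window size, the date range and the output path are assumed placeholders.

```powershell
# Added example, not part of Untitled Goose Tool: time-bounded, chunked
# collection of unified audit log (UAL) events. Requires the
# ExchangeOnlineManagement module and an account permitted to read the UAL.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),   # assumed: last 7 days
    [datetime]$End   = (Get-Date),
    [int]$WindowHours = 6,                        # assumed chunk size
    [string]$OutFile = ".\ual-export.jsonl"       # assumed output path
)

Import-Module ExchangeOnlineManagement
# Assumed analyst UPN; interactive sign-in prompts for credentials/MFA.
Connect-ExchangeOnline -UserPrincipalName 'analyst@example.onmicrosoft.com'

$cursor = $Start
$total  = 0
while ($cursor -lt $End) {
    $windowEnd = $cursor.AddHours($WindowHours)
    if ($windowEnd -gt $End) { $windowEnd = $End }

    # One session id per window. ReturnLargeSet pages up to 50,000 records
    # per session in 5,000-record pages; the do/while drains the window.
    $sessionId = "ual-$($cursor.ToString('yyyyMMddHHmm'))"
    $pageCount = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $cursor -EndDate $windowEnd `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) {
            # AuditData is already JSON; emit one record per line for later tooling.
            $page | ForEach-Object { $_.AuditData } | Add-Content -Path $OutFile
            $pageCount += $page.Count
        }
    } while ($page -and $page.Count -eq 5000)

    # Reaching the per-session ceiling means this window may be incomplete:
    # flag it so the analyst re-runs that slice with a smaller WindowHours.
    if ($pageCount -ge 50000) {
        Write-Warning "Window $cursor - $windowEnd hit the 50,000-record ceiling; narrow it."
    }
    Write-Host ("{0:u} -> {1:u}: {2} records" -f $cursor, $windowEnd, $pageCount)
    $total += $pageCount
    $cursor = $windowEnd
}
Write-Host "Collected $total records into $OutFile"
Disconnect-ExchangeOnline -Confirm:$false
```

Paged ReturnLargeSet output is unsorted and can contain duplicates, so de-duplicate the export on the record `Identity` (or the `Id` inside `AuditData`) before analysis.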
Here’s how the GitHub page described it:
Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).
The Untitled Goose Tool, currently available from its GitHub repository, is a post-incident log forensics tool executed via a PowerShell script. It runs on Windows or macOS, but CISA recommends using it on Windows, ideally in a virtual environment. Python 3.7, 3.8 or 3.9 is also required to use the tool.