December 9, 2023

The U.S. CISA released free post-incident hunting tools for organizations using Microsoft Azure, Azure Active Directory, and Microsoft 365 applications.

The tool was built by CISA and Sandia National Laboratories, and the exact reason for these government agencies to build a free log-hunting tool for Microsoft Azure, Azure Active Directory, and Microsoft 365 services wasn’t explained.


The tool called Untitled Goose Tool pulls log information from these Microsoft services, as well as Microsoft Defender alerts info. The information gets extracted into JavaScript Object Notation (JSON) format, which then can be used in a SIEM tool for analysis of “AAD, M365, and Azure configurations” The extracted logs also can be put in a “web browser, text editor, or a database,”.

Network defenders attempting to interrogate a large M365 tenant via the UAL [unified audit log] may find that manually gathering all events at once is not feasible.

The Untitled Goose Tool can perform its log extraction without performing additional analytics. It has the ability to set time bounding of the UAL and extract data within time bounds. It can also collect Microsoft Defender for Endpoint data using time bounding. The tool is designed to help organizations run a full investigation after security incidents

Here’s how the GitHub page described it:

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

The Untitled Goose Tool, currently available from the GitHub repository, is just a post-incident log forensics tool executed via a PowerShell script. It’ll run on a Windows or MacOS system, but CISA recommended using it on Windows, especially in a virtual environment. Python 3.7, 3.8 or 3.9, is also required to use the tool.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.