CISA and Sandia National Laboratories Introduce Untitled Goose Tool for Enhanced Azure and Microsoft 365 Security

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with Sandia National Laboratories, has unveiled the Untitled Goose Tool, a powerful and flexible hunt and incident response tool designed for Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. This novel tool aims to help network defenders detect potentially malicious activity by offering innovative authentication and data gathering methods. Goose is freely available on the CISA GitHub Repository.

CISA recommends network defenders utilize the Untitled Goose Tool for various tasks, including exporting and reviewing AAD sign-in and audit logs, M365 unified audit logs (UAL), Azure activity logs, Microsoft Defender for IoT alerts, and Microsoft Defender for Endpoint (MDE) data to identify suspicious activity. The tool can also be used to query, export, and investigate AAD, M365, and Azure configurations.

Manually gathering events from large M365 tenants via the UAL can be challenging. The Untitled Goose Tool addresses this with its own data gathering methods and bespoke mechanisms. Network defenders can extract cloud artifacts from Microsoft's AAD, Azure, and M365 environments, perform time bounding of the UAL via goosey graze, extract data within those time bounds with goosey honk, and interrogate and collect MDE data using similar time bounding capabilities.

The Untitled Goose Tool runs against users' Azure, Azure AD, and M365 environments and requires Python 3.7, 3.8, or 3.9. For optimal results, CISA advises running the tool within a virtual environment. Detailed instructions and accompanying resources for the Untitled Goose Tool can be found in the README.md file on CISA's GitHub repository.

CISA and Sandia also designed the tool to operate on both Windows and macOS, with the PowerShell script recommended for Windows use only. Users are encouraged to ingest the JSON results into a Security Information and Event Management (SIEM) tool, web browser, text editor, or database.

The tool can be run once or on a recurring basis, with certain log types picking up from the last time it was executed. Before using the tool, users must configure it by editing the .conf file, as outlined in the README.md file on the GitHub repository.
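To illustrate the time-bounded and incremental collection described above (time bounding the UAL, then picking up from the last run), here is an added Python example that is not code from the Goose repository: the record field names, the checkpoint scheme and the sample records are all constructed assumptions, not the tool's actual output schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample in a UAL-like shape (field names illustrative, not Goose's output schema).
SAMPLE_UAL = json.dumps([
    {"CreationTime": "2023-03-01T09:15:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com"},
    {"CreationTime": "2023-03-02T11:00:00", "Operation": "New-InboxRule", "UserId": "bob@example.com"},
    {"CreationTime": "2023-03-03T08:30:00", "Operation": "Add-MailboxPermission", "UserId": "bob@example.com"},
    {"CreationTime": "2023-03-04T17:45:00", "Operation": "UserLoggedIn", "UserId": "carol@example.com"},
])


def parse_ts(value):
    """Parse an ISO-8601 timestamp; values without an offset are treated as UTC."""
    ts = datetime.fromisoformat(value.rstrip("Z"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def time_bound(records, start_iso, end_iso):
    """Keep records whose CreationTime falls in the half-open window (start, end]."""
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    return [r for r in records if start < parse_ts(r["CreationTime"]) <= end]


def collect_since_checkpoint(raw_json, checkpoint_iso, now_iso):
    """Incremental pull: records newer than the saved checkpoint, plus the checkpoint to save next.

    Returns (records, new_checkpoint_iso). The newest CreationTime seen becomes the next
    checkpoint (assumed scheme); if nothing new was seen the checkpoint is left unchanged,
    so the next run re-queries the same window instead of silently skipping ahead.
    """
    records = json.loads(raw_json)
    window = time_bound(records, checkpoint_iso, now_iso)
    if not window:
        return window, checkpoint_iso
    newest = max(parse_ts(r["CreationTime"]) for r in window)
    return window, newest.isoformat()


if __name__ == "__main__":
    got, next_cp = collect_since_checkpoint(SAMPLE_UAL, "2023-03-02T00:00:00", "2023-03-05T00:00:00")
    for r in got:
        print(r["CreationTime"], r["Operation"], r["UserId"])
    print("next checkpoint:", next_cp)
```

Because the window is open at the checkpoint end, the record that set the checkpoint is not collected again on the next run.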

Importantly, the Untitled Goose Tool only queries for information and cannot make changes to the cloud environment. The performance time of the tool varies depending on the cloud environment size, activity levels, and the specific call set in the configuration file.