The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new open-source incident response tool. The Python-based utility is designed to help organizations track vulnerabilities in Microsoft cloud environments.
Specifically, CISA has teamed up with the U.S. Department of Energy’s Sandia National Laboratories to develop the Untitled Goose Tool. It utilizes different sophisticated hunting queries to detect the signs of exploitation in Microsoft 365, Microsoft Azure, and Azure Active Directory (AAD). The utility can also be used with other Microsoft security solutions to identify and mitigate security threats.
CISA detailed that the Untitled Goose Tool allows IT admins to perform the following operations:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
- Query, export, and investigate AAD, M365, and Azure configurations.
- Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics.
- Perform time bounding of the UAL.
- Extract data within those time bounds.
- Collect and review data using similar time bounding capabilities for MDE data.
Getting started with the Untitled Goose Tool
CISA says that customers can download and install the Untitled Goose Tool on Windows, macOS, and Linux machines. However, it requires users to install Python version 3.7, 3.8, or 3.9 to run on their systems.
Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) released a free tool called Decider. Its purpose is to help security teams map attackers’ behavior to the Mitre ATT&CK framework. Decider comes with intuitive search and filtering capabilities, making it easy for users to find the information they need. It also allows users to export results to commonly used formats for further analysis.