CISA releases free tool for detecting malicious activity in Microsoft cloud environments
Network defenders searching for malicious activity in their Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) cloud environments have a new free solution at their disposal: Untitled Goose Tool.
Released by the Cybersecurity and Infrastructure Security Agency (CISA), it is an open-source tool that allows users to export and review logs, alerts, configurations, cloud artifacts, and more.
The tool’s capabilities
As an agency charged with – among other things – helping US-based organizations in the government and private sector protect themselves against cyber attackers, CISA regularly releases free open-source services and tools for defenders to use.
“The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services,” CISA reveals.
The tool allows users to:
- Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity
- Query, export, and investigate AAD, M365, and Azure configurations
- Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analytics
- Perform time bounding of the UAL
- Extract data within those time bounds
- Collect and review data using similar time bounding capabilities for MDE data
The tool can’t change anything in the cloud environment – it can only find and deliver information. How quickly it does that depends on the size of the cloud environment, the amount of activity, and the specific call set in the configuration file.
Using the tool
The tool can be installed on macOS, Linux and Windows, and is compatible with Azure, Azure AD, and M365 environments. It needs Python 3.7, 3.8, or 3.9 to run.
The tool’s output, delivered in JSON format, can be fed into a SIEM tool, web browser, text editor, or database to review and analyze the information collected.
“Users can run Untitled Goose Tool once, as a snapshot in time, or routinely. For certain log types, the tool will pick up from the last time the tool was executed,” CISA explained.