CISA Releases Hunt Tool for Microsoft's Cloud Services

The Untitled Goose Tool is the latest tool from the United States Cybersecurity and Infrastructure Security Agency to help enterprise security teams respond to attacks.

Developed in conjunction with Sandia National Labs, the Untitled Goose Tool “offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services,” CISA said in its announcement, which specifically listed Microsoft Azure, Microsoft 365, and Azure Active Directory. With this tool, defenders can run a full investigation by interrogating and collecting Azure Active Directory sign-in and audit logs, Microsoft 365 unified audit log, Azure activity logs, Microsoft Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint data for suspicious activity, CISA said in its Untitled Goose Tool fact sheet. Defenders can also query, export, and investigate Azure Active Directory, Microsoft 365, and Azure configurations.

The hunt and incident response tool was designed to assist incident response teams export cloud artifacts after an incident for environments that aren’t ingesting logs into the organization’s Security Information and Events Management (SIEM) platform, CISA said on the Untitled Goose GitHub repository page. The defenders can then ingest the JSON results into an existing SIEM, web browser, text editor, or database, for additional analysis.

The Untitled Goose Tools was announced on the same day as the Pre-Ransomware Notification Initiative, which aims to warn organizations about ransomware attacks early enough so that organizations can block the attempt to steal or encrypt data. Earlier in March, CISA announced the Decider tool, which will help organizations map adversary behavior to the MITRE ATT&CK framework to find gaps in their defenses, as well as the Ransomware Vulnerability Warning Pilot, to warn critical infrastructure entities about flaws in their systems.