This tool allows network defenders to query, export, and investigate audit logs, Unified Audit Logs (UALs), Azure activity logs, and Microsoft Defender for Endpoint (MDE) data. Untitled Goose Tool can support incident response teams by exporting cloud artifacts; this can be especially useful for environments that do not ingest logs into a security information and event management (SIEM) tool or other long-term solutions for log storage after an incident.
CISA developed the Untitled Goose Tool to fill a gap in PowerShell tools, which lacked data collection capacity for Azure, AAD, and M365 investigations. Many tools available prior to Untitled Goose Tool had the same overlaps (e.g., pulled the same data) but missed large amounts of critical data. Additionally, many tools could not extract the UAL in a timely fashion. Even when the tools extracted the data in a timely fashion, the logs were usually cut short due to PowerShell’s restriction on number of log entries returned from a query (5000).
Untitled Goose Tool uses novel data-gathering methods via bespoke mechanisms to analyze and gather large M365 data sets via the UAL. This allows network defenders to:
See CISA’s Untitled Goose Tool GitHub Repository for directions on installing and using the tool.
If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland
Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more