Irish Information Security Forum

Untitled Goose Tool

CISA, together with Sandia National Laboratories, developed the Untitled Goose Tool to assist network defenders with hunt and incident response activities in Microsoft Azure, AAD, and M365 environments.


This tool allows network defenders to query, export, and investigate audit logs, Unified Audit Logs (UALs), Azure activity logs, and Microsoft Defender for Endpoint (MDE) data. Untitled Goose Tool can support incident response teams by exporting cloud artifacts; this can be especially useful for environments that do not ingest logs into a security information and event management (SIEM) tool or other long-term solutions for log storage after an incident.

CISA developed the Untitled Goose Tool to fill a gap in PowerShell tools, which lacked data collection capacity for Azure, AAD, and M365 investigations. Many tools available prior to Untitled Goose Tool had the same overlaps (e.g., pulled the same data) but missed large amounts of critical data. Additionally, many tools could not extract the UAL in a timely fashion. Even when the tools extracted the data in a timely fashion, the logs were usually cut short due to PowerShell’s restriction on number of log entries returned from a query (5000).


goosey gui

Untitled Goose Tool uses novel data-gathering methods via bespoke mechanisms to analyze and gather large M365 data sets via the UAL. This allows network defenders to:


  • Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments.
  • Perform time bounding of the UAL with goosey graze.
  • Extract data within those time bounds with goosey honk.
  • Collect data using time-bounding capabilities for MDE data.

See CISA’s Untitled Goose Tool GitHub Repository for directions on installing and using the tool.


If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:

By email:

By post:

David Cahill

Information Security

GPO, 1-117
D01 F5P2

Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland



Invitations for Annual Sponsorship of IISF has now reopened.

Sponsorship of IISF Opportunity
(your logo & profile link here)


Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more


secured by edgescan digital security radar logo

© iiSf. All rights reserved. CRN: 3400036GH  - Privacy Statement  - Sponsorship  - Cybersecurity News Topics  - Cybersecurity Resources  - Produced by
LinkedIn Twitter