CISA Releases Untitled Goose Tool for Tracking Microsoft Azure and Microsoft 365 Security Incidents

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the release of a publicly available and free post-incident hunting tool for organizations using Microsoft Azure, Azure Active Directory and Microsoft 365 applications.

CISA's "Untitled Goose Tool" pulls log information (sign-in, audit log, activity log and alerts) from these Microsoft services, as well as Microsoft Defender alerts info. The information gets extracted into JavaScript Object Notation (JSON) format, which then can be used in a security information and events management (SIEM) tool for analysis of "AAD, M365, and Azure configurations." The extracted logs also can be put in a "web browser, text editor, or a database," CISA explained in its FAQ document (PDF).

A Tool for Large Tenancies
The tool was built by CISA and Sandia National Laboratories. The exact reason for these government agencies to build a free log-hunting tool for Microsoft Azure, Azure Active Directory and Microsoft 365 services wasn't explained. However, CISA's FAQ suggested that organizations may currently lack a tool that will interrogate log data across a large tenancy.

"Network defenders attempting to interrogate a large M365 tenant via the UAL [unified audit log] may find that manually gathering all events at once is not feasible," the FAQ stated.

The Untitled Goose Tool can perform its log extraction "without performing additional analytics." It has the ability to set "time bounding of the UAL" and extract data within time bounds. It can also collect Microsoft Defender for Endpoint data using time bounding.

The Untitled Goose Tool also can be helpful for organizations that currently "aren't ingesting logs into a Security Information and Events Management (SIEM) or other long term solution for logs," according to the GitHub description. Moreover, the tool was designed to help organizations "run a full investigation" after security incidents.

Here's how the GitHub page described it:

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer's Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

The Untitled Goose Tool, currently available from the GitHub repository, is just a post-incident log forensics tool executed via a PowerShell script. It cannot make changes, the FAQ indicated. It'll run on a Windows or MacOS system, but CISA recommended using it on Windows, especially in a virtual environment. Python 3.7, 3.8 or 3.9 also is required to use the tool.

Other CISA Cybersecurity Efforts
CISA also announced this week that it has published identity and access management best practices for administrators, in conjunction with the U.S. National Security Agency. This 31-page document also involved collaboration with Enduring Security Framework (ESF) panelists. CISA described the ESF as "a public-private cross-sector partnership that aims to address risks that threaten critical infrastructure and national security systems."

If that weren't enough, CISA announced that it has updated its Cybersecurity Performance Goals (CPGs) with feedback from "stakeholders." The CPGs are baseline security goals set by CISA and the National Institute of Standards and Technology in response to the White House's July memo on improving security for critical infrastructure control systems.

Here's CISA's characterization of the CPGs:

The CPGs are a prioritized subset of information technology (IT) and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.

The CPGs are just voluntary guidelines and they aren't comprehensive.

CISA is an organization that advises U.S. government agencies on cybersecurity matters. However, its work also tends to pertain to organizations more generally.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


comments powered by Disqus

Subscribe on YouTube