The Goose Tool is a new free tool that may assist network defenders in identifying possibly malicious activities in Microsoft Azure, Azure Active Directory, and Microsoft 365 environments. It was developed by CISA and is available on their website. The Unidentified Goose Tool, which was developed with assistance from Sandia National Laboratories, provides network defenders with unique authentication and data collection techniques that may be used when they are investigating and analyzing their Microsoft cloud services.
According to CloudVulnDB, an open project that tracks vulnerabilities affecting major cloud providers, there is a lengthy record of severe security flaws plaguing Redmond’s flagship Azure, and defenders have long complained about the lack of insight into possible infections.
The Untitled Goose Tool is a powerful and adaptable investigation and incident response instrument. When network defenders interrogate and analyze the environments of Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365), the tool provides them with novel authentication and data gathering methods to use in the process. These methods can be used to detect potentially malicious activity. Goose, which was created by CISA in collaboration with Sandia National Laboratories, may be downloaded for free from the CISA GitHub Repository.
Network defenders are encouraged to use the Untitled Goose Tool in order to carry out the following tasks: • Export and review AAD sign-in and audit logs; M365 unified audit log (UAL); Azure activity logs; Microsoft Defender for IoT (internet of things) alerts; and Microsoft Defender for Endpoint (MDE) data