CISA Released a New Tool to Detect Hacking Activity in Microsoft Cloud Environments

In Cybersecurity News - Original News Source is by Blog Writer

Post Sharing

As part of its ongoing efforts to protect Microsoft cloud environments against malicious activity, CISA recently introduced an open-source incident response tool called the “Untitled Goose Tool.”

This Python-based utility tool was developed in collaboration with Sandia, a national laboratory of the United States Department of Energy. Following are the environments from which telemetry information can be dumped with the help of this tool:-

  • Azure Active Directory
  • Microsoft Azure
  • Microsoft 365
  • Microsoft Defender for Endpoint (MDE)
  • Defender for Internet of Things (IoT) (D4IoT)

Features of Untitled Goose Tool

Security experts and network administrators can use CISA’s cross-platform Microsoft cloud analysis and interrogation tool to:-

  • In-depth analysis and export of:
  • AAD sign-in and audit logs
  • M365 unified audit log
  • Azure activity logs
  • Microsoft Defender for IoT alerts
  • Microsoft Defender for Endpoint data for suspicious activity
  • Analyze AAD, M365, and Azure configurations through queries, exports, and investigation.
  • It enables the extraction of the cloud artifacts without performing additional analytics from Microsoft’s AAD, Azure, and M365 environments.
  • The time bounding of the UAL could be performed.
  • In accordance with those time bounds, it enables data extraction.
  • For MDE data, similar time-bounding capabilities can be used to collect, review, and compare data.


To run the Untitled Goose Tool with Python, the following versions are required:-

  • Python 3.7
  • Python 3.8
  • Python 3.9

Furthermore, running the Untitled Goose Tool in a virtual environment is recommended.

  • Mac OSX
  • Linux
  • Windows

Recent developments have seen the CISA undertake several mitigatory steps to improve the security measures that organizations can take against emerging cyber threats.

As a result, a new open-source tool called ‘Decider’ was launched earlier this month by CISA. This tool is mainly aimed at defenders, which helps them in creating MITRE ATT&CK mapping reports.

Decider was launched after the publication of a “best practices” guide in January, stressing the significance of adhering to the standard.

As part of its announcement, it warned critical infrastructure entities at the beginning of 2023 that their systems were susceptible to ransomware attacks due to internet exposure.

The announcement resulted from a new partnership launched in August 2021 to focus on protecting the core infrastructure of the United States from cyber attacks such as ransomware. At the same time, they named this collaboration the JCDC (Joint Cyber Defense Collaborative).


It is quite easy to install the package by cloning the repository and then doing an install with pip:

git clone
cd untitledgoosetool
python3 -m pip install .

In June 2021, Ransomware Readiness Assessment (RRA) was launched to update the Cyber Security Evaluation Tool (CSET). This module aims to assist organizations in assessing their preparedness for preventing and recovering from ransomware and other cyberattacks.

Building Your Malware Defense Strategy – Download Free E-Book

Related Coverage: