"New CISA Tool Detects Hacking Activity in Microsoft Cloud Services"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has released a new open-source incident response tool to help detect malicious activity in Microsoft cloud environments. This Python-based utility, known as the "Untitled Goose Tool" and created in collaboration with Sandia National Laboratories, can dump telemetry data from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments. According to CISA, Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods to conduct a comprehensive investigation against a customer's Azure Active Directory, Azure, and M365 environments. Among other things, CISA's cross-platform Microsoft cloud interrogation and analysis tool allows security professionals and network administrators to export and review AAD sign-in and audit logs, M365 unified audit logs, Azure activity logs, Microsoft Defender for Internet of Things (IoT) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity. This article continues to discuss CISA's Untitled Goose Tool and another open-source tool called Decider recently released by the agency.  

Bleeping Computer reports "New CISA Tool Detects Hacking Activity in Microsoft Cloud Services"
