The US Cybersecurity & Infrastructure Security Agency (CISA) has released a new open-source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.

Known as the “Untitled Goose Tool” and developed in conjunction with Sandia, a US Department of Energy National Laboratory, this Python-based utility can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.

“Untitled Goose Tool is a robust and flexible incident hunting and response tool that adds new authentication and data collection methods to conduct a comprehensive investigation of a customer’s Azure Active Directory (AzureAD), Azure and M365 environments,” CISA said.

“Untitled Goose Tool brings together additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for the Internet of Things (IoT) (D4IoT).”

With the help of CISA’s cross-platform Microsoft cloud query and analysis tool, security experts and network administrators can:

  • Export and examine AAD sign-in and audit logs, the M365 Unified Audit Log (UAL), Azure Activity Logs, Microsoft Defender for IoT (Internet of Things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.
  • Query, export, and investigate AAD, M365, and Azure configurations.
  • Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analysis.
  • Time-bound the UAL, restricting collection to a chosen time window.
  • Extract the data within these time frames.
  • Collect and examine data using similar time-limiting features for MDE data.

Earlier this month, CISA released an open-source tool called ‘Decider’ to help defenders generate MITRE ATT&CK mapping reports to adjust their security posture based on adversaries’ tactics and techniques.

Decider was released after CISA published a “best practices” guide on MITRE ATT&CK mapping in January, emphasizing the importance of using the standard.

The agency also announced that since January 2023 it has been warning critical infrastructure entities about Internet-exposed systems vulnerable to ransomware attacks.

“Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the energy, healthcare and utility sectors, public health, water and wastewater, and the educational community,” CISA revealed today.

This followed the launch of a new partnership in August 2021 to protect the United States’ critical infrastructure from ransomware and other cyber threats, known as the Joint Cyber Defense Collaborative (JCDC).

In June 2021 the cybersecurity agency had also released a new module for its Cyber Security Evaluation Tool (CSET), known as the Ransomware Readiness Assessment (RRA), to help organizations assess their ability to prevent and recover from ransomware attacks.

Two months later it published guidelines to help private sector and at-risk government organizations prevent data breaches resulting from ransomware attacks.
