The Goose is loose. Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Untitled Goose Tool (UGT) is an open source tool developed by the Cybersecurity and Infrastructure Security Agency (CISA) of the United States Department of Homeland Security. It is designed to help organizations assess their security posture and identify potential security risks. UGT provides a comprehensive set of security assessment capabilities, including authentication, authorization, and audit logging.
To use UGT, users must have Python 3.7, 3.8, or 3.9 installed, as well as a virtual environment. Additionally, users must have certain AzureAD/M365 permissions, as well as Azure Subscription IAM Roles. To install UGT, users must clone the repository and then run a pip install. UGT also has a simplified GUI based on Gooey.
UGT is designed to be used in conjunction with other security tools, such as Microsoft Defender for IoT (D4IOT) and Microsoft Graph Security API (M365). It can be used to assess the security of cloud-based services, such as Microsoft Azure, Office 365, and Exchange Online. UGT also provides a set of commands to automate the process of gathering and analyzing security data.
The UGT authentication process requires users to provide credentials in order to access the tool. This can be done through a configuration file or by using the goosey auth command. Once authenticated, users can use the goosey csv command to generate a CSV file containing the security data. The goosey graze command is used to gather data from the Microsoft Graph Security API. This command requires users to provide credentials in order to access the API. The goosey honk command is used to analyze the security data gathered by the goosey graze command. This command requires users to provide a configuration file containing the desired security checks.
The goosey messagetrace command is used to submit and gather message trace reports. This command requires users to provide credentials in order to access the Exchange Online mailbox. The goosey honk command can also be used to automate the process of checking the status of a message trace report after it has been submitted.
The recommended workflow for using UGT is to first fill out the configuration file with the desired security checks, then run the goosey auth command to authenticate, followed by the goosey honk command to analyze the security data. For UAL calls with time bounds, users should first run the goosey auth command, followed by the goosey graze command, and then open the resulting CSV file in a spreadsheet program for analysis.
📓 cisagov/untitledgoosetool
👉🏽 Untitled Goose Tool (UGT) is an open source security assessment tool.
👉🏽 Developed by the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
👉🏽 Designed to identify potential security risks in organizations.
👉🏽 Includes authentication, authorization, and audit logging capabilities.
👉🏽 Requires Python and a virtual environment, as well as AzureAD/M365 permissions.
👉🏽 Can be used with other security tools like Microsoft Defender for IoT and Graph Security API.
👉🏽 Assesses security of cloud-based services like Azure, Office 365, and Exchange Online.
👉🏽 Provides a set of commands to gather and analyze security data.
👉🏽 Uses an authentication process through a configuration file or the goosey auth command.
👉🏽 Includes the goosey messagetrace command to submit and gather message trace reports.