CISA launched a tool to detect Microsoft cloud hacks.


To bolster its cybersecurity efforts and safeguard Microsoft cloud environments from malicious activity, the Cybersecurity and Infrastructure Security Agency (CISA) has recently unveiled an open-source incident response tool dubbed the “Untitled Goose Tool.” This utility tool is based on Python and has been developed in partnership with Sandia, a national laboratory under the United States Department of Energy.

The “Untitled Goose Tool” allows the dumping of telemetry information from a range of environments, including Azure Active Directory, Microsoft Azure, Microsoft 365, Microsoft Defender for Endpoint (MDE), and Microsoft Defender for Internet of Things (D4IoT). This valuable feature helps identify potential threats, enabling security teams to take proactive measures to protect their cloud environments.

Features of Untitled Goose Tool

Security experts and network administrators can use CISA’s cross-platform Microsoft cloud analysis and interrogation tool to:

In-depth analysis and export of:

  • AAD sign-in and audit logs: This tool allows for the extraction and analysis of sign-in and audit logs from Microsoft’s Azure Active Directory. This information can be used to identify and investigate potential security threats.
  • M365 unified audit log: The tool also enables the extraction and analysis of unified audit logs from Microsoft 365. These logs provide a comprehensive view of activities across different services in M365, which can help identify and investigate security incidents.
  • Azure activity logs: The tool also allows for the extraction and analysis of activity logs from Microsoft Azure. These logs provide information on changes made to Azure resources, which can help identify potential security threats.
  • Microsoft Defender for IoT alerts: This tool enables the extraction and analysis of alerts from Microsoft Defender for IoT. These alerts can help identify potential security threats in IoT environments.
  • Microsoft Defender for Endpoint data for suspicious activity: The tool also allows for the extraction and analysis of data for suspicious activity from Microsoft Defender for Endpoint. This can help identify potential threats to endpoint devices and take proactive measures to prevent them.
  • Analyze AAD, M365, and Azure configurations through queries, exports, and investigation


To run the Untitled Goose Tool with Python, one of the following versions is required:

  • Python 3.7
  • Python 3.8
  • Python 3.9

Furthermore, running the Untitled Goose Tool in a virtual environment is recommended.

  • Mac OSX
  • Linux
  • Windows

To enhance organizations’ cybersecurity measures against emerging cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) has recently taken several mitigatory steps. One such measure is the launch of an open-source tool named ‘Decider’ earlier this month, aimed at defenders to assist them in creating MITRE ATT&CK mapping reports.

This tool was launched following the publication of a “best practices” guide in January, emphasizing the importance of adhering to the standard. Additionally, CISA warned critical infrastructure entities at the beginning of 2023 of the susceptibility of their systems to ransomware attacks due to internet exposure.

This warning was a result of a new partnership established in August 2021, called the Joint Cyber Defense Collaborative (JCDC), with the focus of protecting the core infrastructure of the United States from cyber attacks, such as ransomware.


To install the package, clone the repository and then install it with pip:

git clone
cd untitledgoosetool
python3 -m pip install .
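
The version requirement and the virtual-environment recommendation above can be combined into one install step. The following is an added example, not code from CISA or the tool's repository; the function names and the GOOSE_VENV variable are assumptions, and the venv path layout shown is the Linux/macOS one.

```shell
#!/bin/sh
# Added example: gate on the Python versions the article lists, then install
# into a virtual environment. Function names and GOOSE_VENV are assumptions.

# Return 0 when a "major.minor[.patch]" string is 3.7, 3.8 or 3.9; else 1.
goose_python_ok() {
    case "$1" in
        3.7|3.7.*|3.8|3.8.*|3.9|3.9.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first interpreter on PATH whose version passes the gate.
find_goose_python() {
    for candidate in python3.9 python3.8 python3.7 python3; do
        command -v "$candidate" >/dev/null 2>&1 || continue
        ver=$("$candidate" -c 'import platform; print(platform.python_version())' 2>/dev/null) || continue
        if goose_python_ok "$ver"; then
            echo "$candidate"
            return 0
        fi
    done
    return 1
}

# Run from inside the cloned untitledgoosetool directory.
install_goose_in_venv() {
    venv_dir=${GOOSE_VENV:-.venv}
    py=$(find_goose_python) || {
        echo "no Python 3.7-3.9 interpreter found" >&2
        return 1
    }
    "$py" -m venv "$venv_dir" || return 1
    # Use the venv's own interpreter so the tool's dependencies stay out of
    # the system site-packages on the analysis workstation.
    "$venv_dir/bin/python" -m pip install . || return 1
    echo "installed into $venv_dir using $py"
}
```

Source the file and call install_goose_in_venv from the repository directory; it stops before touching pip if no supported interpreter is present.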

In June 2021, Ransomware Readiness Assessment (RRA) was launched to update the Cyber Security Evaluation Tool (CSET). This module aims to assist organizations in assessing their preparedness for preventing and recovering from ransomware and other cyberattacks.