Untitled Goose Tool Takes Flight: Azure AD and M365 Account Compromises

April 6, 2023
John Mancini
Product Management

Azure AD, M365 and Azure are critical components of the modern enterprise cloud infrastructure. Tools to monitor and uncover threats and counter suspicious and dangerous activity before attackers have a chance to impact sensitive data or services are now considered critical as well. Recently, CISA released a new open-source tool named the Untitled Goose Tool that helps organizations investigate threats to Azure AD, M365 and Azure.

Designed to automate access to the logs that defenders need to assess a potential cloud identity attack, Untitled Goose Tool can be a lifesaver when an organization suspects an active compromise in its tenant. Let's take a look.

Sample execution of Untitled Goose Tool


Untitled Goose Tool generates JSON and CSV files that include 20+ M365 configurations, months of unified audit logs, details of Azure and Azure AD applications, user details and sign-ins.  

Sample outputs of Untitled Goose Tool


The actions of an attacker and their impact can be observed within these logs, but analyzing them can be a time-consuming and complex process.
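To make the point concrete, here is an added example (not code from the original post, and not part of Untitled Goose Tool or Vectra) of the kind of triage a defender would run over a sign-in export like the ones described above. It assumes the sign-in JSON follows the shape of the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode, location.countryOrRegion, clientAppUsed); the sample records are constructed with documentation IP ranges, and the field names should be adjusted to match whatever the real export contains. It flags three patterns worth a closer look: successful sign-ins for one user from more than one country, successful sign-ins over legacy protocols that bypass modern authentication controls, and a run of failed attempts from one IP immediately followed by a success from the same IP.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Microsoft Graph signIn records (assumption:
# the tool's sign-in export uses these field names; adjust if it does not).
SAMPLE_SIGNINS_JSON = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5",
     "createdDateTime": "2023-04-01T08:00:00Z", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5",
     "createdDateTime": "2023-04-01T08:01:00Z", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5",
     "createdDateTime": "2023-04-01T08:02:00Z", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5",
     "createdDateTime": "2023-04-01T08:02:30Z", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.5",
     "createdDateTime": "2023-04-01T08:03:00Z", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "createdDateTime": "2023-04-01T09:00:00Z", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.44",
     "createdDateTime": "2023-04-01T09:20:00Z", "clientAppUsed": "IMAP4",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.9",
     "createdDateTime": "2023-04-01T10:00:00Z", "clientAppUsed": "Browser",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
])

# clientAppUsed values that indicate legacy (basic) authentication protocols.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}


def load_signins(raw_json):
    """Parse the JSON export and return records in chronological order."""
    records = json.loads(raw_json)
    return sorted(records, key=lambda r: r["createdDateTime"])


def triage_signins(records, failure_threshold=3):
    """Return a list of (user, finding) tuples, grouped by user in sorted order."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)

    findings = []
    for user, events in sorted(by_user.items()):
        successes = [e for e in events if e["status"]["errorCode"] == 0]

        # 1. Successful sign-ins from more than one country for the same user.
        countries = {e.get("location", {}).get("countryOrRegion") for e in successes}
        countries.discard(None)
        if len(countries) > 1:
            findings.append((user, "successful sign-ins from multiple countries: "
                             + ", ".join(sorted(countries))))

        # 2. Successful sign-ins over legacy protocols.
        legacy = {e.get("clientAppUsed") for e in successes} & LEGACY_CLIENTS
        if legacy:
            findings.append((user, "successful legacy-protocol sign-in: "
                             + ", ".join(sorted(legacy))))

        # 3. A run of failures from one IP followed by a success from that IP.
        streak_ip, streak = None, 0
        for e in events:
            ip = e.get("ipAddress")
            if e["status"]["errorCode"] != 0:
                streak = streak + 1 if ip == streak_ip else 1
                streak_ip = ip
            else:
                if ip == streak_ip and streak >= failure_threshold:
                    findings.append((user, f"{streak} failures then success from {ip}"))
                streak_ip, streak = None, 0
    return findings


if __name__ == "__main__":
    for user, finding in triage_signins(load_signins(SAMPLE_SIGNINS_JSON)):
        print(f"{user}: {finding}")
```

Each finding is a lead, not a verdict: a travelling user or a sanctioned IMAP client will show up too, which is exactly why the raw records behind each alert need to stay one click away during an investigation.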

Vectra takes the Goose approach one step further

Vectra understands the challenges faced by defenders and developed a solution that simplifies the process of detecting and responding to cloud-based attacks. The Vectra Threat Detection and Response platform continuously ingests the same Azure AD and M365 logs collected by Untitled Goose Tool, along with other log sources, to provide automated real-time alerting on cloud-based attackers and threats. This enables Vectra to see the actions an attacker takes before a compromised account can progress further into an environment, steal data or attempt to abuse an organization's reputation.

Vectra Threat Detection and Response platform

Similar to Untitled Goose Tool, Vectra provides end-users with access to the raw data that underpins our alerts to support investigations and response. However, Vectra goes a step further by ingesting more log types and simplifying the process with one-click answers to common questions that teams need to investigate.

Vectra provides end-users with access to the raw data that underpins our alerts to support investigations and response.

In cases where teams need to go further, users have access to the full data with a rich query language and instant access to the documentation needed to make the raw data actionable.

Vectra provides defenders with the ability to proactively detect Azure AD and M365 threats while simplifying investigations by enabling quick and effective response to stop organizational damage.

With Vectra, you can be confident that you have the tools you need to defend against even the most sophisticated cloud-based attacks.

See how Vectra takes Untitled Goose Tool a step further and take an interactive product tour.