The US Cybersecurity & Infrastructure Security Agency (CISA) has released a new open-source incident response tool that helps detect signs of malicious activity in Microsoft cloud environments.


Known as the “Untitled Goose Tool”, this Python-based utility can download telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365.

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

The tool helps security professionals and network administrators to:

  • Export and examine AAD access and control logs, M365 unified audit logs (UAL), Azure activity logs, Microsoft Defender for IoT alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.

  • Query, export, and examine AAD, M365, and Azure configurations.

  • Extract cloud artifacts from Microsoft’s AAD, Azure, and M365 environments without performing additional analysis.

  • Perform time bounding on the UAL. Extract data within those time limits.

  • Collect and review data using similar time-bounding capabilities for MDE data.