CISA launches Untitled Goose cybersecurity tool for Microsoft Azure cloud users

The tool will help system admins avoid getting in a flap over potential security problems on their cloud servers.

By Matthew Gooding

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new cybersecurity tool, Untitled Goose Tool, to help users of the Microsoft Azure cloud service spot potential security problems.

Untitled Goose Tool has been released to help Azure environments stay safe. (Photo by Bildagentur Zoonar GmbH)

Developed in conjunction with Sandia National Labs, CISA describes Untitled Goose as “a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory, and Microsoft 365 environments”.

It is available in the CISA repository on GitHub.

How security teams can use Untitled Goose Tool

CISA says the tool can be used to export and review Azure Active Directory (AAD) sign-in and audit logs, Microsoft 365’s unified audit log (UAL) and Azure activity logs, as well as Microsoft Defender for IoT alerts and Microsoft Defender for Endpoint data, to help spot suspicious activity.

It also enables system admins to query, export, and investigate AAD, Microsoft 365, and Azure configurations for potential problems.

A CISA factsheet says: “Network defenders attempting to interrogate a large Microsoft 365 tenant via the UAL may find that manually gathering all events at once is not feasible. Untitled Goose Tool uses novel data gathering methods via bespoke mechanisms.”

Quite who came up with the name for this tool is unclear, but it includes functions entitled goosey_graze and goosey_honk which aid in the extraction and monitoring of information.

The tool is purely for querying data, CISA says, and cannot make changes to cloud environments.

Cloud environments increasingly targeted by cybercriminals

While vulnerabilities in cloud platforms such as Azure are relatively rare, cybercriminals are increasingly trying to find ways to breach the platforms. Last year, Tech Monitor reported on a vulnerability in Office 365 which potentially left cloud data open to attack.

“Current ransomware attacks are mainly focused on local networks and endpoints and not the cloud,” said Barak Hadad, head of research at security company Armis at the time. “But since organisations are moving their business logic to the cloud, we expect an increase of ransomware attacks against cloud storage systems.”

More recently, a remote code execution vulnerability in Azure was uncovered by researchers at cloud security company Ermetic. Microsoft patched the flaw, dubbed EmojiDeploy, in December after Ermetic flagged the problem, earning the company a $30,000 bug bounty.

“The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu,” Liv Matan, researcher at Ermetic, said, adding that the flaw could enable attackers to move laterally through affected systems. “By abusing the vulnerability, attackers can deploy malicious ZIP files containing a payload to the victim’s Azure application,” Matan added.
