CISA releases weirdly named tool to help investigate possible Microsoft 365 breaches

Posted on Sunday, Apr 2, 2023 by Chris Hayner

Featured in this episode of Chaos Lever

CISA, or the “Cybersecurity and Infrastructure Security Agency,” has released a new tool to assist security engineers in the fight against security breaches in Microsoft 365 environments. The tool is open source, free, and based on MITRE ATT&CK reports.

The tool collects myriad telemetry data from cloud environments and analyzes them for potential malicious activity patterns. It is also, for some reason, called “Untitled Goose Tool.” I could have researched the name for this report, but I didn’t. I am just going to let Untitled Goose Tool live rent-free in my memory forever.

Many security engineers are questioning the point of this tool, as 1) most of what it does can be done by other tools, and 2) the permissions it requires are a little on the explicit side. It’s a good first step though, in this reporter’s opinion, because 1) it’s free, and 2) it’s open source.

CISA has been continuing to release things like this for a number of years and I hope they keep doing it. They’re reputable enough that I’m not worried about the permissions they’re requiring, and everybody likes free. We recommend you take a gander.