Untitled Goose Tool
A hunt and incident response tool for gathering forensic data from Microsoft Entra ID, Azure, M365, and Defender environments.
What is Untitled Goose Tool?
Untitled Goose Tool is an open-source incident response and hunting tool developed by CISA for investigating Microsoft cloud environments. It collects forensic data from Microsoft Entra ID, Azure, M365, Defender for Endpoint, and Defender for IoT to help security teams analyze incidents when logs aren't available in a SIEM. The tool uses novel authentication methods and provides flexible configuration for targeted data gathering.
Incident responders, security analysts, and forensic investigators who need to collect and analyze telemetry from Microsoft cloud environments during security incidents.
Developers choose Untitled Goose Tool because it's a comprehensive, government-developed tool specifically designed for Microsoft cloud forensics, offering extensive data collection capabilities that aren't available in standard commercial tools. Its flexible configuration and automation features make it ideal for rapid incident response scenarios.
Overview
Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Use Cases
Best For
Related Projects
Found a gem we're missing?
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.
