

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

This tool was designed to assist incident response teams by exporting cloud artifacts after an incident for environments that aren't ingesting logs into a Security Information and Event Management (SIEM) or other long-term solution for logs.

For more guidance on how to use Untitled Goose Tool, please see: Untitled Goose Tool Fact Sheet

Getting Started

Prerequisites

Python 3.7, 3.8, 3.9, or 3.10 (up to 3.10.10) is required to run Untitled Goose Tool with Python. Python 3.10.11 is currently being tested.

Firefox is required for authenticating with Untitled Goose Tool.

Currently, the following MFA methods are accepted in Untitled Goose Tool: the push notification offered by the Microsoft Authenticator app, number matching MFA, and one-time password (OTP) from either the Microsoft Authenticator app or SMS.

On a Windows machine, you will need to make sure to have the Microsoft Visual C++ redistributable package (14.x) installed prior to running the tool. It's also recommended to run Untitled Goose Tool within a virtual environment.

Here is a conf file with descriptions of the fields:

Us_government=If you have a GCC High tenant, set this to True, otherwise set this to False.
Exo_us_government=If your M365 tenant is a government tenant, set this to True, otherwise set this to False.
Subscriptionid=If you want to check all of your Azure subscriptions, set this to All, otherwise enter your Azure subscription ID. For multiple IDs, separate it with commas, no spaces.
M365=If you have a M365 environment, set this to True, otherwise set this to False.
Date_start=Applies to Azure AD signin calls only.
Date_end=Applies to Azure AD signin calls only. Format should be YYYY-MM-DD.
Setemailaddress=If you want to be notified by Microsoft when your message trace is ready, set this to True, otherwise set this to False.
Direction=Choices are All, Inbound, Outbound.
Notifyaddress=If you want to be notified by Microsoft when your message trace is ready for download, input an email here.
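A pre-flight check for the conf file fields described on this page, written as an added example; it is not part of Untitled Goose Tool or its documentation. The function names, the flat key=value parsing, the use of YYYY-MM-DD for both date fields, and the two cross-field checks (date order, notify address present) are assumptions made for illustration.

```python
import re
from datetime import date

BOOL_KEYS = {"us_government", "exo_us_government", "m365", "setemailaddress"}
DIRECTIONS = {"All", "Inbound", "Outbound"}
# Constructed sample conf content with placeholder IDs, not from a real tenant.
SAMPLE = ("us_government=False\nexo_us_government=false\nm365=True\n"
          "subscriptionid=sub-id-1, sub-id-2\ndate_start=2023-03-01\n"
          "date_end=2023/03/31\ndirection=Both\nsetemailaddress=True\nnotifyaddress=\n")

def parse_conf(text):
    """Parse key=value lines; keys are lower-cased, headers and comments are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "[#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields

def check_conf(fields):
    """Return a list of problems found against the field descriptions."""
    problems = []
    for key in sorted(BOOL_KEYS & fields.keys()):
        if fields[key] not in ("True", "False"):
            problems.append(f"{key}: expected True or False, got {fields[key]!r}")
    parsed = {}
    for key in ("date_start", "date_end"):
        value = fields.get(key, "")
        if not value:
            continue
        try:
            # Regex first: newer Python versions accept other ISO forms here.
            if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
                raise ValueError(value)
            parsed[key] = date.fromisoformat(value)
        except ValueError:
            problems.append(f"{key}: expected YYYY-MM-DD, got {value!r}")
    if len(parsed) == 2 and parsed["date_start"] > parsed["date_end"]:
        problems.append("date_start is later than date_end")
    sub = fields.get("subscriptionid", "")
    if sub and sub != "All" and (" " in sub or "" in sub.split(",")):
        problems.append("subscriptionid: use All or comma-separated IDs with no spaces")
    if fields.get("direction", "All") not in DIRECTIONS:
        problems.append(f"direction: expected one of {sorted(DIRECTIONS)}")
    if fields.get("setemailaddress") == "True" and not fields.get("notifyaddress"):
        problems.append("setemailaddress is True but notifyaddress is empty")
    return problems

if __name__ == "__main__":
    print("\n".join(check_conf(parse_conf(SAMPLE))))
```

Running the check before a collection catches a mistyped date or a space in the subscription ID list before any authentication or export is attempted.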
