
This tool was designed to assist incident response teams by exporting cloud artifacts after an incident for environments that aren't ingesting logs into a Security Information and Events Management (SIEM) or other long term solution for logs.

For more guidance on how to use Untitled Goose Tool, please see: Untitled Goose Tool Fact Sheet

Getting Started

Prerequisites

Python 3.7, 3.8, 3.9, or 3.10 (up to 3.10.10) is required to run Untitled Goose Tool with Python. Python 3.10.11 is currently being tested.

Firefox is required for authenticating with Untitled Goose Tool.

Currently, the following MFA methods are accepted in Untitled Goose Tool: the push notification offered by the Microsoft Authenticator app, number matching MFA, and one-time password (OTP) from either the Microsoft Authenticator app or SMS.

On a Windows machine, you will need to make sure to have the Microsoft Visual C++ redistributable package (14.x) installed prior to running the tool.

It's also recommended to run Untitled Goose Tool within a virtual environment.

Here is a conf file with descriptions of the fields:

us_government=If you have a GCC High tenant, set this to True, otherwise set this to False.

exo_us_government=If your M365 tenant is a government tenant, set this to True, otherwise set this to False.
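A preflight check for the prerequisites and the two conf fields described above, as an added example that is not part of Untitled Goose Tool. The function names, the strict True/False matching, the PATH lookup for Firefox and the constructed sample conf (including its `[config]` header) are assumptions of this example.

```python
import re
import shutil
import sys

MIN_PY, MAX_PY = (3, 7, 0), (3, 10, 10)  # bounds stated in the prerequisites
BOOL_KEYS = ("us_government", "exo_us_government")  # fields described on this page

def python_supported(version):
    """True if the interpreter version is within the range the page lists."""
    return MIN_PY <= tuple(version[:3]) <= MAX_PY

def in_virtualenv():
    """True when running inside a venv/virtualenv (recommended by the page)."""
    return sys.prefix != getattr(sys, "base_prefix", sys.prefix)

def check_conf(text):
    """Return a list of problems found in key=value conf text."""
    seen, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Blank lines, comments and section headers carry no key to check.
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)
        if not m:
            problems.append(f"line {n}: not key=value")
            continue
        seen[m.group(1).lower()] = m.group(2).strip()
    for key in BOOL_KEYS:
        if key not in seen:
            problems.append(f"{key}: missing")
        elif seen[key] not in ("True", "False"):  # assumption: exact literals only
            problems.append(f"{key}: expected True or False, got {seen[key]!r}")
    return problems

def preflight(conf_text, version=sys.version_info, firefox=None):
    """Collect every unmet prerequisite instead of stopping at the first."""
    # PATH lookup is a heuristic; Firefox may be installed but not on PATH.
    firefox = shutil.which("firefox") if firefox is None else firefox
    problems = check_conf(conf_text)
    if not python_supported(version):
        problems.append("Python %d.%d.%d is outside 3.7 to 3.10.10" % tuple(version[:3]))
    if not firefox:
        problems.append("Firefox not found on PATH")
    if not in_virtualenv():
        problems.append("not in a virtual environment (recommended)")
    return problems

SAMPLE = "[config]\nus_government=False\nexo_us_government=yes\n"  # constructed
if __name__ == "__main__":
    for p in preflight(SAMPLE):
        print("WARN:", p)
```

Running the check before authenticating surfaces a mistyped government-tenant flag up front, before any collection run starts against the tenant.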

Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.

Recommended Workflow for UAL Call with Time Bounds
