cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Not clear what this does #1

Closed lawndoc closed 1 year ago

lawndoc commented 1 year ago

🐛 Summary

This tool will "run a full investigation" by "gathering additional telemetry"... And then what? The README is very descriptive about how to set up the tool, but nowhere does it say anything about the output of the tool or how the output is intended to be used. Is it looking for specific things in the additional telemetry? Is that our job? Does it just collect all the things and throw them in a massive CSV? No idea without reading all the source code.

victoriawallace-cisa commented 1 year ago

Hello, please see the fact sheet for additional details regarding the output: https://www.cisa.gov/sites/default/files/2023-03/untitled_goose_tool_fact_sheet_final_508cv2.pdf

If you have any other questions, please feel free to ask.

lawndoc commented 1 year ago

Thanks. Wouldn't it make sense to include the FAQ in the README or at least include a link to the fact sheet? People who discover this via GitHub will have no idea what it is.