Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
🗣 Description
This PR fixes a bug in the AzureAD datadumper module which leads to incomplete results.
💠 Motivation and context
The PR is needed to acquire a complete set of AzureAD audit log data. Otherwise acquiring AzureAD audit logs with Untitled Goose will lead to incomplete results and, thus, to an incomplete data basis for investigations.
The function dump_azuread_audit has a retry loop which is not terminated if the log data was dumped successfully. This leads to an incomplete data acquisition, since the start date is incremented in the retry loop by one day for each loop pass. For example, dumping the data from 01.04.2023 to 13.04.2023 will only extract the audit log data for the days 01.04.2023, 06.04.2023 and 11.04.2023 since the retry counter is set to 5 by default.
🧪 Testing
This PR was tested manually against a Microsoft 365 development tenant (E5 license).
✅ Pre-approval checklist
[x] This PR has an informative and human-readable title.
[x] Changes are limited to a single goal - eschew scope creep!
[x] All future TODOs are captured in issues, which are referenced in code comments.
[ ] All relevant type-of-change labels have been added.
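The skipping behaviour the PR describes can be reproduced with a small simulation. The code below is an added, constructed example and is not the Untitled Goose Tool source: `dump_days_buggy`, `dump_days_fixed`, `make_fetcher` and `missing_days` are hypothetical names, `make_fetcher` stands in for the real audit-log call, and the end date is treated as exclusive. The buggy loop computes the one-day window once per outer iteration but advances the start date on every retry pass and never breaks after a successful dump, so with the default of 5 retries only every fifth day is collected. The fixed loop retries only on failure, breaks on success, and advances the start date exactly once per window; `missing_days` is the coverage check an analyst can run over the acquired output to detect gaps like this before building a timeline on it.

```python
"""Constructed simulation of a retry loop that advances the start date on every
pass instead of once per successful dump (not the Untitled Goose Tool source)."""
from datetime import date, timedelta
from typing import Callable, Dict, List

# Hypothetical fetcher signature: (window_start, window_end) -> list of records.
FetchFn = Callable[[date, date], list]


def make_fetcher(flaky_days=(), failures_before_success: int = 1) -> FetchFn:
    """Constructed stand-in for the audit-log API call.

    Returns one fake record per day. For days in ``flaky_days`` it raises on the
    first ``failures_before_success`` attempts to simulate transient errors.
    """
    attempts: Dict[date, int] = {}

    def fetch(start: date, end: date) -> list:
        n = attempts.get(start, 0)
        attempts[start] = n + 1
        if start in flaky_days and n < failures_before_success:
            raise ConnectionError(f"transient error for {start}")
        return [{"activityDateTime": start.isoformat(), "id": f"fake-{start}"}]

    return fetch


def dump_days_buggy(start: date, end: date, fetch: FetchFn, retries: int = 5) -> List[str]:
    """Mirrors the behaviour the PR describes: the window is fixed once per outer
    iteration, every retry pass re-dumps it AND advances ``start``, and nothing
    terminates the retry loop after a successful dump."""
    dumped: List[str] = []
    while start < end:
        window_start, window_end = start, start + timedelta(days=1)
        for _ in range(retries):
            try:
                records = fetch(window_start, window_end)
                dumped.extend(r["activityDateTime"] for r in records)
            except ConnectionError:
                pass
            start += timedelta(days=1)  # advanced on every pass, success or not
    return sorted(set(dumped))


def dump_days_fixed(start: date, end: date, fetch: FetchFn, retries: int = 5) -> List[str]:
    """Corrected loop: retry only on failure, break on success, and advance the
    start date exactly once per window. Gives up loudly if a window never succeeds."""
    dumped: List[str] = []
    while start < end:
        window_start, window_end = start, start + timedelta(days=1)
        for attempt in range(1, retries + 1):
            try:
                records = fetch(window_start, window_end)
                dumped.extend(r["activityDateTime"] for r in records)
                break  # success: stop retrying this window
            except ConnectionError as exc:
                if attempt == retries:
                    raise RuntimeError(
                        f"gave up on {window_start} after {retries} attempts"
                    ) from exc
        start = window_end
    return dumped


def missing_days(start: date, end: date, dumped: List[str]) -> List[str]:
    """Coverage check on acquired output: days in [start, end) with no records."""
    expected = [(start + timedelta(days=i)).isoformat() for i in range((end - start).days)]
    have = set(dumped)
    return [d for d in expected if d not in have]


if __name__ == "__main__":
    s, e = date(2023, 4, 1), date(2023, 4, 13)
    buggy = dump_days_buggy(s, e, make_fetcher())
    print("buggy  :", buggy)                      # only 04-01, 04-06, 04-11
    print("missing:", missing_days(s, e, buggy))
    fixed = dump_days_fixed(s, e, make_fetcher(flaky_days={date(2023, 4, 3)}))
    print("fixed  :", fixed)                      # all twelve days, 04-03 after one retry
```

Running the script with the PR's range reproduces the three-day result exactly, and the `missing_days` output is the kind of gap report worth keeping alongside any audit-log acquisition, since a silently sparse log looks identical to a quiet tenant.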