cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Suggested Change of UAL Dump Format from json to jsonl #30

Closed 0x534a closed 1 year ago

0x534a commented 1 year ago

🗣 Description

In this PR, we suggest changing the output format of the Microsoft 365 UAL dump from JSON to JSON lines.

💭 Motivation and context

All of the output files of the Microsoft 365 dumper module are in JSON line format except the UAL, which is written as a single JSON object. In order to be more consistent and to improve the performance of parsing the dumped UAL, we suggest changing the output format from a single JSON object to the JSON line format.

🧪 Testing

This PR was tested manually against a Microsoft 365 development tenant (E5 license).

victoriawallace-cisa commented 1 year ago

We're currently testing this PR.

victoriawallace-cisa commented 1 year ago

Hello, we've merged the PR into the tool, but we did not notice any file format or run time differences between the two. We guess it's because the UAL is dumped as a single object, so there's no big difference in the json or jsonlines format.
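
The parsing point raised in the PR description, as an added example that is not code from the pull request or from Untitled Goose Tool: a JSON lines dump can be streamed and filtered record by record, and a dump cut off mid-write loses only its last line, while a single JSON document fails to parse at all. The record layout, the `to_jsonl`, `iter_jsonl`, `hunt` and `demo` helpers and the sample values are assumptions constructed for illustration.

```python
import io
import json

# Constructed sample records; field names follow the Microsoft 365 audit
# schema (CreationTime, Operation, UserId), values are made up.
SAMPLE = [
    {"CreationTime": "2023-05-01T10:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com"},
    {"CreationTime": "2023-05-01T10:05:00", "Operation": "New-InboxRule", "UserId": "alice@example.com"},
    {"CreationTime": "2023-05-01T10:09:00", "Operation": "FileDownloaded", "UserId": "bob@example.com"},
]

def to_jsonl(records, out):
    """Write one compact JSON document per line; return the record count."""
    count = 0
    for count, rec in enumerate(records, 1):
        out.write(json.dumps(rec, separators=(",", ":")) + "\n")
    return count

def iter_jsonl(stream):
    """Yield (line_no, record); record is None when the line is damaged."""
    for line_no, line in enumerate(stream, 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        yield line_no, rec if isinstance(rec, dict) else None

def hunt(stream, operations):
    """Stream a JSONL dump; return matching records and damaged line numbers."""
    hits, damaged = [], []
    for line_no, rec in iter_jsonl(stream):
        if rec is None:
            damaged.append(line_no)
        elif rec.get("Operation") in operations:
            hits.append(rec)
    return hits, damaged

def demo():
    buf = io.StringIO()
    to_jsonl(SAMPLE, buf)
    try:  # the single-document form fails outright when cut short
        json.loads(json.dumps(SAMPLE)[:-20])
        single_ok = True
    except json.JSONDecodeError:
        single_ok = False
    hits, damaged = hunt(io.StringIO(buf.getvalue()[:-20]), {"New-InboxRule"})
    return single_ok, hits, damaged
```

`demo()` truncates both forms by 20 characters to simulate an interrupted dump: the JSONL reader still returns the inbox-rule record and reports line 3 as damaged.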