cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Untitled Goose Tool - Use cases? #43

Closed drathbo closed 1 year ago

drathbo commented 1 year ago

I'm posting this here at Victoria's recommendation.

I was looking into possibly using Untitled Goose Tool and I had some questions. If we already have a license which incorporates many of Microsoft’s Defender products (endpoint, identity, cloud, etc.), is the Untitled Goose Tool a product that will enhance capabilities beyond what Microsoft already offers for its Defender suite of products, or is this tool designed as a standalone product for organizations who don’t already have robust security licenses in O365/Azure?

victoriawallace-cisa commented 1 year ago

@drathbo Untitled Goose Tool is primarily meant for organizations to extract logs and configurations to constantly monitor their environment. It's more apt to compare the Untitled Goose Tool to having a Security Information and Event Management (SIEM). Licensing in Azure/M365 allows you to gain more access to premium audit logging events and alerts, but a SIEM will help you more in constantly monitoring your cloud environment. Untitled Goose Tool is aimed at incident response teams, who need to export cloud artifacts quickly after an incident to perform analysis. Hopefully that makes sense!