Cybersecurity & Infrastructure Security Agency (CISA) have published a new tool to assist responders to detect malicious activity in Microsoft Cloud environments (Azure) using multiple sources for analysis; Azure sign in, Azure audit, M365 unified audit log, Microsoft Defender for IoT, Microsoft Defender for Endpoint
Links:
https://github.com/cisagov/untitledgoosetool
https://www.cisa.gov/resources-tools/resources/untitled-goose-tool-fact-sheet
NPD4n6: Nicks DFIR blog 
Leave a comment