All notable changes to this project will be documented in this file.
- Better task naming for logging
- Added Microsoft Graph role ThreatHunting.Read.All
- Added Log Analytics API role Data.Read
- Added dumping for Log Analytics Workspace
- Updated versions of required packages
- Create_SP.ps1 script will find an existing role group with the app name instead of erroring
- Resolved issue with dumper cmd arguments for honk command not working (e.g. goosey honk --entraid)
- Issue identified in d4iot dumpers
- Better task naming for logging
- Updated versions of required packages
- Resolved some errors for config collection. Specifically relating to the security contacts collection
- More Documentation
- Changed all azuread to entraid
- Removed version and author information from every file
- Endless pulling issue for sign in logs when endtime wasn't specified
- autohonk. No more manual authentication
- Variables added to the conf to modify ual tasks running as well as optional extra time field
- more efficient ual pulling. Lots of improvements that led to an 800% speed up.
- fixed asynchronous issue with azure dumpers
- Better Logging for python3.12. Changed the docker image to use that as well
- Asynchronous issues with azure dumpers
- No save state for azure activity log
- Powershell script for tying service principal to exchange online
- App only authentication
- `goosey conf` command to generate the conf. Includes comments for each field
- Variables added to the conf to modify thresholds and modes during goosey honk
- Ual changed endpoints due to previous endpoint deprecation. New endpoint uses app auth tied to exchange online. No user tokens required for anything anymore.
- Mde improvements and mode added to choose between table mode and machine.
- Cli framework switched to fire instead of argparse
- Graze is gone. Due to ual change
- GUI is gone due to not being supported.
- Powershell dumper for m365 switched to python implementation
- delegated auth pull removed. Permissions too strong
- auth no longer saves unencrypted creds/tokens to disk in secure mode at any point
- Summarized configuration pulls in AzureAD and Azure.
- duplication in ual logs. Duplicates returned are now deduped before saving
- Delegated auth pull for featureRolloutPolicies
- Made goose proxy aware
- Consolidated auth code and enabled secure by default
- Made graze faster
- Fixed AzureAD activity log dumper bug that failed if there were multiple subscriptions
- Updated `cryptography` to 41.0.3 based on dependabot.
- Incorporated fix for function `helper_multiple_object` when parent object contains a `/`
- Updated authentication fix for graze.py and messagetrace.py
- Updated and pinned `MSAL` dependencies.
- Updated `validationkey` logic for m365 authentication.
- Updated `MSAL` calls to align with the `MSAL` 1.23.0 change.
- Updated `cryptography` and `aiohttp` based on dependabot.
- Updated SBOM files.
- Better catches for when password for the account needs to be updated, when a conditional access policy blocks user account access, or when the user account is flagged for risky actions.
- Added catch for empty `.conf` fields, will allow more graceful exiting.
- Updated and pinned `aiohttp`, `colored`, `cryptography`, and `selenium` dependencies and updated Python version to 3.10.11.
- Pinned 3.1.0 version of ExchangeOnlineManagement PowerShell module.
- Improved logic for grabbing `validationkey` from requests.
- Fixed MFA logic for messagetrace.py.
- Fixed data dumper logic, they will only run if something in their section is set to `True`.
- Implemented new tables to be pulled from MDE.
- Added two SBOM files.
- Updated readme with cloud-only account requirement.
- Better logging for _no_results.json.
- Fixed Azure government calls.
- Fixed minor debug logging issues.
- Fixed the AttributeError encountered during AzureAD calls.
- Implemented delegated application authentication.
- Implemented support for more MFA methods: number matching push notification, app OTP code, and SMS OTP code.
- Added more debugging statements for `goosey auth --debug`.
- Implemented monkey patch for `goosey-gui` on Windows machines.
- Fixed logic for erroneous token check when `m365` in the `.conf` was set to `False`.
- Readme prerequisites regarding Microsoft Visual C++ redistributable package (14.x) for Windows machines
- Updated selenium logic regarding push notification MFA prompts. It will detect if MFA was never accepted and exit.
- Implemented more checks for the .ugt_file to see if cookies and tokens are correctly exported.
- Updated certain AzureAD call outputs, making it easier for users to track call results.
- Implemented file encryption for credential file(s) with the `--secure` parameter.
- Added more authentication expiration checks and implemented better logic for handling an expired authentication token/cookie.
- Added more logging for `goosey auth` and `goosey auth --debug`.
- Added support for Python 3.10.
- Separated .conf and .d4iot_conf files into .auth, .conf, .auth_d4iot, and .d4iot_conf.
- Removed token_cache.bin.
- Added longer timeouts for selenium.
- Added validationkey pull as part of the regular M365 authentication flow.
- Added a section in the Installing section of the readme for Ubuntu 22.04 users running into wxpython issues.
- Goose is released