CISA, PNNL publish log analyser for security tests

America’s Cyber and Infrastructure Security Agency has open sourced a security log analytics tool called RedEye.

As CISA explained on GitHub, RedEye was co-developed in partnership with the Department of Energy’s Pacific Northwest National Laboratory.

RedEye is an analytics tool for visualising and reporting command and control activities, CISA said, which “allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision making in response to a red team assessment”.

Currently, RedEye focuses on analysing Cobalt Strike logs.

It offers both blue team and red team modes.

Red team mode lets users “upload campaign logs, explore, and create presentations”, while the blue team mode allows the user to review a campaign uploaded by a red team.

It parses logs, presents data in an easily digestible format, and lets users tag and add comments to the activities it displays.

For example, the UI shows a graphical representation of a campaign log showing the correlation between the hosts involved in the campaign.

A user can identify key events in a a campaign, such as examining payload activity, identifying an attackers penetration path, and so on.

The tool runs on Linux (Ubuntu 18 and newer, Kali 2020.1 and newer), macOS El Capitan, and Windows from Windows 7 on.

CISA has also published this video to YouTube.

RedEye log visualisation. Image: CISA