The United States Cybersecurity and Infrastructure Security Agency (CISA) has released RedEye, an open-source tool for analyzing command and control logs from red team assessments.
As CISA explained on GitHub, RedEye was co-developed in partnership with the Department of Energy’s Pacific Northwest National Laboratory.
CISA describes RedEye as an analytics tool for visualizing and reporting command and control activities that “allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision-making in response to a red team assessment”.
Currently RedEye analyzes only Cobalt Strike logs.
It features both blue team and red team modes.
Red team mode allows users to “upload campaign logs, explore and create presentations”, while blue team mode allows the user to review a campaign uploaded by a red team.
It analyzes logs, presents data in an easily digestible format, and allows users to tag and add comments to activities it displays.
For example, the user interface renders a campaign log as a graph showing the relationships between the hosts involved in the campaign.
From there a user can pick out key events in the campaign, such as payload activity or the attacker’s penetration path through the network.
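As an added illustration of the kind of correlation the tool performs (this is not RedEye's code, nor anything from CISA or PNNL), the following Python script reads constructed Cobalt Strike-style beacon logs, attributes each beacon to a host from its `[metadata]` line, collects the operator's `[input]` commands per host, derives lateral-movement edges from `jump` and `remote-exec` commands, and traces the path from the initial foothold to a chosen host. The log layout, the sample lines, the host names and the `LATERAL` command table are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the general layout of Cobalt Strike beacon logs
# ("MM/DD HH:MM:SS TZ [kind] body"). Hosts, users and IPs are invented for
# this example; the layout itself is an assumption, not data from RedEye.
SAMPLE_LOGS = {
    "beacon_1001.log": """\
10/22 12:34:56 UTC [metadata] 203.0.113.7 <- 10.0.0.5; computer: WKS01; user: jdoe; process: rundll32.exe; pid: 4412; os: Windows; version: 10.0; build: 19044; beacon arch: x64 (x64)
10/22 12:35:10 UTC [input] <neo> shell whoami
10/22 12:35:10 UTC [task] <T1059> Tasked beacon to run: whoami
10/22 12:40:01 UTC [input] <neo> jump psexec64 FS01 smb
""",
    "beacon_1002.log": """\
10/22 12:40:05 UTC [metadata] 10.0.0.5 <- 10.0.0.9; computer: FS01; user: SYSTEM *; process: abc.exe; pid: 812; os: Windows; version: 10.0; build: 17763; beacon arch: x64 (x64)
10/22 12:41:00 UTC [input] <neo> hashdump
10/22 12:45:30 UTC [input] <neo> jump winrm64 DC01 smb
""",
    "beacon_1003.log": """\
10/22 12:45:40 UTC [metadata] 10.0.0.9 <- 10.0.0.2; computer: DC01; user: SYSTEM *; process: wsmprovhost.exe; pid: 2204; os: Windows; version: 10.0; build: 17763; beacon arch: x64 (x64)
10/22 12:46:00 UTC [input] <neo> dcsync corp.local CORP\\krbtgt
""",
}

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<tz>\S+) "
    r"\[(?P<kind>[a-z]+)\] (?P<body>.*)$"
)
META_RE = re.compile(r"computer: (?P<computer>[^;]+); user: (?P<user>[^;]+); process: (?P<process>[^;]+);")
INPUT_RE = re.compile(r"^<(?P<operator>[^>]+)> (?P<command>.*)$")

# Operator commands that move to another host, mapped to the token index of
# the target host: "jump <exploit> <target> <listener>",
# "remote-exec <method> <target> <command>". Assumed table for this example.
LATERAL = {"jump": 2, "remote-exec": 2}


def parse_beacon_log(text):
    """Return (host, user, events) for one beacon log; events are (timestamp, kind, body)."""
    host = user = None
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line [output] blocks, blanks, etc.
        if m["kind"] == "metadata":
            mm = META_RE.search(m["body"])
            if mm:
                host, user = mm["computer"].strip().upper(), mm["user"].strip()
        events.append((f"{m['date']} {m['time']}", m["kind"], m["body"]))
    return host, user, events


def build_campaign(logs):
    """Correlate beacon logs into per-host operator activity and lateral-movement edges."""
    commands = defaultdict(list)  # host -> [(timestamp, operator, command)]
    edges = []                    # (timestamp, source host, target host, command)
    for _name, text in sorted(logs.items()):
        host, _user, events = parse_beacon_log(text)
        if host is None:
            continue  # no metadata line: the beacon cannot be attributed to a host
        for ts, kind, body in events:
            if kind != "input":
                continue
            im = INPUT_RE.match(body)
            if not im:
                continue
            cmd = im["command"]
            commands[host].append((ts, im["operator"], cmd))
            tokens = cmd.split()
            idx = LATERAL.get(tokens[0]) if tokens else None
            if idx is not None and len(tokens) > idx:
                edges.append((ts, host, tokens[idx].upper(), cmd))
    return dict(commands), edges


def penetration_path(edges, target):
    """Trace how the operator reached `target`: follow first-seen lateral edges back to the foothold."""
    parent = {}
    for _ts, src, dst, _cmd in sorted(edges):  # earliest edge into each host wins
        parent.setdefault(dst, src)
    path = [target.upper()]
    while path[-1] in parent and parent[path[-1]] not in path:  # stop at root or on a cycle
        path.append(parent[path[-1]])
    return list(reversed(path))


if __name__ == "__main__":
    cmds, links = build_campaign(SAMPLE_LOGS)
    for host, acts in cmds.items():
        print(host, [c for _, _, c in acts])
    print("path to DC01:", " -> ".join(penetration_path(links, "DC01")))
```

The path reconstruction keys on operator input rather than on the beacon metadata arrows, so it still works when a target's beacon log is missing or unattributable; the trade-off is that a movement performed outside `jump`/`remote-exec` (for example a manually uploaded service binary) produces no edge and must be added by hand, which is exactly the kind of gap a blue team reviewer would annotate.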
The tool runs on Linux (Ubuntu 18 and newer, Kali 2020.1 and newer), macOS (El Capitan and newer) and Windows (Windows 7 and newer).
CISA also posted this video on YouTube.
Viewing the RedEye log. Image: CISA