New open-source tool from Permiso aims to simplify AWS console event analysis
Identity threat detection and response startup Permiso Security Inc. today announced the launch of Cloud Console Cartographer, an open-source tool that helps security teams make sense of console-driven event activity in their Amazon Web Services Inc. logs.
The new tool maps noisy log activity into highly consolidated, succinct events to help security practitioners quickly cut through the noise to better understand console behavior in their environment.
The tool seeks to address the issue wherein AWS console logs can turn from a single action into more than 300 CloudTrail events. CloudTrail is a service provided by AWS that records application programming interface calls and related events within an AWS account, enabling security monitoring, compliance auditing and operational troubleshooting.
The console events shown in CloudTrail are API calls that populate what is being displayed within the user interface. A console session can therefore contain far more events than the user's actual inputs or actions, and these events are never explicitly associated with the user's actions.
In reviewing these logs, Permiso argues that the result can be confusing. Security professionals are left trying to differentiate API calls specifically invoked by a specific user from secondary API invocations that create events to support the behavior or actions being conducted in the console user interface.
This confusion is well known on the attacker side too: Permiso says threat actors have been observed deliberately using the console and other UIs, knowing how hard this log data is for incident responders and blue teamers to interpret.
Cloud Console Cartographer processes the raw events in a log and can determine that, for example, a series of 17 CloudTrail events corresponds to a single click on a particular button in the UI, grouping them accordingly. The tool also parses additional data from the secondary events to provide more context about what the user was seeing in the console, such as the names of the groups, policies, roles or access keys that were active at the time the click occurred.
The ability to correlate and reduce these events into singular actions helps security teams quickly understand what activity was conducted in the console, something that is difficult to do today.
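The consolidation idea described above can be illustrated with a small Python script. This is an added example, not code from Cloud Console Cartographer or from Permiso, and it makes several assumptions of its own: console-originated events are identified by the string `console.amazonaws.com` in the CloudTrail `userAgent` field (the real console uses a few other user agents as well), events from one principal that arrive within a five-second window are treated as one burst, event names beginning with `Describe`, `List` or `Get` are treated as read-only "secondary" calls, and the first non-read-only call in a burst is treated as the user's actual action. The CloudTrail records are constructed sample data, not real logs.

```python
"""Toy consolidation of console-driven CloudTrail events.

Added example, not Permiso's tool. The grouping heuristic (same principal,
console user agent, five-second window, first write call = primary action)
is an assumption chosen for illustration.
"""
from datetime import datetime, timedelta

CONSOLE_UA = "console.amazonaws.com"            # assumption: marks console-originated calls
READ_ONLY_PREFIXES = ("Describe", "List", "Get")  # assumption: secondary, UI-populating calls
WINDOW = timedelta(seconds=5)                    # assumption: one click produces a short burst


def _record(time, name, source, principal, ua=CONSOLE_UA, params=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventName": name,
        "eventSource": source,
        "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{principal}"},
        "userAgent": ua,
        "requestParameters": params or {},
    }


# Constructed sample events: one IAM console click by alice that creates an
# access key, one CLI call by bob, and a later read-only console visit by alice.
SAMPLE_EVENTS = [
    _record("2024-04-16T10:00:00Z", "GetUser", "iam.amazonaws.com", "alice", params={"userName": "deploy-bot"}),
    _record("2024-04-16T10:00:01Z", "ListAttachedUserPolicies", "iam.amazonaws.com", "alice", params={"userName": "deploy-bot"}),
    _record("2024-04-16T10:00:01Z", "ListAccessKeys", "iam.amazonaws.com", "alice", params={"userName": "deploy-bot"}),
    _record("2024-04-16T10:00:02Z", "CreateAccessKey", "iam.amazonaws.com", "alice", params={"userName": "deploy-bot"}),
    _record("2024-04-16T10:00:02Z", "ListAccessKeys", "iam.amazonaws.com", "alice", params={"userName": "deploy-bot"}),
    _record("2024-04-16T10:00:03Z", "ListBuckets", "s3.amazonaws.com", "bob", ua="aws-cli/2.15.0"),
    _record("2024-04-16T10:01:00Z", "ListRoles", "iam.amazonaws.com", "alice"),
    _record("2024-04-16T10:01:01Z", "GetRole", "iam.amazonaws.com", "alice", params={"roleName": "Admin"}),
]


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_console_event(event):
    return CONSOLE_UA in event.get("userAgent", "")


def is_read_only(event_name):
    return event_name.startswith(READ_ONLY_PREFIXES)


def resource_names(event):
    """Collect request parameters that look like resource names, for context."""
    return {k: v for k, v in event.get("requestParameters", {}).items() if k.endswith("Name")}


def consolidate(events, window=WINDOW):
    """Group console events into bursts and label each burst's primary action."""
    console = sorted(
        (e for e in events if is_console_event(e)),
        key=lambda e: (e["userIdentity"]["arn"], parse_time(e["eventTime"])),
    )
    groups = []
    for event in console:
        principal = event["userIdentity"]["arn"]
        ts = parse_time(event["eventTime"])
        current = groups[-1] if groups else None
        # Start a new burst when the principal changes or the gap exceeds the window.
        if current is None or current["principal"] != principal or ts - current["end"] > window:
            current = {"principal": principal, "start": ts, "end": ts,
                       "primary": None, "secondary": [], "context": {}}
            groups.append(current)
        current["end"] = ts
        name = event["eventName"]
        if current["primary"] is None and not is_read_only(name):
            current["primary"] = name          # the user's actual action
        else:
            current["secondary"].append(name)  # calls that populate the UI
        current["context"].update(resource_names(event))
    for group in groups:
        if group["primary"] is None:           # burst of reads only: the user was browsing
            group["primary"] = f"browse ({group['secondary'][0]})"
    return groups


if __name__ == "__main__":
    for g in consolidate(SAMPLE_EVENTS):
        print(f"{g['start']:%H:%M:%S} {g['principal'].rsplit('/', 1)[-1]}: {g['primary']} "
              f"(+{len(g['secondary'])} secondary events, context={g['context']})")
```

Run against the sample, the script collapses alice's five-event burst into one `CreateAccessKey` action with four secondary calls and the context `userName=deploy-bot`, reports her later visit as read-only browsing, and leaves bob's CLI call out of the console view entirely. Real console traffic is messier than this: the window and the read-only prefix rule are starting points, and the user agent check alone will miss some console-initiated calls, so treat the output as triage help rather than ground truth.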
“If you’ve spent any amount of time digging through logs trying to triage activity in an environment, you’ve probably been overwhelmed with the log data that comes from console activity,” said Daniel Bohannon, principal threat researcher at Permiso. “Threat actors are aware of how confusing parsing this data can be and will often leverage GUI tools in order to better cover their tracks or deceive defenders who are tracking them in an environment.”
Permiso is a venture capital-backed startup, having just raised an early-stage round of $18.5 million on April 5. Investors in the Series A round include Altimeter Capital Management LP and Point72 Ventures LLC.