ALFA - Automated Audit Log Forensic Analysis for Google Workspace

Copyright (c) 2022 Invictus Incident Response
Authors: Greg Charitonos & BertJanCyber

Before you start

A note on supported operating systems: ALFA is tested on several Linux distributions (Debian and Ubuntu). Using it on Windows/macOS might or might not work; in our experience it's a mixed bag, so use it at your own risk.

Setup

Navigate to the folder in your terminal and run pip install -e .

NOTE: For retrieving credentials.json, please see CREDENTIALS.md

The first step is to initialize ALFA. Do this by running alfa init projectname; this command will create a new directory to store your configuration and data. A new project has now been generated called 'project_x'. Within that folder, copy your credentials.json into the config/ folder. After you have copied over the credentials.json file you are ready to use ALFA.

ALFA has 3 options, as explained below:

1. ALFA Acquire

Acquire all Google Workspace Audit Logs

a. From inside "project_x" (or whatever name you chose before) run alfa acquire. ALFA will now grab all logtypes for all users and save them to a subdirectory in the 'data' folder.

To see what other options you have, type alfa acquire -h. You can do all kinds of filtering to limit the data you are acquiring; some examples below:

Only grab the 'admin' logtype: alfa acquire -logtype=admin
Save the output to a specific folder: alfa acquire -d /tmp/project_secret
Only grab logs for a specific user: alfa acquire -user=insert_username
Grab logs within a defined time period: alfa acquire -start-time= -end-time= (the time format is RFC3339)

Now you know how to acquire data; time for some fancy stuff to unleash the power of ALFA.

2. ALFA Analyze

The analyze function automatically analyses all audit log data for a given Google Workspace to identify suspicious activity.

How this works

Each individual event is categorized based on a mapping that is made in alfa/config/event_to_mitre.yml. If an event matches that list, it is mapped to a technique that is part of the MITRE ATT&CK Cloud Framework. Next, ALFA will analyze all mapped events in chronological order to try to identify kill chains or logical attack paths. E.g. an event that is mapped to the Persistence phase followed by an event that is mapped to the Credential Access phase will result in a higher score. Ultimately ALFA will give the analyst a list of identified 'subchains' that can be further analyzed.

First run alfa analyze, which will automatically identify subchains (or report none if none were found). It will also drop you in a shell where you can perform follow-up activities. To get more information on a given subchain you can simply run A.subchains(), which will show you the chain using the following format: (number_of_first_event_in_chain, number_of_last_event_in_chain, killchain_score).
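To make the mapping-then-chaining idea concrete, here is an added Python example that is not ALFA's own code. It mimics the three steps described above: each audit event is looked up in a small table in the spirit of alfa/config/event_to_mitre.yml, the mapped events are walked in chronological order, and subchains are reported as (first_event, last_event, killchain_score). The tactic ordering, the scoring rule (a forward step in tactic order such as Persistence followed by Credential Access scores more than a repeat of the same tactic), the mapping table and the sample audit records are all constructed assumptions for this illustration, not ALFA's actual rules or data.

```python
"""Illustrative kill-chain scoring over Google Workspace audit events.

Added example, not ALFA's own code. Mapping table, tactic order, scoring
rule and sample events are constructed assumptions for illustration.
"""
from datetime import datetime

# ATT&CK cloud-matrix tactics in rough intrusion order (assumed ordering).
TACTIC_ORDER = [
    "Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Exfiltration", "Impact",
]
TACTIC_INDEX = {name: i for i, name in enumerate(TACTIC_ORDER)}

# Constructed stand-in for event_to_mitre.yml; key = (audit application, event name).
EVENT_TO_MITRE = {
    ("login", "login_success"):               ("Initial Access",    "T1078"),
    ("admin", "CREATE_USER"):                 ("Persistence",       "T1136.003"),
    ("admin", "CHANGE_PASSWORD"):             ("Credential Access", "T1556"),
    ("user_accounts", "recovery_email_edit"): ("Persistence",       "T1098"),
    ("drive", "download"):                    ("Collection",        "T1530"),
}

# Constructed sample audit records (RFC3339 timestamps, deliberately unordered).
RAW_EVENTS = [
    {"time": "2022-03-01T08:12:00Z", "app": "admin", "name": "CHANGE_PASSWORD", "actor": "alice"},
    {"time": "2022-03-01T08:00:00Z", "app": "login", "name": "login_success", "actor": "alice"},
    {"time": "2022-03-02T09:10:00Z", "app": "admin", "name": "CREATE_USER", "actor": "bob"},
    {"time": "2022-03-01T08:05:00Z", "app": "drive", "name": "view", "actor": "alice"},
    {"time": "2022-03-01T08:10:00Z", "app": "admin", "name": "CREATE_USER", "actor": "alice"},
    {"time": "2022-03-02T09:04:00Z", "app": "calendar", "name": "create_event", "actor": "bob"},
    {"time": "2022-03-01T08:30:00Z", "app": "drive", "name": "download", "actor": "alice"},
    {"time": "2022-03-02T09:00:00Z", "app": "login", "name": "login_success", "actor": "bob"},
    {"time": "2022-03-02T09:03:00Z", "app": "user_accounts", "name": "recovery_email_edit", "actor": "bob"},
]


def load_events(raw=RAW_EVENTS):
    """Parse RFC3339 timestamps and return the events in chronological order."""
    return sorted(raw, key=lambda e: datetime.fromisoformat(e["time"].replace("Z", "+00:00")))


def map_events(events, mapping=EVENT_TO_MITRE):
    """Step 1: attach a tactic/technique to each event; unmapped events get None."""
    out = []
    for ev in events:
        hit = mapping.get((ev["app"], ev["name"]))
        out.append({**ev, "tactic": hit[0] if hit else None,
                    "technique": hit[1] if hit else None})
    return out


def find_subchains(mapped, min_events=2):
    """Steps 2-3: walk events in order and emit (first, last, killchain_score).

    Assumed scoring rule: every mapped event adds 1; an event whose tactic lies
    later in TACTIC_ORDER than the previous mapped event's tactic adds 2 more.
    A step backwards in tactic order closes the chain and opens a new one.
    Unmapped events are skipped; they neither score nor break a chain.
    """
    chains, cur, prev_idx = [], None, None

    def close(chain):
        if chain and chain["n"] >= min_events:
            chains.append((chain["first"], chain["last"], chain["score"]))

    for pos, ev in enumerate(mapped):
        if ev["tactic"] is None:
            continue
        idx = TACTIC_INDEX[ev["tactic"]]
        if cur is None or idx < prev_idx:
            close(cur)
            cur = {"first": pos, "last": pos, "score": 1, "n": 1}
        else:
            cur["last"], cur["n"] = pos, cur["n"] + 1
            cur["score"] += 1 + (2 if idx > prev_idx else 0)
        prev_idx = idx
    close(cur)
    return chains


def describe(chain, mapped):
    """Expand one (first, last, score) tuple, as an analyst would in the follow-up shell."""
    first, last, score = chain
    lines = [f"subchain {chain}: score {score}"]
    for pos in range(first, last + 1):
        ev = mapped[pos]
        tag = f"{ev['tactic']} ({ev['technique']})" if ev["tactic"] else "-"
        lines.append(f"  [{pos}] {ev['time']} {ev['app']}:{ev['name']} {ev['actor']} -> {tag}")
    return "\n".join(lines)


def run():
    """Full pipeline on the constructed sample; returns the subchain tuples."""
    mapped = map_events(load_events())
    chains = find_subchains(mapped)
    for chain in chains:
        print(describe(chain, mapped))
    return chains


if __name__ == "__main__":
    run()
```

On the constructed sample, alice's sequence (Initial Access, Persistence, Credential Access, Collection) is reported as (0, 4, 10) while bob's (Initial Access, Persistence, Persistence) scores only (5, 8, 5): the forward progression through tactics is what drives the higher score, which is the property the README's Persistence-then-Credential-Access example describes. The untouched "view" and "create_event" records show why a mapping file needs to cover only the events an analyst cares about; everything else passes through without affecting the chain.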