Please note that this is still a work in progress! This tool may contain bugs, partially working features, or missing features!
This tool is designed to analyze logs exported from AWS in JSON format through a graphical interface, and helps identify suspicious activity. It is still in the testing phase but can already be used.
I originally created this tool to assist me in investigative challenges on HackTheBox (such as Nubilum 1 and Nubilum 2). Not finding similar tools, I decided to code one myself.
When opening the program, you must select a directory containing log files in .json format (the program searches its subdirectories to find every JSON file). Loading some of the data takes a little time. You can then access the following tabs:
The Event tab lets you create filters and display the matching events. You can also filter events by date. The program automatically suggests known keys and values as you fill in the fields.
The Statistics tab displays statistics for a chosen field. For example, you can show the percentage of events generated by each source IP address.
The Errors tab simply lists errors present in the logs.
The Alerts tab displays potentially malicious IP addresses, together with the user accounts those addresses accessed and the IAM policies they created.
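The core of what the Event, Statistics and Errors tabs do, as an added example that is not the tool's own code: a recursive JSON loader, a key/value and date-range filter, per-source-IP percentages and an error listing. It assumes the exported logs use the CloudTrail record layout (a "Records" array with eventTime, eventName, sourceIPAddress and errorCode fields); the sample records are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in CloudTrail-style export layout ({"Records": [...]}); that this is the shape of the AWS JSON export is an assumption.
SAMPLE_JSON = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-03-01T10:05:00Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.5", "errorCode": "AccessDenied"},
    {"eventTime": "2024-03-02T09:00:00Z", "eventName": "CreatePolicy", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-02T09:30:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7", "errorCode": "NoSuchEntity"},
]})

def parse_records(text):
    """Accept either a {"Records": [...]} export or a bare JSON array of events."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data

def load_records(root):
    """Recursively read every .json file under root, like the README's directory scan."""
    records = []
    for path in Path(root).rglob("*.json"):
        records.extend(parse_records(path.read_text(encoding="utf-8")))
    return records

def _ts(value):  # eventTime is UTC, e.g. 2024-03-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def filter_events(records, key=None, value=None, start=None, end=None):
    """Keep events whose top-level key equals value and whose eventTime lies in [start, end]."""
    out = []
    for rec in records:
        if key is not None and str(rec.get(key)) != str(value):
            continue
        t = _ts(rec["eventTime"])
        if (start and t < _ts(start)) or (end and t > _ts(end)):
            continue
        out.append(rec)
    return out

def source_ip_percentages(records):
    """Share of events per sourceIPAddress, as the Statistics tab describes."""
    counts = Counter(rec.get("sourceIPAddress", "unknown") for rec in records)
    total = sum(counts.values())
    return {ip: round(100.0 * n / total, 1) for ip, n in counts.items()} if total else {}

def list_errors(records):
    """Events carrying an errorCode, which is what the Errors tab lists."""
    return [(r["eventTime"], r["eventName"], r["errorCode"]) for r in records if "errorCode" in r]
```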