{"id":14156113,"url":"https://github.com/Permiso-io-tools/CloudConsoleCartographer","last_synced_at":"2025-08-06T02:31:49.630Z","repository":{"id":234070736,"uuid":"786645739","full_name":"Permiso-io-tools/CloudConsoleCartographer","owner":"Permiso-io-tools","description":"Released at Black Hat Asia on April 18, 2024, Cloud Console Cartographer is a framework for condensing groupings of cloud events (e.g. CloudTrail logs) and mapping them to the original user input actions in the management console UI for simplified analysis and explainability.","archived":false,"fork":false,"pushed_at":"2024-05-16T14:34:45.000Z","size":8450,"stargazers_count":138,"open_issues_count":0,"forks_count":5,"subscribers_count":7,"default_branch":"main","last_synced_at":"2024-08-17T08:06:33.907Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Permiso-io-tools.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-15T03:04:49.000Z","updated_at":"2024-08-17T08:06:36.544Z","dependencies_parsed_at":"2024-04-18T04:26:01.826Z","dependency_job_id":"364e9f6e-4686-4319-8c1c-9dd28de4cdd2","html_url":"https://github.com/Permiso-io-tools/CloudConsoleCartographer","commit_stats":null,"previous_names":["permiso-io-tools/cloudconsolecartographer"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Permiso-io-tools%2FCloudConsoleCartographer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/Permiso-io-tools%2FCloudConsoleCartographer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Permiso-io-tools%2FCloudConsoleCartographer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Permiso-io-tools%2FCloudConsoleCartographer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Permiso-io-tools","download_url":"https://codeload.github.com/Permiso-io-tools/CloudConsoleCartographer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228829052,"owners_count":17978142,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-17T08:05:13.600Z","updated_at":"2024-12-09T03:31:03.216Z","avatar_url":"https://github.com/Permiso-io-tools.png","language":"PowerShell","funding_links":[],"categories":["others"],"sub_categories":[],"readme":"![CloudConsoleCartographer](https://github.com/Permiso-io-tools/CloudConsoleCartographer/blob/main/Images/Cloud-Console-Cartographer.svg \"Cloud Console Cartographer Logo\")\n\n# Cloud Console Cartographer\n**Permiso:** https://permiso.io  \n**Read our release blog:** https://permiso.io/blog/introducing-cloud-console-cartographer-an-open-source-tool-to-help-security-team-easily-understand-log-events-generated-by-aws-console-use\n\nReleased at Black Hat Asia on April 18, 2024, Cloud Console Cartographer is a framework for condensing groupings of cloud events (e.g. 
CloudTrail logs) and mapping them to the original user input actions in the management console UI for simplified analysis and explainability. This is extremely beneficial for defenders since numerous input actions in management console sessions can generate tens and even many hundreds of events originating from a single interactive click by the end user.\n\nAn additional capability that Cloud Console Cartographer provides defenders is the parsing of relevant data from all events related to each mapping. For example, when a user clicks on IAM-\u003eUsers in the AWS Management Console and 100+ events are generated, this framework parses these logs and extracts all IAM users and long-lived access keys that were active at the time the logs were generated. This leads to point-in-time context of the environment and increased levels of visibility into what the user was seeing in the UI at the time of their activity.\n\nAn example of this IAM-\u003eUsers scenario is shown below:\n![CloudConsoleCartographer](https://github.com/Permiso-io-tools/CloudConsoleCartographer/blob/main/Images/IAM_Users_Screenshot.png \"IAM Users Screenshot\")\n\nLastly, what framework would be complete without some ASCII art:\n![CloudConsoleCartographer](https://github.com/Permiso-io-tools/CloudConsoleCartographer/blob/main/Images/CLI_ASCII_Art.png \"Cloud Console Cartographer ASCII Art\")\n\n## Installation\n\n\u003e```PowerShell\n\u003eImport-Module ./CloudConsoleCartographer.psd1\n\u003e```\n\n## Requirements (main functionality)\n\n\u003e```bash\n\u003epwsh 6+\n\u003e```\n\n## Requirements (UI Visualizer)\n\n\u003e```bash\n\u003epython3.11\n\u003epython3 -m pip install -r ./UI/Code/requirements.txt\n\u003e```\n\n## Usage\n\nThis tool offers a CLI (Command Line Interface) for processing cloud logs and simple display of results on the command line. More interactive analysis is better served using the Python UI Visualizer. 
Let's review its most common use cases:\n\n## Example 1 - Running the tool with local CloudTrail logs and event-level CLI summary\n\nUse the demo CloudTrail session stored in ./Demo to quickly see the power of the framework's aggregation and enhanced explainability, though, as later examples will show, logs can be piped into this framework's functions without requiring anything to be written to disk.\n\n### Note\n\nFirst invoke `Add-Signal` to apply Labels and to perform Signal/mapping evaluation. Then pass these results to one of many output functions.\n\nRun command:\n\n```dir ./Demo/InputEvents.json | Add-Signal -Verbose | Show-EventSummary -Detail signal```\n\n![CloudConsoleCartographer](https://github.com/Permiso-io-tools/CloudConsoleCartographer/blob/main/Images/Show-EventSummary_Screenshot.png \"Show-EventSummary Screenshot\")\n\n## Example 2 - Running the tool with CloudTrail logs queried directly from CloudTrail API and session-level CLI summary\n\n```aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=ASIAPERSHENDETJEMIQ1 | Add-Signal | Show-SessionSummary```\n\n![CloudConsoleCartographer](https://github.com/Permiso-io-tools/CloudConsoleCartographer/blob/main/Images/Show-SessionSummary_Screenshot.png \"Show-EventSummary Screenshot\")\n\n## Example 3 - Using Python-based UI Visualizer\n\n```cat ./Demo/InputEvents.json | Add-Signal | Show-SessionSummaryUI```\n\n![CloudConsoleCartographer](https://github.com/Permiso-io-tools/CloudConsoleCartographer/blob/main/Images/Show-SessionSummaryUI_Screenshot.png \"Show-SessionSummaryUI Screenshot\")\n\n### Contributing to this project\n\nTo contribute to this project, a new Signal definition must be added to `./Code/SignalDefinitions.ps1` (both `LabelType` enum and `Signal` class constructor) and corresponding Labels added to `./Code/AddLabel.ps1`. If Signal metadata requires substitutions (e.g. 
Summary property being updated with dynamic values extracted from mapped events) then this logic must be defined in `./Code/NewSignal.ps1`. Less common Signal overrides are defined in `./Code/AddSignal.ps1`.\n\nNew unit tests are required for new Signals or modifications to existing Signals. See below for more information.\n\n### Unit tests\n\nNew unit tests can be generated using the `New-UnitTest` function (e.g. `dir ./Demo/InputEvents.json | New-UnitTest -Verbose`).\n\nTesting against existing unit tests requires the [Pester](https://pester.dev/docs/introduction/installation/) unit testing framework and can be executed using `Invoke-Pester -TagFilter FullEvent`.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPermiso-io-tools%2FCloudConsoleCartographer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPermiso-io-tools%2FCloudConsoleCartographer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPermiso-io-tools%2FCloudConsoleCartographer/lists"}