We’ve recently added some new functionality to cloudgrep, the open source tool to search logs in cloud storage. This includes some fantstic contributions from the community too.
You can now run Yara rules with CloudGrep, like so:
cloudgrep -b my-bucket -y path/to/yara_rules_file.yar
In this example, -b my-bucket specifies the AWS S3 bucket to search, -y path/to/yara_rules_file.yar points to the file containing Yara rules. This is useful for scanning binary files in cloudstorage for malware and other patterns.
You can now output any matches in JSON format, making it easier to integrate cloudgrep with other tooling and data-pipelines:
cloudgrep -b my-bucket -q "search query" -jo > output.json
Here, -b my-bucket specifies the bucket, -q "search query" is the search query, and -jo (or –json_output) enables JSON output, storing the output in the file “output.json”.
Many thanks to Daniel Bohannon and Andi from Permiso for this additional functionality.
CloudGrep now supports parsing custom format logs, such as CloudTrail logs.
Command-Line Example:
cloudgrep.py -b my-bucket -q "search query" -lt cloudtrail
This command searches in my-bucket, where -q "search query" is the query, -lt (or –log_type) cloudtrail tells cloudgrep to parse the matching files as cloudtrail.
Many thanks to Daniel Bohannon and Andi from Permiso for this additional functionality too.
Let us know if you have any questions on any of the new features, and we’d love to see any more community contributions.
You can grab the latest release of cloudgrep at https://github.com/cado-security/cloudgrep