Log in




CARMEN, Centre of Log Analysis and Mining of Events, is a tool developed by the National Cryptologic Centre and the company S2Grupo to identify compromises by advanced persistent threats (APTs), and is the first tool based on Spanish technology and know-how.

CARMEN is a tool that collects, processes and analyzes information to generate intelligence mainly from the network traffic. It is made up of agents that compile traffic flows (collection elements), a database engine where information is inserted and a web application that allows representing and checking the collected information so that analysts can work on it and make decisions based on the results provided by the tool.

The data sources which CARMEN is able to work with are listed below:

· Proxy logs

· Passive HTTP

· Passive DNS

· Passive SMTP

· Monitoring and storage of IPC data

CARMEN allows applying predefined rules to every data source to detect undue use and, particularly, to detect significant anomalies (statistics, text chains, temporary series and based on knowledge) that may indicate that the organization has been compromised, and to define and integrate know-how in the tool, ranging from IOC to conditions of the anomaly.

CARMEN intends to identify external movement (C&C servers and ex filtration servers) and lateral movements of an advanced persistent threat. The collection and analysis capabilities of the tool cover the main external communication channels of these threats (web navigation, DNS consultation and email), and different mechanisms of internal communication of the compromised network.

In addition to the persistence stage, CARMEN provides capabilities to detect the threat at the intrusion stage, mainly anomaly conditions to detect common mechanisms of entry, such as watering hole or exploit kits, and deployment and integration of sandboxing capabilities to detect spear phishing.

More information


PGP Key Download

FINGERPRINT 2C2D 85AE E476 BFE1 ED48 A258 3110 0D8F 6C55 272A

Go back

Este sitio web utiliza cookies propias y de terceros para el correcto funcionamiento y visualización del sitio web por parte del usuario, así como la recogida de estadísticas. Si continúa navegando, consideramos que acepta su uso. Puede cambiar la configuración u obtener más información. Modificar configuración