CARMEN, Centre of Log Analysis and Mining of Events, is a tool developed by the National Cryptologic Centre and the company S2Grupo to identify compromises by advanced persistent threats (APTs), and is the first tool based on Spanish technology and know-how.

CARMEN collects, processes and analyzes information to generate intelligence, mainly from network traffic. It is made up of agents that collect traffic flows (collection elements), a database engine where the information is stored, and a web application for viewing and querying the collected information, so that analysts can work on it and make decisions based on the results the tool provides.


The data sources which CARMEN is able to work with are listed below:

· Proxy logs

· Passive HTTP

· Passive DNS

· Passive SMTP

· Monitoring and storage of IPC data

CARMEN allows predefined rules to be applied to every data source to detect misuse and, in particular, significant anomalies (statistical, text-string, time-series and knowledge-based) that may indicate that the organization has been compromised. It also allows analysts to define and integrate their own know-how in the tool, ranging from IOCs to anomaly conditions.

CARMEN aims to identify the external movement (C&C servers and exfiltration servers) and lateral movement of an advanced persistent threat. The collection and analysis capabilities of the tool cover the main external communication channels of these threats (web browsing, DNS queries and email), as well as different mechanisms of internal communication within the compromised network.

In addition to the persistence stage, CARMEN provides capabilities to detect the threat at the intrusion stage: mainly anomaly conditions to detect common entry mechanisms, such as watering hole attacks or exploit kits, and the deployment and integration of sandboxing capabilities to detect spear phishing.

Operating CARMEN with guarantees requires company certification in those public bodies where CARMEN is distributed free of licence costs, as is the case for solutions developed by CCN-CERT for the public sector. To obtain CARMEN partner certification, a company must have a number of certified professionals in each of the areas of specialization, depending on its number of clients.

The programme gives access to the level 1 and level 2 support services, which are provided by the manufacturer (S2 Grupo).

Companies that hold company certification, or are in the process of obtaining it, to operate CARMEN in the public sector free of licence costs, as is the case for solutions developed by CCN-CERT:

Name | Registered company name | Website | Certification status
S2 Grupo | S2 Grupo de Innovación en Procesos Organizativos, S.L | |
CSA | Centro Regional de Servicios Avanzados, S.A. | |
Entelgy Innotec Security | InnoTec System, S.L.U. | |





