Cirrus is a command-line tool written in Python to facilitate environment access and evidence collection across Google Cloud. Cirrus has been designed to support incident response and threat hunting operations. Sygnia created Cirrus and an associated blog series (Foundations & Forensic Artifacts) to help solve gaps with incident response in Google Cloud.
Cirrus is composed of two scripts:
- Assistant: automate Google Cloud access setup and cleanup
- Collector: collect log, configuration, and user data
The Assistant script automates the access prerequisites for a Google Cloud environment in preparation for evidence collection by the Collector. The Assistant script is built for execution in Google Cloud Shell, while the Collector script can be executed from any terminal. The Collector script authenticates to a Google Cloud environment with a service account key file, which can be generated by the Assistant script or created manually.
To prepare a Google Cloud environment for evidence collection, refer to the Assistant documentation.
To collect evidence from Google Cloud, refer to the Collector documentation.
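Because the Collector authenticates with a service account key file, a pre-flight check of that file catches the usual mistakes (a user credential file instead of a service account key, a truncated or malformed file, a key readable by other accounts on the analyst machine) before the collection run. The example below is an added illustration and is not Cirrus's own code; the field names are those of a standard Google Cloud service account key in JSON format, but the validation rules, the `validate_key_file` function and the sample key contents are assumptions constructed for this example (the private key material is a placeholder, not a real key).

```python
import json
import os
import stat
import tempfile

# Fields present in every Google Cloud service account key file (JSON format).
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def validate_key_file(path):
    """Return (project_id, client_email) if the file looks like a usable
    service account key; raise ValueError describing the first problem found."""
    # A key file grants the service account's permissions to whoever reads it,
    # so it should not be readable by group or others (POSIX only).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ValueError(f"{path}: readable by group/others (mode {oct(mode)}); chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        try:
            data = json.load(fh)
        except json.JSONDecodeError as exc:
            raise ValueError(f"{path}: not valid JSON ({exc})") from None
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"{path}: missing fields {missing}")
    # 'authorized_user' files (from gcloud application-default login) are user
    # credentials, not service account keys, and will not work here.
    if data["type"] != "service_account":
        raise ValueError(f"{path}: type is {data['type']!r}, expected 'service_account'")
    if not data["client_email"].endswith(".iam.gserviceaccount.com"):
        raise ValueError(f"{path}: client_email {data['client_email']!r} is not a service account")
    pk = data["private_key"]
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----")
            and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        raise ValueError(f"{path}: private_key is not a PEM-encoded private key")
    return data["project_id"], data["client_email"]


# Constructed sample key for the demonstration; the private key is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-ir-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "collector@example-ir-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def write_sample(data, mode=0o600):
    """Write a key dict to a temporary file with the given permissions."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    os.chmod(path, mode)
    return path


def demo():
    """Validate a good key, a user-credential file, and a world-readable key.
    Returns (good_result, type_error_message, permission_error_message)."""
    good_path = write_sample(SAMPLE_KEY)
    user_path = write_sample(dict(SAMPLE_KEY, type="authorized_user"))
    open_path = write_sample(SAMPLE_KEY, mode=0o644)
    try:
        good = validate_key_file(good_path)
        errors = []
        for p in (user_path, open_path):
            try:
                validate_key_file(p)
                errors.append(None)
            except ValueError as exc:
                errors.append(str(exc))
        return good, errors[0], errors[1]
    finally:
        for p in (good_path, user_path, open_path):
            os.remove(p)


if __name__ == "__main__":
    print(demo())
```

Run the check once before starting a collection; a failure here is cheaper to fix than an authentication error halfway through a multi-project evidence run.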
- Itay Angi (@NG-Syg)
- Wesley Guerra (@wrguerra)
- @yogevyuval - Provided code review.
- @yuvalmarciano - Provided code review.