vulkro-sf logs
Runs the offline Event Monitoring forensics pipeline over exported
EventLogFile data and ships the results to your SIEM. The analysis
happens on your machine: you export the logs once, and Vulkro scores
them against the SF-EVENT-MON-* and SF-SESSION-FP-* rule set without
streaming anything live or leaving an agent in the org. This page covers
logs analyze, logs export, and the related org forensic-snapshot
command.
vulkro-sf logs analyze
Synopsis
vulkro-sf logs analyze --input <path> [flags]
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| `--input <path>` | string | (required) | Path to the exported EventLogFile data (a directory of CSV log files, or a single exported log). |
| `--rules <list>` | string | (all) | Comma-separated list of SF-EVENT-MON-* rule ids to run. Restricts the analysis to the named rules instead of the full set. |
| `--tsp-rules` | bool | off | Also ingest and correlate Transaction Security Policy events (the SF-EVENT-MON-010 policy-ingestion path). |
| `--format <fmt>` | enum | table | Output format: table (human-readable findings) or json (machine-readable). |
What it does
logs analyze reads the exported log data and runs the offline forensics
detectors over it: failed-login bursts, impossible travel, token reuse,
report and dashboard abuse, the advanced-exfiltration composite score,
sensitive-field tracking, grant-velocity lateral movement, the full
API-abuse scoring band, the Wave 9 event types, and the
device-fingerprint session-anomaly rule. Use --rules to focus a run on
a subset (for example only the authentication signatures during an
incident), and --tsp-rules to fold Transaction Security Policy events
into the same timeline.
vulkro-sf logs export
Synopsis
vulkro-sf logs export --input <path> --format <siem> [flags]
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| `--input <path>` | string | (required) | Path to the exported EventLogFile data to analyze and export. |
| `--format <siem>` | enum | (required) | Destination format: splunk (HEC-style JSON events), sumo (Sumo Logic JSON), datadog (Datadog log JSON), or ecs (Elastic Common Schema JSON). |
| `--rules <list>` | string | (all) | Comma-separated list of SF-EVENT-MON-* rule ids to run before export. |
| `--tsp-rules` | bool | off | Also ingest and correlate Transaction Security Policy events before export. |
What it does
logs export runs the same analysis as logs analyze and then emits the
findings in the schema of the target SIEM, so they drop straight into an
existing detection pipeline with their MITRE ATT&CK mapping intact:
- splunk: JSON events shaped for a Splunk HTTP Event Collector ingest.
- sumo: JSON shaped for Sumo Logic ingestion.
- datadog: Datadog log-format JSON.
- ecs: Elastic Common Schema JSON for an Elastic / OpenSearch pipeline.
--rules and --tsp-rules behave exactly as they do on logs analyze.
vulkro-sf org forensic-snapshot
Synopsis
vulkro-sf org forensic-snapshot --target-org <alias> [flags]
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| `--target-org, -o <alias>` | string | (required) | The sf CLI org alias or username, as known to sf org login. |
| `--output <path>` | string | (cwd) | Directory to write the snapshot into. |
What it does
org forensic-snapshot captures a point-in-time forensic record of the
live org: the available EventLogFile data plus the identity and posture
state (permission assignments, Connected App configuration, session
policy) needed to reconstruct who could do what at the moment of capture.
This is the artifact to take at the start of an incident response so the
investigation runs against a frozen snapshot rather than an org that is
still changing underneath the analysts. The captured snapshot is the
input you then feed to logs analyze or logs export.
Exit codes
These exit codes apply to every subcommand on this page:
- 0: completed, no findings (for analyze/export) or snapshot captured (for forensic-snapshot).
- 1: completed, one or more forensic findings reported.
- 2: error (missing or unreadable input, an unknown rule id or export format, or, for forensic-snapshot, the sf CLI not on PATH, the alias not authenticated, or a network failure). The error message names the cause and the next step.
Privacy
logs analyze and logs export operate entirely on the local exported
files: nothing is read from the org during analysis and nothing is sent
anywhere except the SIEM destination you explicitly export to.
org forensic-snapshot reads EventLogFile and posture metadata through
your sf CLI; the OAuth token stays in the sf CLI credential store on
your machine.
Example
```sh
# Analyze an exported log directory, full rule set, table output.
vulkro-sf logs analyze --input ./eventlogs

# Run only the authentication signatures during an incident.
vulkro-sf logs analyze --input ./eventlogs --rules SF-EVENT-MON-001,SF-EVENT-MON-002,SF-EVENT-MON-003

# Export findings to Splunk, including Transaction Security Policy events.
vulkro-sf logs export --input ./eventlogs --format splunk --tsp-rules > splunk-events.json

# Capture a forensic snapshot at the start of an incident.
vulkro-sf org forensic-snapshot --target-org my-prod --output ./ir-snapshot
```
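An added incident-triage wrapper (example code, not part of the vulkro-sf project) that chains the commands above and branches on the documented exit codes, only exporting to the SIEM when analyze reported findings; the `VULKRO` variable, the `triage_logs` function and the output file names are this example's own choices.

```sh
#!/bin/sh
# Incident-triage wrapper for the commands on this page. Added example,
# not part of the vulkro-sf project: it runs `logs analyze` on an exported
# EventLogFile directory, branches on the documented exit codes (0 clean,
# 1 findings, 2 error) and only calls `logs export` when there is
# something to ship. VULKRO is this example's own knob for pointing at a
# different binary (e.g. a stub under test); it defaults to the real CLI.
VULKRO="${VULKRO:-vulkro-sf}"

# triage_logs <eventlog-dir> <siem-format> <out-dir> [rule-list]
# Prints one verdict word (clean, exported, error) and always returns 0,
# so it can sit inside a `set -e` pipeline; the verdict is the output.
triage_logs() {
    input="$1"; siem="$2"; outdir="$3"; rules="$4"
    mkdir -p "$outdir"
    # Shared flags for both commands; --rules narrows the run, e.g. to the
    # authentication signatures during an incident.
    set -- --input "$input"
    if [ -n "$rules" ]; then set -- "$@" --rules "$rules"; fi

    rc=0
    $VULKRO logs analyze "$@" --format json \
        > "$outdir/findings.json" 2> "$outdir/vulkro.err" || rc=$?
    case "$rc" in
        0) echo clean ;;
        1)
            # Findings reported: emit them in the SIEM's schema. Export uses
            # the same exit codes, so 1 here means the events were written.
            rc=0
            $VULKRO logs export "$@" --format "$siem" \
                > "$outdir/$siem-events.json" 2>> "$outdir/vulkro.err" || rc=$?
            if [ "$rc" -eq 1 ]; then echo exported; else echo error; fi
            ;;
        *)
            # 2 = bad input, unknown rule id or format; anything else
            # (127 = binary not found) is also an error for the analyst.
            echo error ;;
    esac
}
```

The stderr of both commands is collected in `vulkro.err` so the "cause and next step" message from an exit-2 run is kept beside the (empty) findings file.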
Where to go next
- Event Monitoring and offline forensics: the full SF-EVENT-MON-* rule reference, with each rule's MITRE ATT&CK mapping.
- vulkro-sf limits-report: the API-consumption view that pairs with the API-abuse scoring band.
- MITRE ATT&CK Enterprise matrix: https://attack.mitre.org/matrices/enterprise/