Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake

Cisco Talos has introduced EvidenceForge, an open-source tool designed to generate high-fidelity, correlated synthetic security logs across multiple formats. The tool addresses the data bottleneck in detection engineering and SOC training by providing realistic datasets with causal ordering, background noise, and AI-assisted scenario authoring.

Confidence: high | Analyzed: 2026-05-27

Authors: David J. Bianco

Source: Cisco Talos

Detection / Hunter

What Happened

Cisco Talos has introduced a new free tool called EvidenceForge that creates highly realistic, fake security logs. Security teams often struggle to find good data to train their staff or test their detection systems without exposing real, sensitive company data. EvidenceForge solves this by using AI to help design attack scenarios and then generating consistent, realistic logs across various systems like Windows and Linux. Organizations should consider using this tool to safely train their security analysts and test their defenses with high-quality simulated data.

Key Takeaways

  • Cisco Talos has released EvidenceForge, an open-source tool for generating realistic, correlated synthetic security logs.
  • The tool uses a single canonical event model to ensure causal and temporal consistency across 20+ log formats, including Windows, Linux, network, and EDR telemetry.
  • EvidenceForge leverages AI (Claude/Codex) for scenario authoring and a deterministic Python script for log generation.
  • It incorporates sophisticated timing models (like the Hawkes process) and realistic background noise to simulate genuine network environments and user behaviors.
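The timing model named above is the part that makes background noise look real: a Hawkes process is self-exciting, so each event briefly raises the chance of another, which gives the bursty clusters of logons, connections and process launches that real telemetry shows and a flat Poisson stream does not. The following is an added illustration, not EvidenceForge's own code: it samples event times with Ogata's thinning algorithm, measures how clustered the gaps are against a Poisson baseline, and renders a few constructed syslog-style lines (host, user and addresses are made up).

```python
import math
import random
from datetime import datetime, timedelta, timezone
from typing import List


def simulate_hawkes(mu: float, alpha: float, beta: float, horizon: float, seed: int = 0) -> List[float]:
    """Event times in [0, horizon) for intensity lambda(t) = mu + sum_{t_i<t} alpha*exp(-beta*(t-t_i)),
    sampled with Ogata's thinning. alpha = 0 degenerates to a Poisson process (no clustering);
    alpha < beta keeps the branching ratio alpha/beta below 1 so the process stays stable."""
    if not (mu > 0 and 0.0 <= alpha < beta):
        raise ValueError("need mu > 0 and 0 <= alpha < beta")
    rng = random.Random(seed)  # fixed seed: the same scenario regenerates identically
    events: List[float] = []
    t, excitation = 0.0, 0.0  # excitation = sum_i alpha*exp(-beta*(t - t_i)), kept incrementally
    while True:
        lam_bar = mu + excitation  # intensity only decays until the next event, so this bounds it
        dt = rng.expovariate(lam_bar)
        t += dt
        if t >= horizon:
            return events
        excitation *= math.exp(-beta * dt)  # decay the kernel sum to the candidate time
        if rng.random() * lam_bar <= mu + excitation:  # accept with probability lambda(t)/lam_bar
            events.append(t)
            excitation += alpha  # an accepted event raises the intensity for its followers


def interarrival_cv(events: List[float]) -> float:
    """Coefficient of variation of the gaps: about 1.0 for Poisson, clearly above 1 when events cluster."""
    gaps = [b - a for a, b in zip(events, events[1:])]
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean


def render_auth_lines(events: List[float], start: datetime = datetime(2026, 1, 1, tzinfo=timezone.utc),
                      host: str = "lab-host") -> List[str]:
    """Turn second offsets into constructed syslog-style auth lines (hypothetical host, user, addresses)."""
    return [
        f"{(start + timedelta(seconds=t)).isoformat(timespec='milliseconds')} {host} "
        f"sshd[{1000 + i}]: Accepted publickey for svc_backup from 10.0.0.{(i % 200) + 5}"
        for i, t in enumerate(events)
    ]


if __name__ == "__main__":
    bursty = simulate_hawkes(mu=0.2, alpha=1.6, beta=2.0, horizon=3000.0, seed=7)
    flat = simulate_hawkes(mu=1.0, alpha=0.0, beta=2.0, horizon=3000.0, seed=7)
    print(f"hawkes:  {len(bursty)} events, gap CV {interarrival_cv(bursty):.2f}")
    print(f"poisson: {len(flat)} events, gap CV {interarrival_cv(flat):.2f}")
    print("\n".join(render_auth_lines(bursty[:3])))
```

Both runs have roughly the same mean rate; the gap CV is what separates clustered from flat timing, and it is a quick sanity check to run on any synthetic dataset before feeding it to a detection pipeline.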

Affected Systems

  • Windows
  • Linux
  • Network Monitoring
  • EDR

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article announces a tool for generating synthetic logs to test detections, but does not provide specific detection rules itself.

Detection Engineering Assessment

EDR Visibility: N/A — The article discusses a tool that generates synthetic EDR telemetry, rather than analyzing a specific threat's EDR visibility.

Network Visibility: N/A — The article discusses a tool that simulates network visibility and sensor placement, rather than analyzing a specific threat.

Detection Difficulty: N/A — This is an informational post about a log generation tool, not a threat report.

Required Log Sources

  • Windows Security Events
  • Sysmon
  • Linux syslog
  • Zeek
  • Snort

Hunting Hypotheses

Hypothesis: If EvidenceForge is used in a hybrid or testing environment, consider hunting for its specific synthetic artifacts or default naming conventions to ensure simulated data does not accidentally pollute production alerts.
Telemetry: SIEM log ingestion pipelines
ATT&CK Stage: N/A
FP Risk: Low

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider evaluating EvidenceForge for generating synthetic log data to test existing detection pipelines and SIEM rules.

Infrastructure Hardening

  • N/A

User Protection

  • N/A

Security Awareness

  • Consider using EvidenceForge to build SOC analyst training programs with scenarios tailored to your specific environment.
  • Evaluate using the tool to create repeatable practice exercises that can be regenerated on demand for incident response training.