Sooty: SOC Analysts all-in-one CLI tool to automate and speed up workflow

Sooty

The SOC Analysts all-in-one CLI tool to automate and speed up workflow.

Feature

• Sanitise URL’s to be safe to send in emails
• Perform reverse DNS and DNS lookups
• Perform reputation checks from:
  • VirusTotal
  • BadIP’s
  • Abuse IPDB
• Check if an IP address is a TOR exit node
• Decode Proofpoint URL’s, UTF-8 encoded URLS, Office SafeLink URL’s and Base64 Strings
• Get file hashes and compare them against VirusTotal (see requirements)
• Perform WhoIs Lookups
• Check Usernames and Emails against HaveIBeenPwned to see if a breach has occurred.
• Simple analysis of emails to retrieve URL’s, emails and header information.
• Extract IP addresses from emails.
• Unshorten URL’s that have been shortened by external services. (Limited to 10 requests per hour)
• Query URLScan.io for reputation reports.
• Analyze email addresses for known malicious activity and report on domain reputation utilizing EmailRep.io

Install

Requirement

• Python 3.x
• Install all dependencies from the requirements.txt file. pip install -r requirements.txt
• To use the Hash comparison with VirusTotal requires an API key, replace the key VT_API_KEY in the code with your own key. The tool will still function without this key, however, this feature will not work.
• To use the Reputation Checker with AbuseIPDB requires an API Key, replace the key AB_API_KEY in the code with your own key. The tool will still function without this key, however, this feature will not work.
• To use the URLScan.io checker function with URLScan requires an API Key, replace the key ‘URLSCAN_IO_KEY’ in the code with your own key. The tool will still function without this key, however, this feature will not work.

Download

git clone https://github.com/TheresAFewConors/Sooty.git

Use

Source: https://github.com/TheresAFewConors/