Sooty: SOC Analysts all-in-one CLI tool to automate and speed up workflow

Sooty

The SOC Analysts all-in-one CLI tool to automate and speed up workflow.

Features

  • Sanitise URLs so they are safe to send in emails
  • Perform reverse DNS and DNS lookups
  • Perform reputation checks from:
  • Check if an IP address is a TOR exit node
  • Decode Proofpoint URLs, UTF-8 encoded URLs, Office SafeLink URLs and Base64 strings
  • Get file hashes and compare them against VirusTotal (see requirements)
  • Perform WhoIs lookups
  • Check usernames and emails against HaveIBeenPwned to see if a breach has occurred
  • Simple analysis of emails to retrieve URLs, email addresses and header information
  • Extract IP addresses from emails
  • Unshorten URLs that have been shortened by external services (limited to 10 requests per hour)
  • Query URLScan.io for reputation reports
  • Analyze email addresses for known malicious activity and report on domain reputation utilizing EmailRep.io
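As an added example (not Sooty's own code), this is the kind of sanitise/decode work the URL features above describe, in Python: defanging a URL so it is safe to paste into a report, unwrapping Office SafeLinks and Proofpoint URL Defense v2 links back to their destination, and decoding Base64 that has lost its padding. The sample links are constructed and the function names are my own.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

def defang_url(url: str) -> str:
    """Make a URL non-clickable so it is safe to paste into an email or ticket."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace(".", "[.]")

def decode_safelink(url: str):
    """Unwrap an Office 365 SafeLinks URL; returns None if it is not one."""
    parsed = urlparse(url)
    if not parsed.netloc.lower().endswith("safelinks.protection.outlook.com"):
        return None
    # The original destination is the percent-encoded 'url' query parameter.
    return parse_qs(parsed.query).get("url", [None])[0]

def decode_proofpoint_v2(url: str):
    """Unwrap a Proofpoint URL Defense v2 link; returns None if it is not one."""
    parsed = urlparse(url)
    if (not parsed.netloc.lower().endswith("urldefense.proofpoint.com")
            or not parsed.path.startswith("/v2/url")):
        return None
    wrapped = parse_qs(parsed.query).get("u", [None])[0]
    if wrapped is None:
        return None
    # v2 encoding: '_' stands for '/', and '-XX' is a hex-escaped byte (like %XX).
    return unquote(re.sub(r"-([0-9A-Fa-f]{2})", r"%\1", wrapped.replace("_", "/")))

def decode_base64(text: str) -> str:
    """Decode Base64 that may have lost its '=' padding; rejects non-Base64 input."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True).decode("utf-8")

def unwrap_url(url: str) -> str:
    """Strip known rewriting wrappers, then defang the result for reporting."""
    for decoder in (decode_safelink, decode_proofpoint_v2):
        inner = decoder(url)
        if inner:
            return defang_url(inner)
    return defang_url(url)

if __name__ == "__main__":
    # Constructed sample links, not real traffic.
    print(unwrap_url("https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Flogin%3Fid%3D7&data=02%7C01&reserved=0"))
    print(unwrap_url("https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.com_path-3Fq-3D1&d=DwIFAg&e="))
    print(decode_base64("aHR0cHM6Ly9leGFtcGxlLmNvbQ"))
```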

Install

Requirements

  • Python 3.x
  • Install all dependencies from the requirements.txt file: pip install -r requirements.txt
  • Hash comparison with VirusTotal requires an API key: replace the key VT_API_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
  • The reputation checker with AbuseIPDB requires an API key: replace the key AB_API_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.
  • The URLScan.io checker function requires an API key: replace the key URLSCAN_IO_KEY in the code with your own key. The tool will still function without this key, but this feature will not work.

Download

git clone https://github.com/TheresAFewConors/Sooty.git

Use

Source: https://github.com/TheresAFewConors/