This tool is used to give a quick structure to a SOC level 1 ticket. I used Selenium to gather infomation regarding an attack from our company's SIEM/IDS then I use that information with APIs from urlscan.io, abuseipdb, urlhaus, virustotal to collect more information by parsing json files and creating a basic structure that will be copied to the clipboard once done. While this tool is running the L1 Soc User can save time because he don't need to copy and paste information from the siem to other threat analysing websites and then coping that information to a ticket so he can do more advanced analysis of a threat and the quality of a ticket will increase rapidly.
create a ticket from all the information gathered and copy it to clipboard and give notification to useradd some colorscollect IOCs from virustotal json- open to new enhancements
timeout option for abuseipdb and other requests- do more testing with siem
- do more testing in manual mode
- add keywords function and check google for mitigations... also open tabs regarding those mitigations
- maybe create a basic database of tickets that are been created
- do some research on victim domain/IP
try to integrate semi-manual modeif no results found don't notify- check certificate and find other domains/website created by the same user using censys
_______
/ /, ;___________________;
/ // ; Soc-L1-Automation ;
/______// ;-------------------;
(______(/ danieleperera
usage: Soc-L1-Automation [-h] [-m] [--version] [--ip IP [IP ...]] [--sha SHA_SUM] [-v]
optional arguments:
-h, --help show this help message and exit
-m, --manual-mode To enter manual mode use this option
--version show program's version number and exit
--ip IP [IP ...] give a list of potential malicious ip addresses
--sha SHA_SUM Add SHA values to a list
-v, --verbose Use this flag to get full data from APIs
This code will use API to gather information regarding the data that you are giving it.
Before you start using this tool, you should register and login to these website and get your API keys. Please NOTE DOWN the API keys, some websites will show you the API keys only once.
Api | Description | Auth | Link |
---|---|---|---|
virustotal | Check Whois information for IP address/Domain | apikey |
Link |
getipintel | Check check if the IP is a proxy or spoofed | email |
Link |
iphub | Check check if the IP is a proxy or spoofed | apikey |
Link |
shodan | Check information about host and see if it was compromised | apikey |
Link |
apility.io | Check reputation and activity through time | apikey |
Link |
hybrid | Check association with malware | apikey |
Link |
malshare | Check IP address/Domain was used to spread malware | apikey |
Link |
urlhause | Check IP address/Domain was used to spread malware | none | none |
threatcrowd | Check Current status | none | none |
abuseipdb | Check if it's blacklisted | apikey |
Link |
urlscan.io | Check further more information | none | none |
threatminer | Check further more information | none | none |
You need python version > 3.7
python --version
After you checked that you have the correct version of python
git clone https://github.com/danieleperera/SocAnalystArsenal/
to clone this repo on your pc.
Then add your API keys to the api1.json it is inside /res/api/ and rename the api1.json to api.json
mv api1.json api.json
To install the required packages please use this metod
python setup.py install
Then run
pipenv sync
You should be ready to go.
Additional details are coming soon.
Additional details are coming soon.
Give an example
Additional details are coming soon.
Give an example
This project can be deployed on Cloud too. More Additional details are coming soon.
- Python - 100%
Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.
We use SemVer for versioning. For the versions available, see the tags on this repository.
- Daniele Perera - Mr. Px0r
See also the list of contributors who participated in this project.
This project is licensed under the MIT License - see the LICENSE.md file for details