SANS Internet Storm Center

Sooty: SOC Analyst's All-in-One Tool

Published: 2020-10-23
Last Updated: 2020-10-23 03:50:34 UTC
by Russ McRee (Version: 1)
0 comment(s)

Sooty was developed with the intent of helping SOC analysts automate parts of their workflow. Sooty performs the more mundane and routine checks SOC analysts typically undertake, with the hope of freeing the analyst to conduct deeper analysis in a more efficient and timely manner.

Download or clone Sooty from its GitHub repository.
I cloned Sooty into my tools directory with git clone https://github.com/TheresAFewConors/Sooty.git. You’ll need a current Python 3.x, and be sure to pull in Sooty’s dependencies with pip install -r requirements.txt (ideally inside a virtual environment); I was missing a number of them. You’ll also need to drop your API keys into their assigned slots in example_config.yaml and rename it config.yaml. Treat that file as a secret: it holds live keys for every service you enable, so keep it out of version control and readable only by your own account. The GitHub repo’s Requirements and Installation section has links for each of the services you’ll want API keys for, and a few pointers for setting them up properly.
Thereafter, python Sooty.py will get you started. Figure 1 shows the menu you’ll be presented with.


Figure 1: Sooty menu

I’ve had the recent pleasure of hunting duties and Sooty went to immediate use for preliminary assessment purposes. An instant IP reputation result is seen in Figure 2.


Figure 2: Sooty IP reputation

Suffice it to say, don’t count that IP on the good guy list.
Figure 3 exhibits a check of one of my email addresses.


Figure 3: Sooty email reputation

The email reputation check includes Have I Been Pwned results; you can see the answer to that question is affirmative.
Sooty option 7 will run URLs through urlscan.io, as seen in Figure 4. Bear in mind that a urlscan.io submission is visible to other users unless the scan is made unlisted or private, so think before submitting a URL that could tip off an attacker or expose a victim’s identity.


Figure 4: Sooty urlscan

The decoders, DNS, and phishing checks are handy for…you know…decoding, DNS, and phishing checks as follows.
Decoders: ProofPoint, URLs, Office SafeLinks, URL unShortener, Base64, and Cisco Password 7.
DNS: Reverse DNS, DNS, and WHOIS lookups
Phishing: Analyze Email, Email Addresses for Known Activity, Generate an Email Template based on Analysis, Analyze an URL with Phishtank, and HaveIBeenPwned
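The decoders listed above are simple enough to re-implement, and doing so is the quickest way to understand what each one strips away. The following is an added example written for this diary, not Sooty’s own code: stand-alone decoders for Proofpoint URL Defense v1 and v2 links, Office 365 SafeLinks, Base64 with missing padding, and Cisco type 7 passwords, plus a small dispatcher that picks a decoder from the shape of the input the way a menu-driven tool would. The sample links are constructed (targets on example.com), the Cisco type 7 key is the long-public one, and Proofpoint’s newer v3 format is deliberately left out.

```python
"""Offline re-implementations of several of the decoders Sooty bundles:
Proofpoint URL Defense (v1/v2), Office 365 SafeLinks, Base64 with missing
padding, and Cisco type 7. Added example, not Sooty's own code."""
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Cisco's long-public type 7 key. A type 7 string is two decimal digits
# (the starting offset into this key) followed by hex bytes, each XORed
# with the key byte at that offset. This is obfuscation, not encryption.
_CISCO7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_CISCO7_RE = re.compile(r"(0\d|1[0-5])(?:[0-9A-Fa-f]{2})+")

# Constructed samples (not real links); every target is on example.com.
PROOFPOINT_V2_SAMPLE = ("https://urldefense.proofpoint.com/v2/url?"
                        "u=https-3A__example.com_path-3Fa-3D1-26b-3D2&d=DwMFaQ&c=x&r=y")
PROOFPOINT_V1_SAMPLE = "https://urldefense.proofpoint.com/v1/url?u=http://www.example.com/&k=abc"
SAFELINKS_SAMPLE = ("https://nam02.safelinks.protection.outlook.com/?"
                    "url=https%3A%2F%2Fexample.com%2Flogin%3Fid%3D42&data=02%7C01%7C&sdata=abc&reserved=0")


def _query_param(url: str, name: str) -> str:
    values = parse_qs(urlparse(url).query).get(name)
    if not values:
        raise ValueError(f"link has no '{name}' parameter")
    return values[0]


def decode_proofpoint(url: str) -> str:
    """Recover the target of a Proofpoint URL Defense v1 or v2 link.
    v1 carries the target in ``u`` as-is; v2 percent-encodes it and then
    writes ``%`` as ``-`` and ``/`` as ``_``, so decoding reverses that.
    v3 uses a different, base64-based scheme and is not handled here."""
    parsed = urlparse(url)
    if "urldefense" not in parsed.netloc:
        raise ValueError("not a Proofpoint URL Defense link")
    u = _query_param(url, "u")
    if parsed.path.startswith("/v1/"):
        return u
    if parsed.path.startswith("/v2/"):
        return unquote(u.replace("-", "%").replace("_", "/"))
    raise ValueError("unsupported URL Defense version")


def decode_safelinks(url: str) -> str:
    """Office 365 SafeLinks simply percent-encode the target into ``url``."""
    if not urlparse(url).netloc.endswith("safelinks.protection.outlook.com"):
        raise ValueError("not a SafeLinks link")
    return _query_param(url, "url")


def decode_base64(text: str) -> str:
    """Base64-decode, tolerating the '=' padding that phishing kits often drop."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True).decode("utf-8", errors="replace")


def decode_cisco7(encoded: str) -> str:
    if not _CISCO7_RE.fullmatch(encoded):
        raise ValueError("not a well-formed Cisco type 7 string")
    offset = int(encoded[:2])               # the seed is decimal, 00..15
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _CISCO7_KEY[(offset + i) % len(_CISCO7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii", errors="replace")


def encode_cisco7(plain: str, seed: int = 8) -> str:
    """The inverse, handy for building test vectors; the XOR is symmetric."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 00..15")
    data = plain.encode("ascii")
    body = bytes(b ^ _CISCO7_KEY[(seed + i) % len(_CISCO7_KEY)]
                 for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def decode_any(value: str) -> tuple:
    """Pick a decoder from the shape of the input, as a menu-driven tool
    would. Cisco type 7 is tried before Base64 because a hex string is
    also valid Base64 and would otherwise decode to garbage."""
    value = value.strip()
    if "urldefense" in value:
        return "proofpoint", decode_proofpoint(value)
    if "safelinks.protection.outlook.com" in value:
        return "safelinks", decode_safelinks(value)
    if _CISCO7_RE.fullmatch(value):
        return "cisco7", decode_cisco7(value)
    return "base64", decode_base64(value)


if __name__ == "__main__":
    for sample in (PROOFPOINT_V2_SAMPLE, PROOFPOINT_V1_SAMPLE, SAFELINKS_SAMPLE,
                   "0822455D0A16", "aGVsbG8"):
        kind, result = decode_any(sample)
        print(f"[{kind}] {result}")
```

Two points worth noticing when you run it: decoding a rewritten link does not fetch anything, so it is safe to run on an attacker's URL, whereas the URL unshortener Sooty also offers has to follow the redirect and so touches attacker infrastructure; and a type 7 string is only obfuscated, which is why a configuration backup containing them is as sensitive as one with plaintext passwords.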

I’m also fond of the hashing functions, particularly Option 3: Check a hash for known malicious activity. As seen in Figure 5, Sooty calls the VirusTotal API, and results are returned very quickly.


Figure 5: Sooty hash check
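For readers who want the same hash check without the menu, here is an added example written for this diary, not Sooty’s code, that queries VirusTotal’s v3 REST API directly (GET /api/v3/files/{hash} with the key in the x-apikey header, as VirusTotal documents it). Only the hash is sent, never the sample. The malicious-verdict threshold of five engines is an assumed triage cut-off, not a VirusTotal setting, and the embedded report is a constructed response shaped like a v3 file object so the summarising logic can be exercised offline.

```python
"""Hash reputation lookup in the spirit of Sooty's option 3, written directly
against VirusTotal's v3 REST API. Added example, not Sooty's code. Only the
hash leaves your environment; the sample itself is never uploaded."""
import hashlib
import json
import re
import urllib.error
import urllib.request
from typing import Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
_HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
MALICIOUS_THRESHOLD = 5   # assumed triage cut-off, not a VirusTotal setting

# Constructed response shaped like a VT v3 file object; the counts, names
# and tags are made up for the example (the digest is SHA-256 of empty input).
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "attributes": {
            "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "last_analysis_stats": {"malicious": 41, "suspicious": 2, "undetected": 27,
                                    "harmless": 0, "timeout": 0, "type-unsupported": 3},
            "names": ["invoice.exe", "update.exe"],
            "tags": ["peexe"],
        },
    }
}


def sha256_file(path: str) -> str:
    """Hash a local sample in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_hash(value: str) -> str:
    """Lower-case and validate an MD5, SHA-1 or SHA-256 hex digest before it
    is spliced into a URL, so a stray character cannot become a different request."""
    h = value.strip().lower()
    if not _HASH_RE.match(h):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return h


def summarize_report(report: dict) -> dict:
    """Reduce a VT file object to the few fields an analyst triages on."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif malicious + suspicious > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "sha256": attrs.get("sha256"),
        "malicious": malicious,
        "suspicious": suspicious,
        "total_engines": sum(stats.values()),
        "verdict": verdict,
        "names": attrs.get("names", [])[:3],
        "tags": attrs.get("tags", []),
    }


def lookup_hash(file_hash: str, api_key: str, timeout: float = 15.0) -> Optional[dict]:
    """Query VT for one hash. Returns None when VT has never seen it (404) and
    raises on quota exhaustion (429) so a throttled lookup is never mistaken
    for a clean result."""
    req = urllib.request.Request(
        VT_FILES_URL + normalize_hash(file_hash),
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        if exc.code == 429:
            raise RuntimeError("VirusTotal quota exceeded; back off and retry") from exc
        raise


if __name__ == "__main__":
    import os
    import sys
    if len(sys.argv) > 1 and os.environ.get("VT_API_KEY"):
        print(lookup_hash(sys.argv[1], os.environ["VT_API_KEY"]))
    else:
        print(summarize_report(SAMPLE_REPORT))
```

Run it with a hash on the command line and VT_API_KEY in the environment to do a live lookup; without either it summarises the constructed report. The 404 and 429 cases are kept distinct on purpose: "never seen" is a finding in its own right for a suspected targeted sample, and a rate-limited lookup must not be recorded as clean.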

This is an incredibly handy, convenient tool; it really does deliver as promised, and I can vouch for it during real operations, not just toolsmith lab time. I do hope support continues for it. Give it a go and enjoy!

Cheers…until next time.

Russ McRee | @holisticinfosec

Keywords: BlueTeam DFIR SOC Sooty