SocAnalystArsenal

This tool is used to give a quick structure to a SOC level 1 ticket. I used Selenium to gather infomation regarding an attack from our company's SIEM/IDS then I use that information with APIs from urlscan.io, abuseipdb, urlhaus, virustotal to collect more information by parsing json files and creating a basic structure that will be copied to the clipboard once done. While this tool is running the L1 Soc User can save time because he don't need to copy and paste information from the siem to other threat analysing websites and then coping that information to a ticket so he can do more advanced analysis of a threat and the quality of a ticket will increase rapidly.

ToDo

• create a ticket from all the information gathered and copy it to clipboard and give notification to user
• add some colors
• collect IOCs from virustotal json
• open to new enhancements
• timeout option for abuseipdb and other requests
• do more testing with siem
• do more testing in manual mode
• add keywords function and check google for mitigations... also open tabs regarding those mitigations
• maybe create a basic database of tickets that are been created
• do some research on victim domain/IP
• try to integrate semi-manual mode
• if no results found don't notify
• check certificate and find other domains/website created by the same user using censys

Usage

          _______
         /      /,      ;___________________;
        /      //       ; Soc-L1-Automation ;
       /______//        ;-------------------;
      (______(/             danieleperera
      
usage: Soc-L1-Automation [-h] [-m] [--version] [--ip IP [IP ...]] [--sha SHA_SUM] [-v]

optional arguments:
  -h, --help         show this help message and exit
  -m, --manual-mode  To enter manual mode use this option
  --version          show program's version number and exit
  --ip IP [IP ...]   give a list of potential malicious ip addresses
  --sha SHA_SUM      Add SHA values to a list
  -v, --verbose      Use this flag to get full data from APIs

Overview

This code will use API to gather information regarding the data that you are giving it.

Getting Started

Before you start using this tool, you should register and login to these website and get your API keys. Please NOTE DOWN the API keys, some websites will show you the API keys only once.

Prerequisites

You need python version > 3.7

 python --version

After you checked that you have the correct version of python

 git clone https://github.com/danieleperera/SocAnalystArsenal/

to clone this repo on your pc.

Then add your API keys to the api1.json it is inside /res/api/ and rename the api1.json to api.json

mv api1.json api.json

Installing

To install the required packages please use this metod

python setup.py install

Then run

pipenv sync

You should be ready to go.

Running the tests

Additional details are coming soon.

Break down into end to end tests

Additional details are coming soon.

Give an example

And coding style tests

Additional details are coming soon.

Give an example

Deployment

This project can be deployed on Cloud too. More Additional details are coming soon.

Built With

• Python - 100%

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

Author

• Daniele Perera - Mr. Px0r

See also the list of contributors who participated in this project.

License

This project is licensed under the MIT License - see the LICENSE.md file for details