Top 10 SOAR Tools to Enhance Your SecOps Experience
Best Open-Source SOAR Tools For Faster Setups.
In a previous article, we talked about the core differences (and similarities) between SOAR and XDR. And because no SecOps specialist should be without an adequate toolkit, here are some SOAR tools you can try out to up your security automation game. Good hunting and enjoy the read!
Best Open Source SOAR Tools
Let’s get started. This list includes tools designed to accommodate all SOAR needs, from security monitoring and IDS/IPS to threat intelligence, vulnerability assessment, and incident response.
With no relation to Jurassic Park’s iconic fauna member, Velociraptor can best be described as a lightweight but advanced DFIR (i.e. Digital Forensics and Incident Response) platform, enabling a small SecOps team to investigate artifacts, monitor unusual endpoint activity across a vast digital ecosystem, formulate defense strategies, and mitigate incidents such as data breaches.
- Customizable artifacts via VQL (i.e. Velociraptor Query Language).
- Ability to create and customize monitoring rules on endpoint or server.
- Investigate data disclosure events that reach outside the environment.
- Ability to investigate various devices and flows.
- Reconstruct malicious activities.
Per the official documentation, the easiest way to deploy Velociraptor is through GitHub. However, do bear in mind that this is for evaluation purposes only. The same documentation reveals that Velociraptor’s setup should include three key milestones, along with several in-between steps.
Milestone 1: Server deployment. Three deployment schemes are available: self-signed SSL, cloud deployment, or Instant Velociraptor (see GitHub page).
Milestone 2: Client(s) deployment. Multiple deployment options: interactive setup, custom MSI, Client-as-a-Service, and agentless deployment.
Milestone 3: User authorization.
SecurityOnion is an open, Linux-based, appliance-style security monitoring, log management, and threat-hunting solution capable of integrating multiple third-party, paid, and open-source tools. The solution has powerful plug-and-play features and a high scalability factor.
- Community-powered and maintained.
- Multiple data types: agent, alert, asset, extracted content, full content, session, and transaction.
- Seamless integrations with various third-party tools (e.g., Kibana, Logstash, Suricata, Stenographer, Wazuh, CyberChef, Elasticsearch, etc.).
- High scalability factor. A single SecurityOnion-configured appliance can cover up to 1,000 nodes.
- Rich, native web interface.
- Can be integrated with both Azure and Amazon’s AWS.
SecurityOnion can be deployed through an installation wizard. Refer to the product’s GitHub page for additional instructions.
Arkime is an open-source, threat-hunting-oriented packet capture and search tool, boasting a high scalability factor and powerful analytics.
- Compute graphically rich connection graphs.
- Create custom SPI (Session Profile Information) pages.
- Web-based platform.
- APIs for JSON and PCAP data.
Select the appropriate installation package from the Downloads section and follow the attached documentation.
PRADS (i.e., Passive Real-Time Asset Detection System), sometimes spelled PRADAS, is a passive network traffic analyzer capable of quickly identifying services and active hosts.
- Can be integrated with proprietary or third-party IDS/IPS.
- On-demand info dump.
- Advanced scripting.
Please review PRADS’ installation documentation for additional information on the deployment process.
GRR is an enterprise-grade remote live forensics tool that offers great insight into attack patterns. This open-source solution also allows you to perform lightning-fast event triage and can be expanded to cover any number of endpoints.
- Ability to perform detailed endpoint analysis (e.g., CPU usage, RAM, I/O allocation, etc.).
- Raw file system access and analysis via The Sleuth Kit.
- Multi-platform support. GRR is compatible with Windows, Linux, and Mac OS X.
- Fast artifact collection features.
- Automatic scheduling for custom tasks.
- AngularJS web UI and RESTful JSON API, with server-side client libraries for Go, Python, and PowerShell.
GRR deployment is a two-phase process: server setup and client installation. The server can be installed from DEB packages, HEAD DEB packages, PIP packages, source, or the GRR Docker image. Don’t forget to secure access to your newly created GRR server; refer to the documentation for more info. On the client side, use the MSI package or the legacy MSI, depending on the situation.
Kansa is a modular PowerShell incident response framework, compatible with PSv2 and PSv3. The solution allows you to collect data from multiple hosts, investigate data breaches, and create security baselines.
- Ability to run modules as standalone utilities.
- Advanced scripting.
Refer to Kansa’s GitHub documentation for additional information regarding the setup and deployment processes.
pfSense is a web-managed router and firewall with support for add-on packages. The solution is a customized FreeBSD distribution, and it offers two deployment methods: hardware and cloud.
- Advanced firewall and routing features.
- Ability to seamlessly integrate with Azure and AWS.
Use Netgate Store’s pre-loaded package to install and deploy pfSense.
OWASP’s ZAProxy is an open-source vulnerability scanner with powerful pen-testing capabilities. The product positions itself between the browser and the web application (i.e., as a man-in-the-middle proxy), allowing the user to perform vulnerability scans, stage simulated web attacks, and examine the application for any vulnerabilities that could be leveraged.
- Web-based interface.
- A broad range of vulnerability and pen-testing features.
- Multi-platform support. ZAProxy is compatible with Linux, MacOS, and Windows.
Visit the developer’s official website to download the appropriate installation package. Docker images are also available.
Sigma is an open signature format that standardizes log file annotations.
- Enhance cross-department collaboration.
- Powerful annotation converter.
- Works alongside YARA and IOCs.
Please consult Sigma’s GitHub documentation for additional information on setup, deployment, and troubleshooting.
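To make concrete what a Sigma signature looks like and how a converter or matcher consumes it, here is an added example that is not part of the original article or of the Sigma project: a small Python evaluator for the core of the rule format (field maps with |contains, |startswith, |endswith and |all modifiers, list values, and a flat and/or/not condition), run over constructed process-creation events. The rule, the events, and the approved-deploy.exe filter path are all constructed for this illustration.

```python
import re

# Constructed Sigma rule, as the dict yaml.safe_load returns; not from the page or SigmaHQ.
RULE = {
    "title": "Encoded PowerShell command line (illustration)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-EncodedCommand", "-enc "]},
        "filter": {"ParentImage|endswith": "\\approved-deploy.exe"},
        "condition": "selection and not filter"}}

def value_matches(actual, pattern, modifier):
    # Sigma string comparison is case-insensitive; plain values allow * and ? wildcards.
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in a
    if modifier in ("startswith", "endswith"):
        return getattr(a, modifier)(p)
    rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, a) is not None

def search_matches(event, search):
    # Every field in the map must match; a list means any pattern, or all with |all.
    for key, patterns in search.items():
        field, *mods = key.split("|")
        modifier = next((m for m in mods if m != "all"), "exact")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [field in event and value_matches(event[field], v, modifier) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def rule_matches(rule, event):
    # Flat conditions only (and/or/not, "and" binds tighter); parentheses are not handled.
    det = rule["detection"]
    truth = {k: search_matches(event, v) for k, v in det.items() if k != "condition"}
    def term(t):
        neg = t.startswith("not ")
        return not truth[t[4:]] if neg else truth[t]
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in det["condition"].split(" or "))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed Sysmon-style process-creation events
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -NoP -EncodedCommand <base64-placeholder>"},
    {"Image": PS, "ParentImage": r"C:\Tools\approved-deploy.exe", "CommandLine": "powershell -enc <base64-placeholder>"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd /c echo -EncodedCommand"},
]
```

In practice the same rule is not evaluated in Python but compiled by Sigma's own tooling (pySigma / sigma-cli) into the query language of the SIEM or log store in use, which is the conversion the feature list above refers to.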
MozDef is Mozilla’s micro-service-based SIEM platform. Inspired by popular black-hat attack tools, this solution can help you automate low-grade security processes and conduct real-time event investigations.
- Integrates with Elasticsearch.
- Multiple automation tiers (e.g. cloud protections, firewalls, etc.)
- Real-time collaboration.
- Rich security event metrics.
Per MozDef’s documentation, this solution can be installed in a Docker container or launched directly on a machine running CentOS 7.
The vendor’s own Heimdal® Threat-hunting and Action Center offers:
- Granular telemetry across endpoints and networks.
- Equipped with built-in hunting and action capabilities.
- Pre-computed risk scores, indicators & detailed attack analysis.
- A single pane of glass for intelligence, hunting, and response.
This wraps up my article on the best open-source tools. Hope you’ve enjoyed it. Before I scoot, I’m going to share with you some things you can try out to get the best out of your SOAR solution.
- Trial and error. There’s nothing wrong with trying out multiple open-source SOAR tools at the same time. It might even give you the edge you need in order to make an educated decision.
- APIs and connectors. Please make sure that the SOAR you choose has the right API connectors. More than that, those connectors must also be customizable.
- Try going hybrid. Why choose SOAR over SIEM or the other way around when you can have both? The Heimdal® Threat-hunting and Action Center is a revolutionary platform that is fully integrated with the Heimdal solution suite. Designed to provide security teams with an advanced threat-centric view of their IT landscape, the solution employs granular telemetry to enable swift decision-making, using built-in hunting, remediation and actioning capabilities – all managed from the Heimdal Unified Security Platform.