In a previous article, we talked about the core differences (and similarities) between SOAR and XDR. And because no SecOps specialist should be without an adequate toolkit, here are some SOAR tools you can try out to up your security automation game. Good hunting and enjoy the read!

Best Open Source SOAR Tools

Let’s get started. This list includes tools designed to accommodate all SOAR needs, from security monitoring and IDS/IPS to threat intelligence, vulnerability assessment, and incident response.

1. Velociraptor

Overview

With no relation to Jurassic Park’s iconic fauna member, Velociraptor can best be described as a lightweight but advanced DFIR (i.e. Digital Forensics and Incident Response) platform, enabling a small SecOps team to investigate artifacts, monitor unusual endpoint activity across a vast digital ecosystem, formulate defense strategies, and mitigate incidents such as data breaches.

Features

  • Customizable artifacts via VQL (i.e. Velociraptor Query Language).
  • Ability to create and customize monitoring rules on endpoint or server.
  • Investigate occurrences of data disclosure outside the environment.
  • Ability to investigate various devices and flows.
  • Reconstruct malicious activities.

Deployment

Per the official documentation, the easiest way to deploy Velociraptor is through GitHub. However, do bear in mind that this is for evaluation purposes only. The same documentation reveals that Velociraptor’s setup should include three key milestones, along with several in-between steps.

Milestone 1: Server deployment. Three deployment schemes are available: self-signed SSL, cloud deployment, or Instant Velociraptor (see GitHub page).

Milestone 2: Client(s) deployment. Multiple deployment options: interactive setup, custom MSI, Client-as-a-Service, and agentless deployment.

Milestone 3: User authorization.

2. SecurityOnion

Overview

SecurityOnion is an open Linux, appliance-based security monitoring, log management, and threat-hunting solution capable of adopting multiple third-party, paid, and open-source tools. The solution has powerful plug-and-play features and a high scalability factor.

Features

  • Community-powered and maintained.
  • Multiple data types: agent, alert, asset, extracted content, full content, session, and transaction.
  • Seamless integrations with various third-party tools (e.g., Kibana, Logstash, Suricata, Stenographer, Wazuh, CyberChef, Elasticsearch, etc.).
  • High scalability factor. A single SecurityOnion-configured appliance can cover up to 1,000 nodes.
  • Rich, native web interface.
  • Can be integrated with both Azure and Amazon’s AWS.

Deployment

SecurityOnion can be deployed through an installation wizard. Refer to the product’s GitHub page for additional instructions.

3. Arkime

Overview

Arkime is an open-source, threat-hunting-oriented packet capture and search tool, boasting a high scalability factor and powerful analytics.

Features

  • Compute graphically rich connection graphs.
  • Create custom SPI (Session Profile Information) pages.
  • Web-based platform.
  • APIs for JSON and PCAP data.

Deployment

Select the appropriate installation package from the Downloads section and follow the attached documentation.

4. PRADS

Overview

PRADS (i.e., Passive Real-Time Asset Detection System), sometimes spelled PRADAS, is a passive network traffic analyzer capable of quickly identifying services and active hosts.

Features

  • Can be integrated with proprietary or third-party IDS/IPS.
  • On-demand info dump.
  • Advanced scripting.

Deployment

Please review PRADS’ installation documentation for additional information on the deployment process.

5. GRR

Overview

GRR is an enterprise-grade remote live forensics tool that offers great insight into attack patterns. This open-source solution also allows you to perform lightning-fast event triage and can be expanded to cover any number of endpoints.

Features

  • Ability to perform detailed endpoint analysis (e.g., CPU usage, RAM, I/O allocation, etc.)
  • Analyze raw file system access via The Sleuth Kit.
  • Multi-platform support. GRR is compatible with Windows, Linux, and macOS.
  • Fast artifact collection features.
  • Automatic scheduling for custom tasks.
  • AngularJS web UI and RESTful JSON API. Server-side libraries are available for Go, Python, and PowerShell.

Deployment

GRR deployment is a two-phase process: server setup and client implementation. The server can be installed from DEB, HEAD DEB, or PIP packages, from source, or from the GRR Docker image. Don’t forget about securing access to your newly created GRR server; refer to the documentation for more info. On the client side, use the MSI package or the legacy MSI, depending on the situation.

6. Kansa

Overview

Kansa is a modular PowerShell incident response framework, compatible with PSv2 and PSv3. The solution allows you to collect data from multiple hosts, investigate data breaches, and create security baselines.

Features

  • Ability to run modules as standalone utilities.
  • Advanced scripting.
  • Lightweight.

Deployment

Refer to Kansa’s GitHub documentation for additional information regarding the setup and deployment processes.

7. pfSense

Overview

pfSense is a web-managed router and firewall with support for add-on packages. The solution is a customized distribution of the popular FreeBSD, boasting two deployment methods: hardware and cloud.

Features

  • Advanced firewall and routing features.
  • Ability to seamlessly integrate with Azure and AWS.
  • Open-source.

Deployment

Use Netgate Store’s pre-loaded package to install and deploy pfSense.

8. ZAProxy

Overview

OWASP’s ZAProxy is an open-source vulnerability scanner with powerful pen-testing capabilities. The product positions itself between the browser and the web application (i.e., man-in-the-middle) allowing the user to perform vulnerability scans, stage fake web attacks, and examine the source code for any vulnerabilities that can be leveraged.

Features

  • Web-based interface.
  • A broad range of vulnerability and pen-testing features.
  • Multi-platform support. ZAProxy is compatible with Linux, MacOS, and Windows.

Deployment

Visit the developer’s official website to download the appropriate installation package. Docker images are also available.

9. Sigma

Overview

Sigma is an open signature format that standardizes how detection rules for log events are written, so they can be shared and converted between tools.

Features

  • Enhance cross-department collaboration.
  • Powerful annotation converter.
  • Works alongside YARA and IOCs.

Deployment

Please consult Sigma’s GitHub documentation for additional information on setup, deployment, and troubleshooting.
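To make the Sigma entry concrete, here is a small rule evaluator added for this article (not code from the Sigma project). It applies a constructed Sigma-style rule, written as a Python dict instead of the YAML a real rule uses, to constructed process-creation events, and supports only the common `selection and not filter` condition shape with `contains`, `endswith` and plain wildcard matching.

```python
import fnmatch

# Constructed example rule: a real Sigma rule is YAML with these same keys.
RULE = {
    "title": "PowerShell launched with an encoded command",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-encodedcommand "],
        },
        # Constructed allow-list placeholder for a known automation parent.
        "filter": {"ParentImage|endswith": "\\backup-agent.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed process-creation events standing in for Sysmon/EDR logs.
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-blob>"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Backup\\backup-agent.exe",
     "CommandLine": "powershell.exe -EncodedCommand <base64-blob>"},
    {"id": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

def _match(spec, event, expected):
    """Match one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        if (modifier == "contains" and exp in value) or \
           (modifier == "endswith" and value.endswith(exp)) or \
           (modifier == "" and fnmatch.fnmatchcase(value, exp)):  # * and ? wildcards
            return True
    return False  # a list of values is ORed; none matched

def _selection(det, name, event):
    # Every field in a selection map must match (AND); value lists are OR.
    return all(_match(spec, event, exp) for spec, exp in det[name].items())

def rule_matches(rule, event):
    """Evaluate conditions of the form 'X' or 'X and not Y'."""
    det, tokens = rule["detection"], rule["detection"]["condition"].split()
    hit = _selection(det, tokens[0], event)
    if len(tokens) == 4 and tokens[1:3] == ["and", "not"]:
        hit = hit and not _selection(det, tokens[3], event)
    elif len(tokens) != 1:
        raise ValueError("unsupported condition: " + det["condition"])
    return hit

def find_hits(rule, events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(rule, e)]
```

Event 2 is suppressed by the filter and event 3 never enters the selection, so only event 1 is reported.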

10. MozDef

Overview

MozDef is Mozilla’s micro-service-based SIEM platform. Inspired by popular, black-hat attack tools, this solution can help you automate low-grade security processes and conduct real-time event investigations.

Features

  • Integrates with Elasticsearch.
  • Multiple automation tiers (e.g. cloud protections, firewalls, etc.)
  • Real-time collaboration.
  • Rich security event metrics.

Deployment

Per MozDef’s documentation, this solution can be installed in a Docker container or launched directly on a CentOS 7 machine.

Conclusion

This wraps up my article on the best open-source tools. Hope you’ve enjoyed it. Before I scoot, I’m going to share with you some things you can try out to get the best out of your SOAR solution.

  1. Trial and error. There’s nothing wrong with trying out multiple open-source SOAR tools at the same time. It might even give you the edge you need in order to make an educated decision.
  2. APIs and connectors. Please make sure that the SOAR you choose has the right API connectors. More than that, those connectors must also be customizable.
  3. Try going hybrid. Why choose SOAR over SIEM or the other way around when you can have both? The Heimdal® Threat-hunting and Action Center is a revolutionary platform that is fully integrated with the Heimdal solution suite. Designed to provide security teams with an advanced threat-centric view of their IT landscape, the solution employs granular telemetry to enable swift decision-making, using built-in hunting, remediation and actioning capabilities – all managed from the Heimdal Unified Security Platform.
