In a previous article, we talked about the core differences between SOAR and XDR. And because no SecOps specialist should be without an adequate toolkit, here are some SOAR tools you can try out to up your security automation game. Good hunting and enjoy the read!
Best Open Source SOAR Tools
Let’s get started. This list includes tools designed to accommodate all SOAR needs, from security monitoring and IDS/IDP to threat intelligence, vulnerability assessment, and incident response.
1. Heimdal® Threat-Hunting and Action Center (TAC)
Why choose SOAR over SIEM or the other way around when you can have both?
The Heimdal® Threat-hunting and Action Center is a revolutionary platform that is fully integrated with the Heimdal solution suite.
Designed to provide security teams with an advanced threat-centric view of their IT landscape, the solution employs granular telemetry to enable swift decision-making, using built-in hunting, remediation and actioning capabilities – all managed from the Heimdal Unified Security Platform.
Key Features
- Threat Telemetry View Visualizer – ‘the visual storyboard’ an interactable global view of locations, grouped by endpoints/hostname and risk severity
- Risk Scoring – pre-computed trending and analysis by day/month
- Categorized Events – classified by CVSS-spun severity (i.e., Critical, High, Medium, and Low)
- XTP Engine/MITRE Risk Alerts – pre-computed top 5 alerts by MITRE ATT&CK tactics
- MITRE Threat Visualizer – alternative threat-viewing mode, categorized by MITRE alerts.
- Threat Detection – leverages our state-of-the-art XTP Engine which analyses logs using 2k+ rules trained by our experts and mapped to renowned industry techniques (i.e., MITRE) of alerts based on 1400+ sigma rules
- Threat Classification – XTP Engine powered by MITRE classifications does the heavy lifting when it comes to risk classification and threats based on type, empowering security teams to know where the alert originates (e.g., privilege escalation, persistence, execution, credential access, lateral movement, etc.).
- Threat Hunting – dive straight into groups and hosts that have indicators of compromise (IoCs) across the network and track-down IP locations using globe/map view.
- Threat Investigation – drill into endpoint level for advanced intel including health, risk scores, and more; completely visualized to fuel action or further investigate modules.
- Deep Analysis – our threat-engine aids further investigation/forensics efforts with contextualized detection details including process mapping.
- Remediation – deep intel to review, resolve, aid responders or action a response straight from the suite; complete with logged activity trail and notes.
- Action controls – a hot action widget control panel that spans across detection, remediation action log, audit trails, and recommendations.
- Protection Stats Reporting – a real-time at-a-glance widget that indicates risk levels across the Heimdal activate suite, along with health score and trend analysis over a selected period.
2. Velociraptor
Source: Medium
With no relation to Jurassic Park’s iconic fauna member, Velociraptor can best be described as a lightweight but advanced DFIR ( Digital Forensics and Incident Response) platform, enabling a small SecOps team to investigate artifacts, monitor unusual endpoint activity across a vast digital ecosystem, formulate defense strategies, and mitigate incidents such as data breaches.
Key Features
- Customizable artifacts via VQL (i.e. Velociraptor Query Language).
- Ability to create and customize monitoring rules on endpoint or server.
- Investigate disclosure of data occurrences outside of the environment.
- Ability to investigate various devices and flows.
- Reconstruct malicious activities.
Deployment
Per the official documentation, the easiest way to deploy Velociraptor is through GitHub. However, do bear in mind that this is for evaluation purposes only. The same documentation reveals that Velociraptor’s setup should include three key milestones, along with several in-between steps.
Milestone 1: Server deployment. Three deployment schemes are available: self-signed SSL, cloud deployment, or Instant Velociraptor (see GitHub page).
Milestone 2: Client(s) deployment. Multiple deployment options: interactive setup, custom MSI, Client-as-a-Service, and agentless deployment.
Milestone 3: User authorization.
3. SecurityOnion
Source: SecurityOnion
SecurityOnion is an open Linux, appliance-based security monitoring, log management, and threat-hunting solution capable of adopting multiple third-party, paid, and open-source tools. The solution has powerful plug-and-play features and a high scalability factor.
Key Features
- Community-powered and maintained.
- Multiple data types: agent, alert, asset, extracted content, full content, session, and transaction.
- Seamless integrations with various third-party tools (e.g., Kibana, Logstash, Suricata, Stenographer, Wazuh, CyberChef , Elasticsearch, etc.).
- High scalability factor. A single SecurityOnion-configured appliance can cover up to 1,000 nodes.
- Rich, native web interface.
- Can be integrated with both Azure and Amazon’s AWS.
Deployment
SecurityOnion can be deployed through an installation wizard. Refer to the product’s GitHub page for additional instructions.
4. Arkime
Source: Malcolm
Arkime is an open-source, threat-hunting-oriented packet capture and search tool, boasting a high scalability factor and powerful analytics.
Key Features
- Compute graphically rich connection graphs.
- Create custom SPI (Session Profile Information) pages.
- Web-based platform.
- APIs for JSON and PCAP data.
Deployment
Select the appropriate installation package from the Downloads section and follow the attached documentation.
5. PRADS
Source: LinuxLinks
PRADS (i.e., Passive Real-Time Asset Detection System), sometimes spelled as PRADAS is a passive network traffic analyzer capable of quickly identifying services and active hosts.
Key Features
- Can be integrated with proprietary or third-party IDS/IPS.
- On-demand info dump.
- Advanced scripting.
Deployment
Please review PRADS’ installation documentation for additional information on the deployment process.
6. GRR
Source: SemanticScholar
GRR is an enterprise-grade remote live forensics tool that offers great insight into attack patterns. This open-source solution also allows you to perform lightning-fast event triage and can be expanded to cover any number of endpoints.
Key Features
- Ability to perform detailed endpoint analysis (e.g., CPU usage, RAM, I/O allocation, etc.)
- Analyze raw file system access via the SleuthKit.
- Multi-platform support. GRR is compatible with Windows, Linux, and Mac OSX.
- Fast artifact collection features.
- Automatic scheduling for custom tasks.
- AngularJS Web UI and API for RESTful JSON. Supports Go, Python, and PowerShell, server-side Libraries.
Deployment
GRR deployment is a two-phase process: server setup and client implementation. The server can be installed DEB, HEAD DEB, PIP packages, source, or from the GRR Docker image. Don’t forget about securing access to your newly created GRR server; refer to the documentation for more info. On the client side, use the MSI package or the legacy MSI, depending on the situation.
7. Kansa
Source: Trusted Signal
Kansa is a modular PowerShell incident response framework, compatible with PSv2 and PSv3. The solution allows you to collect data from multiple hosts, investigate data breaches, and create security baselines.
Key Features
- Ability to run modules as standalone utilities.
- Advanced scripting.
- Lightweight.
Deployment
Refer to Kansa’s GitHub documentation for additional information regarding the setup and deployment processes.
8. pfSense
Source: Reddit
pfSense is a web-based router and firewall, with powerful package-allowing features. The solution is a customized variant of the popular FreeBSD, boasting two deployment methods: hardware and cloud.
Key Features
- Advanced firewall and routing features.
- Ability to seamlessly integrate with Azure and AWS.
- Open-source.
Deployment
Use Netgate Store’s pre-loaded package to install and deploy pfSense.
9. ZAProxy
Source: Kali
OWASP’s ZAProxy is an open-source vulnerability scanner with powerful pen-testing capabilities. The product positions itself between the browser and the web application (i.e., man-in-the-middle) allowing the user to perform vulnerability scans, stage fake web attacks, and examine the source code for any vulnerabilities that can be leveraged.
Key Features
- Web-based interface.
- A broad range of vulnerability and pen-testing features.
- Multi-platform support. ZAProxy is compatible with Linux, MacOS, and Windows.
Deployment
Visit the developer’s official website to download the appropriate installation package. Docker images are also available.
10. Sigma
Source: Medium
Sigma is an open signature format that standardizes log file annotations.
Key Features
- Enhance cross-department collaboration.
- Powerful annotation converter.
- Works alongside YARA and IOCs.
Deployment
Please consult Sigma’s GitHub documentation for additional information on setup, deployment, and troubleshooting.
11. MozDef
Source: MozDef
MozDef is Mozilla’s micro-service-based SIEM platform. Inspired by popular, black-hat attack tools, this solution can aid you to automate low-grade security processes and conduc real-time event investigations.
Key Features
- Ability to overlap with Elastisearch.
- Multiple automation tiers (e.g. cloud protections, firewalls, etc.)
- Real-time collaboration.
- Rich security event metrics.
Deployment
Per MozDef’s documentation, this solution can be installed in a Docker Container or launched directly from a CentOS 7-running machine.
- Granular telemetry across endpoints and networks.
- Equipped with built-in hunting and action capabilities.
- Pre-computed risk scores, indicators & detailed attack analysis.
- A single pane of glass for intelligence, hunting, and response.
Conclusion
This wraps up my article on the best open-source tools. Hope you’ve enjoyed it. Before I scoot, I’m going to share with you some things you can try out to get the best out of your SOAR solution.
- Trial and error. There’s nothing wrong with trying out multiple open-source SOAR tools at the same time. It might even give you the edge you need in order to make an educated decision.
- APIs and connectors. Please make sure that the SOAR you choose has the right API connectors. More than that, those connectors must also be customizable.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.