I spotted an article on the SANS InfoSec Handlers Diary Blog where the author described a tool for Security Operations Engineers named Sooty:
It’s a command line tool predominantly seeking to put the day to day tasks of analysing attacks and enterprise defence at the fingertips of the analyst.
As a tool it is very task oriented, when you run it you are presented with a list of options:
You then select your options and answer the prompts and away you go. It took a little more effort to install that I wanted to I have documented my findings here in this article.
Installation on WSL2
My primary shell is Ubuntu on WSL2 running on my Windows 10 laptop:
The recommended install process is to clone the repository:
You will also need to make sure that
python3-tk0 is installed:
You will then need to install Sooty dependencies are installed:
Then configure sooty by copying
config.yaml and copying in your API keys:
- Virus Total API—****click on your profile in the top right hand corner then select API Key.
- AbuseIPDB— visit APIv2 in your profile
- UrlScan— visit your UrlScan profile
- HaveIBeenPwned — sign up to the API on the site (USD $3.5/month)
- EmailRep.io — Request a key
- PhishTank— Create an application
Most of these services have free-tiers which will get you started and even if you don’t add any API Keys there is still a lot of functionality you will find useful.
Once you are done you can run
python3 Sooty.py to test everything works; I have also setup an alias in my profile so I only need to type
Once you’re done try and integrate it into your workflow, if you are anything like me you will find yourself far more productive in a few hours.