When it comes to incident response, Azure Sentinel is one piece of the puzzle, a big one. Still, we need to make sure we have the additional, proper tools for the investigation, analysis, threat hunting and response actions that make up IR, and so complete the puzzle.
The tools below are valuable for IR, SOC, case management and other teams. They can be used standalone, but they can also be part of your SOC team's workflow and SIEM solution, including when working with Azure Sentinel.
Note: The list will be updated from time to time.
- Redline is an endpoint security tool that gives users investigative capabilities to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
- Memoryze is a memory forensics tool that helps incident responders find evil in live memory. Memoryze can acquire and analyze memory images and, on live systems, can include the paging file in its analysis.
- FakeNet-NG is open source and designed for the latest versions of Windows and Linux (Linux has some restrictions). FakeNet-NG is based on the FakeNet tool developed by Andrew Honig and Michael Sikorski. It lets you intercept and redirect all or specific network traffic while simulating legitimate network services.
- FLOSS is an open-source tool that automatically detects, extracts, and decodes obfuscated strings in Windows Portable Executable (PE) files.
- Flare-VM is an open-source Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers, inspired by open-source Linux-based security distributions such as Kali Linux.
- Regshot helps you take snapshots of the registry before and after performing a task or executing a file, then compare them to find the differences.
- CaptureBAT helps capture behavior, with parent-child relationships, when executing a process or file.
- PEStudio helps you find suspicious artifacts within executable files to ease and accelerate malware initial assessment.
- FTK Imager is a popular imaging tool that lets you collect evidence of an incident and use it in further analysis.
- Sysinternals is a set of troubleshooting utilities that have been rolled up into a single suite of tools. The file contains the individual troubleshooting tools and help files.
- Registry Browser is a tool for searching and reporting on the entire registry at once (instead of on a hive-by-hive basis).
- RootkitRevealer scans for and lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
- XAMPP lets you quickly build a web server and database to support malware analysis.
- Beagle is an incident response and digital forensics tool which transforms data sources and logs into graphs. Supported data sources include FireEye HX triages, Windows EVTX files, Sysmon logs, and raw Windows memory images.
- HxD is a carefully designed and fast hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size.
- ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP.
- PhishTank provides threat intelligence about phishing sites.
- Spamhaus tracks spam and related cyber threats such as phishing, malware, and botnets, and provides real-time, actionable, and highly accurate threat intelligence.
- PhishStats is a tool for phishing statistics.
- Cisco Talos is a comprehensive threat intelligence source.
- IPVoid is a tool for discovering details about IP addresses: IP blacklist check, whois lookup, DNS lookup, ping, and more.
- Cyren IP identifies and tracks IP addresses and ranks them according to their reputation.
- IPQualityScore is a tool for looking up IP reputation history, which could indicate spam issues, threats, or elevated IP fraud scores.
- VirusTotal provides threat intelligence for files, IPs, and URLs from 60+ sources.
- HetrixTools Blacklist Monitor monitors your IPs and domains.
- Metadefender provides threat intelligence for files, IPs, URLs, CVEs, and domains.
- FireEye OpenIOCs contains IOCs related to multiple APTs.
- IntelMQ is a tool for collecting and processing security feeds (such as log files).
- threatfeeds.io provides free and open-source threat intelligence feeds.
- ThreatMiner is a data mining tool for threat intelligence.
- VirusShare is a collection of malware used for malware analysis and machine learning.
- Mrlooquer improves security by assessing the risk and exposure of your public asset inventory.
- IOC Finder is a free tool for collecting host system data and reporting the presence of IOCs.