
ELK

Zeek
Sigma
Yara
TheHive
Cortex
Arkime
Suricata
Trivy
Metasploit
Burp Suite Community

Honeypots

OSSEC: An open source intrusion detection system that monitors log files, file
integrity, rootkits, and other security-related events.

Zeek: A powerful network analysis framework that can capture and analyze network
traffic and generate logs for analysis.

Wireshark: A widely-used network protocol analyzer that allows SOC analysts to
inspect network traffic in real-time and troubleshoot network issues.

Bro/Zeek IDS: A powerful network security monitoring system that can detect and
analyze network activity.

TheHive: An open source incident response platform that can be used to manage and
track security incidents. A scalable open source solution that provides a security
incident response platform (Collaborate, Elaborate, Analyze).

ELK Stack: A combination of Elasticsearch, Logstash, and Kibana, which can be used
to collect, parse, and visualize log data from multiple sources.

OpenIOC: An open source framework for sharing indicators of compromise (IOCs)
across different security tools and platforms.

Yara: A pattern matching tool that can be used to identify and classify malware and
other malicious files.

Snort: Snort is an open source intrusion detection and prevention system that can
be used to monitor network traffic for suspicious activity. SOC analysts can use
this tool to detect and respond to attacks in real-time.

Wireshark: Wireshark is an open source network protocol analyzer that allows SOC
analysts to capture and analyze network traffic. This tool is useful for detecting
network anomalies, identifying security threats, and troubleshooting network
issues.

OSSEC: OSSEC is an open source host-based intrusion detection system (HIDS) that
can be used to monitor server logs and system files for signs of suspicious
activity. SOC analysts can use this tool to detect and respond to threats on their
servers.

Suricata: Suricata is an open source intrusion detection and prevention system
(IDS/IPS) that can be used to monitor network traffic for suspicious activity. This
tool is useful for detecting and responding to network attacks in real-time.

Moloch: Moloch is an open source network packet capture and indexing system that
can be used to store and analyze large amounts of network traffic. SOC analysts can
use this tool to search for specific network events and identify security
incidents.

MISP - A threat intelligence platform that enables sharing, storing, and
correlation of indicators of compromise.

YARA - A tool used for malware detection and classification based on pattern
matching.

Nmap - A network exploration and security auditing tool that can be used for
vulnerability scanning and network mapping.

IDS, network metadata
- Suricata
- Snort
- Zeek (formerly Bro)

Full Packet Capture
- Arkime (formerly Moloch)
- Google Stenographer
- Netsniff-ng

Distributions
- Security Onion
- RockNSM

Osquery - Operating system instrumentation, monitoring, and analytics framework
driven by SQL. Supports Linux, macOS, and Windows.
Osquery exposes the operating system as a high-performance relational database,
which lets you investigate operating system state with SQL queries. Osquery's SQL
tables describe abstract notions such as running processes, loaded kernel
modules, open network connections, browser plugins, and file hashes.
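As an added illustration of the paragraph above (example queries written for this page, not taken from the osquery project's own documentation), the following osquery SQL joins three of the built-in tables it mentions: `processes`, `listening_ports` and `hash`. The table and column names used here are real osquery schema names; the analyst questions they answer (which listening services are running, and which running binaries have been deleted from disk) are the kind of triage a SOC would schedule in osqueryd or run interactively in osqueryi.

```sql
-- Added example, not from the original page. Runs in osqueryi or as a scheduled
-- query in osqueryd; tables and columns are osquery's built-in schema.

-- 1. Every process listening on a non-loopback port, the user it runs as, and
--    the SHA-256 of its executable. Joining the hash table on the process path
--    lets the result be matched against threat intelligence (e.g. MISP, YARA).
SELECT p.pid,
       p.name,
       p.path,
       p.uid,
       lp.port,
       lp.protocol,       -- 6 = TCP, 17 = UDP
       lp.address,
       h.sha256
FROM processes AS p
JOIN listening_ports AS lp ON lp.pid = p.pid
LEFT JOIN hash AS h ON h.path = p.path
WHERE lp.port != 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;

-- 2. Running processes whose executable no longer exists on disk
--    (on_disk = 0): a frequent sign of a dropped-then-deleted binary and a
--    cheap detection to schedule on every host.
SELECT pid, name, path, cmdline, parent
FROM processes
WHERE on_disk = 0;
```

The first query is deliberately a LEFT JOIN on `hash` so that processes whose binary cannot be read (for example, because it has already been removed) still appear in the result set instead of silently dropping out; the second query is the explicit check for that case.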
