Essential links for SOC Analysts

Salim Doğan CESUR
5 min read · May 21, 2022

Hi everyone. Previously, I shared an article on essential tools for SOC analysts. Here I wanted to share a link-based post: an essential inventory list for SOC analysts. SOC analysts always keep their own private inventories. Here I have listed the fundamental links that can serve as a basis and may be useful for you. I think it can be especially useful for CTI (Cyber Threat Intelligence) analysts in the SOC unit. Have a good read.

VirusTotal

VirusTotal is a well-known and frequently used service for detecting viruses, trojans and other malware. It also offers dynamic analysis for the indicator you want to analyze; VirusTotal uses Cuckoo Sandbox for this. It supports uploaded samples up to 650 MB. What sets VirusTotal apart from other solutions is that it reports results from each of the antivirus engines integrated into it, so for any indicator you analyze you can see which antivirus products detected it and which did not. Link.

Hybrid Analysis

Hybrid Analysis is a free-to-use platform for malware analysis. It performs both static and dynamic analysis, and it also reports the verdicts from CrowdStrike, MetaDefender and VirusTotal. The maximum file upload size is 100 MB. For threat hunting there are YARA and string search options in particular. Link.

MetaDefender

MetaDefender is a tool for searching domains, IP addresses, files, URLs, hashes and CVEs. The feature that most distinguishes MetaDefender from the others is CVE search (I like this feature): it shows you the resources on the CVE you search for all in one place. It has advanced sandbox scanning capabilities, with options such as operating system, duration and browser for the file you submit to the sandbox. It would not be wrong to say that MetaDefender has a strong community. Link.

AlienVault

AlienVault has always been a prominent platform thanks to its up-to-date and powerful database. It shows you other indicators related to the one you search for. If you want detailed information on an indicator, AlienVault is the right tool. It also lets you search by indicator type, such as email, mutex, URI, hostname, osquery and SSL certificate. It reports which APT groups are associated with the indicator and which industries they target. Link.

Joe Sandbox

Joe Sandbox is a sandbox solution that performs detailed analysis on your indicator and has a large malware database. For indicator searches you can view important results such as an advanced Behavior Graph, Network Map, Contacted Public IPs, Contacted Domains and Contacted URLs, so searching an indicator you hold on Joe Sandbox gives you comprehensive information. Joe Sandbox excels at presenting reports. However, you must be a member to submit an indicator that is not yet in Joe Sandbox for analysis. It offers a wide variety of sandbox options and capabilities; you can choose which OS and device types (Android, iOS) the file you want to analyze should be run on. Link.

filescan.io

filescan.io is a free IOC-based malware analysis service that you can search by file name, URL, IP, domain and hash. You can analyze suspicious URLs and files instantly by forwarding them to its sandbox. It allows uploading files up to 100 MB. During analysis it also displays results such as YARA rules, strings and MITRE techniques. Link.

ThreatFox

ThreatFox is the malicious IOC (SHA256) database platform provided by abuse.ch. The ThreatFox database is kept up to date, and it also indicates which malware family a matching malicious IOC (SHA256) belongs to. Link.

AbuseIPDB

AbuseIPDB is a useful project that lets you check an IP address or domain you consider suspicious. It carries reports and comments on IP addresses that have been flagged as malicious. Link.

URLVoid

URLVoid is a reputation checker for URLs you consider suspicious or potentially malicious. It also provides information such as DNS records and a Whois lookup for the URL you are checking. Link.

Cisco Talos

Cisco Talos is a powerful platform where you can search indicators you think may be malicious, such as an IP, domain, network owner or hostname. It displays results such as reputation and blocklist status for the indicator. In addition, Cisco Talos maintains a strong blog; the Vulnerability Reports section, for example, is extremely useful. Link.

PhishTank

PhishTank is a free anti-phishing community site where anyone can submit, verify, track and share phishing data. PhishTank is powered by the Cisco Talos Intelligence Group. Link.

MxToolbox

MxToolbox is a powerful platform for IP, domain and DNS based queries. It performs blacklist checks and lets you view records such as DMARC, SPF and PTR. It is extremely useful when investigating suspected phishing. Link.

PS: As you know, unpleasant events are taking place between Russia and Ukraine at the moment. These events had a slight influence on part of this article. I thought about adding any.run to the list, but I learned that any.run is not used by SOC analysts because it is a Russia-based solution. I’m not a racist person, but it’s up to you whether to use it or not.

The song for this article is in Spanish. Enjoy listening. Thanks for taking the time to read.
