Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
awesome-soc
A collection of sources of documentation, as well as field best practices, to build/run a SOC
https://github.com/cyb3rxp/awesome-soc
Last synced: 2 days ago
Harden SOC/CSIRT environment
Endpoints hardening:
- script
- CIS
- The forest is the AD security boundary
- image
- Wallix PAM
- Microsoft Developer virtual machines
Must read
- RedTeam resources
- Playbook for ransomware incident response
- SOC/IR hierarchy of needs
- EBIOS RM methodology
- Cyber Defense Incident Responder role
- Purple Team Assessment
- AV / EP / EPP / EDR / XDR
- Security bastion (PAM) and Active Directory tiering mode: how to reconcile the two paradigms?
- List of Windows APIs and their potential use in offensive security
- OpenIOC format
- TaHiTI (threat hunting methodology)
- Improving Social Maturity of Cybersecurity Incident Response Teams
- Awesome CyberSecurity BlueTeam
- Windows 10 and Windows Server 2016 security auditing and monitoring reference
- How to manage false positives (FP) in a SOC?
- AD post-compromise checklist
- Market guide for NDR
- Resources inventory
- Best practices for AD disaster recovery
- Isolate Tier 0 assets with group policy
- How to be compliant with NIS2?
- Mitre Engenuity Evaluations 2022 review
- 11 strategies for a world-class SOC (remainder of the PDF)
- Awesome Threat Intel
Critical tools for CSIRT
SOC architecture of detection
- UAC
- BloodHound Community
- CrowdStrike Reporting Tool for Azure
- 365Inspect
- FastIR
- [FireEye Redline](https://fireeye.market/apps/211364)
- [DFIR-ORC](https://github.com/dfir-orc)
- CIMSweep
- [GRR](https://github.com/google/grr), but it needs an agent to be installed
- Loki
- Tiny Check
- Yara-rules GitHub repo
- Yara rules repo
- Community Yara rules
- Joe's sandbox, etc.
- automation
- SIFT Workstation
- Remnux
- Timesketch
- CTI's repo
- FireEye Flare-VM
- ScoutSuite
- Olaf Hartong's config
- Zircolite
- DeepBlueCLI
- [CrowdSec](https://doc.crowdsec.net/docs/user_guides/replay_mode)
- Sekoia XDR
- Thor Cloud lite
- WithSecure Elements EDR
- Cat-Scale
- Sysinspector
- Velociraptor
- Sysmon
- Semperis Purple Knight
- ADRecon
- Azure AD Incident Response Powershell
- Windows Defender Offline
SOC/CSIRT architecture of detection
Nice to read
- Awesome Security Resources
- Digital Forensics Incident Response Git
- Incident playbook
- Microsoft Sentinel queries
- SP800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations)
- AWS Security Fundamentals
- Business Impact Assessment
- RACI template (in French)
- XDR Gartner market guide
- V1D1AN's Drawing: architecture of detection
- RFC2350
- Incident Response & Computer Forensics, 3rd ed
- GDPR cybersecurity implications (in French)
- SANS SOC survey 2022
- Cybersecurity incident and vulnerability response playbooks
- MS Sentinel architecture and recommendations for MSSP
- PAM Magic Quadrant reprint
- Tools inventory
- command line reference
- Sentinel data collection scenarios
- SOCTOM
- Analyzing MITRE ATT&CK evaluations 2023
- PTES
- WSTG
- Licensing maps, e.g. for Defender
Other critical tools for a SOC and a CERT/CSIRT
- CyberChef
- Azure AD Internals suite
- Sysinternals suite
- [MRemoteNG](https://mremoteng.org/)
- GitLab
- OneTimeSecret
- Microsoft SharePoint
- OSINTracker
- LinkedIn Information Security Community group
- EMCO Remote installer
SOC sensors, nice to have
Recommended sources
- Michel De Crevoisier's Git
- Netvibes
- Sigma HQ (detection rules)
- Splunk Security content (free detection rules for Splunk)
- SOC Prime
- CERT-FR
- [US-CERT alerts](https://www.cisa.gov/uscert/ncas/alerts)
- CISA catalog
- CVETrends
- Top 0days "in the wild"
- ISC
- Xposed
- TheRecord.media
For a SOC
For a CERT/CSIRT
- IR lessons on cloud ID compromise
- ForensicsArtefacts
- CERT-in-a-box
- CSIRT Services Framework
- Good practice for incident management
- Incident Response whitepaper
- SP800-86, integrating forensics techniques into IR
- Incident response reference guide
- Security incident management according to ISO 27005
- Incident Response Playbook: Dark Web Breaches
- IR playbooks
- IR Mitigations tasks
Globally (SOC and CERT/CSIRT)
- Blue Team Notes
- SP800-61 rev3, incident handling guide
- Mappings explorer
- SaaS attack matrix
- Threat Matrix for Azure Storage services
- Threat Matrix for AI-systems
- Best practices for automating SecOps workflow
- "While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack... initial investigations suggest that an error in the implementation of our defences amplified the impact of the attack rather than mitigating it"
- Security 360
- Cybersecurity framework
- How to set up a CSIRT and SOC
- SP800-61 rev2, incident handling guide
- ATT&CK: Getting started
- SIRP / SOA / TIP benefits
- Cyber Threat readiness report 2023
- Market Guide for Security Orchestration, Automation and Response Solutions
- Security orchestration for dummies
- CVSS v4 specs
- STIX
- TLP
- 18 critical security controls
- Cybersecurity business value benchmark
- NIS2, how to address the security control gaps
- Compromise assessment methodology
- NIS2 10 main requirements
- What is SecOps
- Visual Threat Intelligence
- CSIRT, SOC, ISAC and PSIRT definitions
- How will NIS2 impact your organization?
SOC and CSIRT core
From logs to alerts: global generic workflow
SOC core
Critical tools for a SOC/CSIRT
- Gartner magic quadrant
- IBM Resilient
- [SwimLane](https://swimlane.com/)
- [PAN Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar)
- TIP
- Gartner magic quadrant
- SOA
- SIEM
- overview of SOAR providers
- Microsoft Azure Sentinel
- [Splunk](https://www.splunk.com)
- [Graylog](https://graylog.org/)
- Gartner magic quadrant
- SOAR Data quadrant awards
Critical sensors for a SOC
- Gartner magic quadrant
- Gartner magic quadrant
- MITRE Engenuity
- [Forrester Wave](https://www.crowdstrike.com/resources/reports/crowdstrike-recognized-as-dominant-endpoint-solution-with-superior-vision/)
- Endpoint Detection and Response
- Microsoft Defender for Office365
- [Mimecast](https://www.mimecast.com/products/email-security/secure-email-gateway/)
- [WithSecure Elements Collaboration Protection](https://www.withsecure.com/en/solutions/software-and-services/elements-collaboration-protection)
- Gartner reviews and ratings
- Gartner magic quadrant
- Forrester Wave for endpoint security, Q4 2023
- Microsoft Defender
- [BitDefender](https://www.bitdefender.fr/business/products/workstation-security.html)
- SentinelOne
- Microsoft Defender for Endpoint
- [Harfanglab](https://www.harfanglab.io/en/block-cyberattacks)
- [ESET XDR](https://www.eset.com/int/business/enterprise-protection-bundle/)
- [WithSecure Elements EDR](https://www.withsecure.com/us-en/solutions/software-and-services/elements-endpoint-detection-and-response)
- [CrowdStrike Falcon EDR](https://www.crowdstrike.com/wp-content/uploads/2022/03/crowdstrike-falcon-insight-data-sheet.pdf)
- [Tanium](https://www.tanium.com/products/tanium-threat-response/)
- [Wazuh](https://wazuh.com/)
- Secure Web Gateway
- Gartner magic quadrant
- BlueCoat Edge SWG
- [Zscaler Cloud proxy](https://www.zscaler.com/resources/security-terms-glossary/what-is-cloud-proxy)
- [Netskope](https://www.netskope.com/security-defined/what-is-casb)
- Identity Threat Detection and Response
- Semperis Directory Services Protector
- Intrinsec (in French)
- [Qualys EASM](https://www.qualys.com/apps/external-attack-surface-management/)
- ImmuniWeb
- Cloud Access Security Broker
- Gartner magic quadrant
- Microsoft MCAS
- [Netskope](https://www.netskope.com/security-defined/what-is-casb)
- AD decoy accounts
- Semperis Purple Knight
- Secure Email Gateway
- Forrester wave for SSE
- Identity Threat Detection and Response
Disconnect (as much as possible) SOC from monitored environment
Have a single and centralized platform ('single console')