Security Operations Centre (SOC) analysts leverage various open-source tools to monitor threats, investigate incidents, and automate responses. Below is a structured list of commonly used open-source tools, categorised by their primary function. Each tool’s core capabilities, typical SOC use cases, notable strengths, and integration support are described in formal British English.
Security Information and Event Management (SIEM)
Elastic Stack (ELK / OpenSearch)
Log aggregation and analytics.
The Elastic Stack (Elasticsearch, Logstash, Kibana) is a popular foundation for open-source SIEM solutions. It collects and indexes logs from multiple sources, allowing analysts to search and visualise events in real time. While not a SIEM by itself (lacks built-in correlation/alerting out-of-the-box), its flexibility and scalability make it a core component in many SOCs. Typical use cases include centralised log management, dashboarding of security events, and ad-hoc threat hunting via Kibana queries. Strengths of ELK include a large community and plugin ecosystem, and it often integrates with other tools (e.g. Beats agents for data shipping and alerting add-ons). OpenSearch, a fork of Elasticsearch, offers a fully open-source alternative with similar capabilities and is likewise used in SOC deployments.
Wazuh
Unified SIEM and endpoint security platform.
Wazuh is a free open-source security platform that unifies SIEM and extended detection & response (XDR) for endpoints and cloud workloads. It builds on a host-based agent (forked from OSSEC) to collect logs, monitor file integrity, detect malware, and send events to a central SIEM server. In day-to-day SOC operations, Wazuh provides monitoring, threat alerting, and automated responses across diverse environments. Its notable strengths include a powerful rules engine for correlating events, compliance auditing features, and a broad community adoption (recognised as a Best SIEM Solution 2023 by SC Media). Wazuh is highly integrative – it uses the Elastic Stack for storage/visualisation and supports integration with external tools and threat intelligence feeds. (For example, it can forward alerts to ticketing systems or ingest third-party threat intel, helping analysts respond faster.)
OSSIM (AlienVault OSSIM)
All-in-one open-source SIEM.
OSSIM is an open-source Security Information Management platform that combines multiple open tools for event collection, normalisation, and correlation. It includes asset discovery, vulnerability scanning, host intrusion detection (OSSEC), network IDS (Snort), and event correlation engines in one package. SOC analysts use OSSIM in small to medium environments to aggregate security data and generate alerts on correlated threats (e.g. an IDS alert from Snort combined with a suspicious host log triggers an incident alarm). A strength of OSSIM is this integrated approach – providing “SIEM event correlation, intrusion detection, and behavioural monitoring” in a unified console. However, it can suffer performance issues at scale. OSSIM supports output to AlienVault’s Open Threat Exchange and can integrate with other tools for extended capabilities. It has been a long-standing open SIEM choice, indicating a mature community and ample documentation for SOC teams.
Graylog
Centralised log management and analysis.
Graylog is an open-source log management solution often used as a lightweight SIEM for SOC needs. It enables teams to collect, store, and analyse log data from various systems to answer security and IT questions. In practice, SOC analysts use Graylog’s web interface to search through logs (e.g. firewall events, Windows logs) and set up alerts for notable events. Its strengths include a user-friendly interface, support for complex queries with quick filtering, and the ability to build custom dashboards for monitoring key security metrics. Graylog also has a plugin architecture and content packs contributed by the community, making it extensible. Notably, it can integrate with other SOC tools. For example, Graylog can send alerts to TheHive (an open IR platform) to create incidents, and it supports ingesting threat intelligence or enrichment data via pipelines. Its open community edition is free, which makes Graylog attractive to organisations with limited budgets while still providing robust log analysis capabilities.
Security Onion
SOC-in-a-box (intrusion detection and monitoring distro).
Security Onion is an open-source Linux distribution for enterprise security monitoring, intrusion detection, and log management. It bundles several best-of-breed tools: for instance, it includes Suricata for network IDS, Zeek for network traffic analysis, OSSEC/Wazuh for host monitoring, and Elasticsearch/Kibana for log search and visualisation. In daily SOC use, Security Onion serves as an all-in-one platform where analysts can deploy sensors and immediately start receiving IDS alerts, network session logs, and system logs in a unified interface. It provides a powerful correlation engine and user-friendly dashboards to detect and respond to real-time incidents. The distribution is maintained by security professionals and has a strong community; it is free and open, lowering the barrier to entry for organisations building a SOC. Integration is a key strength – Security Onion’s components integrate out-of-the-box (e.g. Suricata alerts are indexed into Elastic and linked with PCAP data for packet drill-down). It can also integrate with external systems (for example, sending alerts to an external SIEM or SOAR if needed). Overall, Security Onion is valued for providing a comprehensive open-source SOC framework that analysts can use for threat hunting and incident detection without assembling each tool manually.
Intrusion Detection and Prevention Systems (IDS/IPS)
Snort
Network intrusion detection/prevention system.
Snort is an open-source network IDS/IPS that monitors real-time network traffic to identify potentially malicious activities. It uses a rule-driven engine combining signature, protocol, and anomaly-based inspection to detect threats and block attacks in IPS mode. SOC analysts deploy Snort sensors to sniff network segments and generate alerts when suspicious patterns (e.g. malware signatures or port scans) are observed. Typical use cases include detecting known exploits, malware command-and-control traffic, or policy violations on the network. Snort’s notable strength is its long-standing community and maturity – it is “the world’s most widely deployed IDS/IPS technology” with millions of downloads and thousands of users. This means there is a rich repository of community-contributed rule sets (such as Emerging Threats) and continuous updates for new threats. Snort alerts are often integrated with SIEM platforms or SOC dashboards so that analysts can correlate them with other events. Its widespread adoption also ensures compatibility with many tools (for example, Security Onion includes Snort/Suricata, and Snort can feed into tools like Sguil or Splunk for alert management). Overall, Snort provides dependable network threat detection and is a de facto standard in open-source IPS.
Suricata
Next-generation multi-threaded IDS/IPS & network monitoring.
Suricata is a free, open-source network threat detection engine capable of real-time intrusion detection (IDS), in-line intrusion prevention, and network security monitoring. Developed by the Open Information Security Foundation, Suricata can use the same rule syntax as Snort but offers modern advantages like multi-threading (it can leverage multiple CPU cores for higher throughput). In SOC operations, Suricata detects network-borne threats – from known malware signatures to anomalous traffic patterns – and can alert or drop malicious traffic when configured as an IPS. It also produces rich protocol logs (HTTP requests, DNS queries, TLS handshakes, etc.), serving as a network sensor for broader security monitoring. Suricata’s strengths include its performance and versatility: it’s considered “mature, fast, and robust” and can handle high-bandwidth environments through multi-threading and GPU acceleration. It supports deep packet inspection with a robust ruleset and has Lua scripting for complex detections. Suricata integrates well in SOC ecosystems – it outputs structured alerts (e.g. in JSON) that can be fed to SIEMs, and it’s commonly part of platforms like Security Onion. Moreover, its developers and community regularly update official rule sets and threat intelligence integrations. With Suricata, analysts benefit from signature-based and anomaly-based detections, improving their ability to catch advanced attacks in real time.
Zeek (Bro)
Network security monitoring and analysis framework.
Zeek (formerly known as Bro) is an open-source passive network traffic analyser and security monitor. Unlike traditional IDS, Zeek doesn’t primarily rely on signature rules; instead, it logs comprehensive details about network sessions and allows custom scripting to detect suspicious behaviours. In a SOC context, Zeek is deployed on network taps or SPAN ports to record rich metadata – for example, it will log all HTTP requests (URLs, headers), DNS queries and responses, SSL certificates, file hashes transferred, and more. Analysts use these Zeek logs for incident investigations (it provides a high-fidelity activity record) and threat hunting (looking for anomalies like beaconing, new domains, etc.). Zeek can also be scripted to generate alerts for patterns (e.g. detecting a probable port scan or a malware infection by unusual protocol use). Key strengths of Zeek include its extensibility and depth of analysis. It is a network analysis framework with a Turing-complete scripting language, allowing SOC teams to write custom detection logic tailored to their environment. It has a strong community (initially developed at a national lab and now maintained by an international community) and is considered a leading platform for network security monitoring. Zeek often operates alongside IDS tools – for example, running parallel to Suricata – to provide context and anomaly detection that signature-based systems might miss. Integration-wise, Zeek output logs are easily ingested into SIEMs or big data platforms (often in JSON). Many SOCs integrate Zeek with Elasticsearch or Splunk for querying, and it can feed threat intelligence frameworks by exporting observed indicators. Overall, Zeek empowers analysts with deep insight into network behaviour and complements other IDS/IPS by catching “unknown” or bespoke threats via behavioural analysis.
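The beaconing hunt mentioned above, as an added example that is not part of the original article or of the Zeek project: it reads Zeek conn.log records in JSON form (the standard ts, id.orig_h, id.resp_h, id.resp_p fields) and flags source/destination pairs whose connection intervals are suspiciously regular. The sample log lines, hosts and thresholds are constructed for the example.

```python
"""Beaconing hunt over Zeek conn.log written as JSON lines.

A fixed-period callback to a command-and-control server produces connections
whose inter-arrival times barely vary; human browsing does not. The check
below scores each (orig_h, resp_h, resp_p) tuple by the coefficient of
variation (stdev / mean) of its gaps and reports the near-constant ones.
"""
import json
import statistics
from collections import defaultdict


def _conn_line(ts, orig_h, resp_h, resp_p, proto="tcp"):
    """Build one Zeek conn.log JSON record (constructed test data only)."""
    return json.dumps({
        "ts": ts, "uid": "C%d" % int(ts),           # Zeek logs ts as epoch float
        "id.orig_h": orig_h, "id.orig_p": 51000,
        "id.resp_h": resp_h, "id.resp_p": resp_p,
        "proto": proto, "conn_state": "SF",
    })


BASE = 1_700_000_000.0
# Constructed sample: 10.0.0.5 calls 203.0.113.7:443 every 60 s with tiny jitter
# (beacon-like), while 10.0.0.9 reaches 198.51.100.20:443 at irregular times.
SAMPLE_CONN_LOG = [
    *(_conn_line(BASE + 60 * i + (0.3 if i % 2 else -0.2),
                 "10.0.0.5", "203.0.113.7", 443) for i in range(10)),
    *(_conn_line(BASE + off, "10.0.0.9", "198.51.100.20", 443)
      for off in (0, 4, 90, 95, 300, 610, 611, 1500, 1505, 2400)),
]


def find_beacons(lines, min_conns=8, max_cv=0.1):
    """Return (orig_h, resp_h, resp_p, count, mean_gap_s, cv) tuples for pairs
    with at least min_conns connections whose gap cv is at most max_cv.

    Thresholds are example values: tune min_conns to the log window and
    max_cv to how much jitter the implants seen in your environment add.
    """
    times = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        times[key].append(float(rec["ts"]))

    hits = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:          # duplicate timestamps only; nothing to score
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((*key, len(ts), round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for orig_h, resp_h, resp_p, n, mean_gap, cv in find_beacons(SAMPLE_CONN_LOG):
        print(f"{orig_h} -> {resp_h}:{resp_p}  {n} conns, every ~{mean_gap}s, cv={cv}")
```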
Endpoint Detection and Response (EDR) and Host Security
OSSEC
Host intrusion detection and endpoint security.
OSSEC is an open-source host-based intrusion detection system (HIDS) that performs log analysis, file integrity monitoring, Windows registry monitoring, rootkit detection, and real-time alerting on endpoints. In modern form, OSSEC is often deployed via the Wazuh platform (Wazuh forked OSSEC and extended it), so the agent is commonly referred to as the Wazuh agent. SOC analysts use OSSEC/Wazuh agents on servers and workstations to detect unauthorised changes or suspicious activities – for example, modifications to critical system files, new user accounts, or suspicious processes. The agent analyses local logs and system events, then sends alerts to a central server for correlation. Core capabilities include log-based intrusion detection, file integrity checks (triggering alerts if key files or registries are altered), and active response (it can execute scripts to counteract threats, such as blocking an IP on the host’s firewall when an intrusion is detected). Notable strengths are its lightweight footprint and broad OS compatibility (Windows, Linux, macOS, *BSD, Solaris, etc.), as well as its compliance modules and extensive default rule sets. OSSEC/Wazuh has a large community and is used by many organisations for endpoint monitoring due to its open-source nature and proven reliability. It also supports integration with other platforms – for instance, OSSEC alerts can be forwarded to SIEM tools or correlated within Wazuh’s centralised SIEM dashboard. In practice, OSSEC (via Wazuh) acts as an endpoint sensor complementing network controls: it gives the SOC visibility into host-level indicators (like file changes or malware found) that can be tied into broader incident detection and response.
Osquery
Endpoint visibility and query engine.
Osquery is an open-source tool (originally from Facebook) that turns the operating system into a searchable database, letting analysts query system state using SQL-like syntax. Essentially, it exposes tables for things like running processes, loaded kernel modules, open network connections, installed software, etc., and allows ad-hoc or scheduled queries across endpoints. In a SOC, Osquery is used for both threat hunting and incident response on endpoints: analysts can quickly gather information such as “which machines have a process named X running?” or “list all autorun registry entries on these hosts” by writing simple SQL queries. Core capabilities include live querying via an interactive console and an osqueryd daemon for continuous monitoring and logging of query results. Notable strengths are its flexibility and universality – Osquery is highly extensible and cross-platform (Windows, Linux, macOS). It provides detailed visibility without needing multiple disparate tools (one can query users, processes, network artefacts, etc., all in one place). SOC teams often integrate Osquery with management frameworks like Fleet to coordinate queries across thousands of endpoints and aggregate results centrally. Osquery’s scheduled query feature allows it to act in an EDR-like capacity, for example by running a query every hour to detect new autoruns or known malicious hashes and then sending alerts to a SIEM. Its community is active, and many open-source queries (packs) and integrations exist (including ties into Splunk, Elastic, and SIEM dashboards). In summary, Osquery’s core use in day-to-day operations is to empower analysts to ask arbitrary questions of endpoint data at scale, greatly aiding investigations and proactive threat hunting with an open-source approach.
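The hourly autorun / malicious-hash check described above, as an added example that is not from the article or the osquery project: a scheduled-query pack (the table names startup_items, processes and hash are osquery's own; the pack name and intervals are chosen for the example) and a triage step that turns osqueryd's differential result lines into alerts for the SIEM. The result lines and the hash watchlist are constructed.

```python
"""osquery scheduled-query pack plus triage of its differential results.

osqueryd logs each scheduled query as a diff: one JSON line per row that was
"added" or "removed" since the last run, named pack_<pack>_<query>. Only
"added" rows are interesting here: a new autorun entry, or a running process
whose on-disk image hashes to something on the watchlist.
"""
import json

# Pack to drop into osquery's packs directory (constructed for this example).
# The processes/hash join makes osquery hash each running image on the host.
AUTORUN_PACK = {
    "platform": "all",
    "queries": {
        "startup_items": {
            "query": "SELECT name, path, source, username FROM startup_items;",
            "interval": 3600,
            "description": "Autorun entries; diff shows new/removed ones",
        },
        "process_hashes": {
            "query": ("SELECT p.pid, p.name, p.path, h.sha256 "
                      "FROM processes p JOIN hash h ON h.path = p.path "
                      "WHERE p.path != '';"),
            "interval": 3600,
            "description": "Running processes with SHA-256 of their image",
        },
    },
}

# Constructed SHA-256 watchlist (placeholder digests, not real indicators).
WATCHLIST = {"b" * 64, "c" * 64}


def _result_line(query, action, columns, host="ws-042"):
    """One osqueryd.results.log differential record (constructed test data)."""
    return json.dumps({"name": "pack_autorun_pack_" + query, "hostIdentifier": host,
                       "unixTime": 1_700_000_000, "action": action, "columns": columns})


SAMPLE_RESULTS = [
    _result_line("startup_items", "added",
                 {"name": "Updater", "path": "C:\\Users\\alice\\AppData\\upd.exe",
                  "source": "HKCU\\...\\Run", "username": "alice"}),
    _result_line("startup_items", "removed",
                 {"name": "OldTool", "path": "C:\\old.exe", "source": "", "username": ""}),
    _result_line("process_hashes", "added",
                 {"pid": "4242", "name": "svch0st.exe", "path": "C:\\Temp\\svch0st.exe",
                  "sha256": "b" * 64}),
    _result_line("process_hashes", "added",
                 {"pid": "100", "name": "explorer.exe", "path": "C:\\Windows\\explorer.exe",
                  "sha256": "a" * 64}),
]


def triage_results(lines, bad_sha256=WATCHLIST):
    """Return SIEM-ready alert dicts for the lines that warrant attention."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("action") != "added":      # removals are informational only
            continue
        cols, query = rec.get("columns", {}), rec.get("name", "")
        base = {"host": rec.get("hostIdentifier"), "time": rec.get("unixTime"), "query": query}
        if query.endswith("_startup_items"):
            alerts.append({**base, "severity": "medium", "reason": "new autorun entry",
                           "detail": f'{cols.get("name")} -> {cols.get("path")}'})
        elif query.endswith("_process_hashes") and cols.get("sha256", "").lower() in bad_sha256:
            alerts.append({**base, "severity": "high", "reason": "process matches hash watchlist",
                           "detail": f'pid {cols.get("pid")} {cols.get("path")}'})
    return alerts


if __name__ == "__main__":
    print(json.dumps(AUTORUN_PACK, indent=2))
    for alert in triage_results(SAMPLE_RESULTS):
        print(alert)
```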
Velociraptor
Endpoint forensics and hunting platform.
Velociraptor is an open-source digital forensics and incident response (DFIR) tool that gives investigators deep visibility into endpoints in a scalable way. It uses a powerful query language (VQL) to collect forensic artefacts (event logs, registry keys, memory dumps, etc.) from endpoints on demand or on a schedule. In a SOC, Velociraptor serves as an endpoint detection and response aid by allowing rapid triage of many machines during threat hunts or incidents. For example, if an IOC (indicator of compromise) like a file hash or mutex is discovered, analysts can use Velociraptor to sweep across all endpoints for that IOC in minutes. Typical use cases include: enterprise-wide threat hunting (searching for traces of an attacker’s tools or techniques), remote digital forensic collection (gathering files, memory, or usage artefacts from a suspect host), and even containment actions (it can kill processes or isolate hosts if scripted to do so). Velociraptor’s notable strengths are its speed, scalability, and community-driven library. It is designed to handle large deployments (50,000+ endpoints) efficiently, making it suitable for enterprise SOCs. It boasts many features akin to commercial EDR solutions, such as an interactive hunt interface, pre-built “hunt packs” for common attacks, live endpoint monitoring, and an active community contributing detection content. Velociraptor integrates well with SOC workflows: it can be used alongside SIEM alerts (e.g. when a SIEM alert flags a host, analysts use Velociraptor to pull additional evidence from that host). It exports data to analysis tools like timelines or Splunk. Rapid7’s backing of the project also provides professional support options. In sum, Velociraptor enables comprehensive endpoint querying and automated investigation across the fleet, empowering SOC teams to respond quickly and with forensic precision to emerging threats.
OpenEDR
Open-source endpoint detection & response platform.
OpenEDR (by Xcitium, formerly Comodo) is an open-source EDR solution offering real-time endpoint monitoring, threat detection, and automated response capabilities. It continuously collects telemetry on endpoint behaviours (process creation, network connections, file changes, etc.) and uses analytic detection to identify malicious activity, mapping findings to the MITRE ATT&CK framework. In practice, a SOC can deploy OpenEDR agents to endpoints to get immediate alerts on suspicious behaviour (for example, a user launching a known ransomware executable could trigger an alert and automated containment). Its core features include real-time analytics to flag threats, an automated response engine that can instantly isolate or remediate compromised machines, and detailed incident analysis logging. A notable strength of OpenEDR is its transparency and control at zero cost – it markets enterprise-grade security features (like anti-malware, firewall, and script blocking) in an open platform. This means organisations can inspect and customise how the EDR works internally. Community adoption is growing, given its relatively newer status; however, it’s backed by a security vendor and provides integration capabilities with other tools. For instance, OpenEDR supports seamless integrations with existing SIEM or SOAR platforms to unify into a broader security ecosystem. Analysts benefit by having EDR alerts feed into their central dashboards and orchestrating response workflows that include OpenEDR actions. In summary, OpenEDR adds an open-source option in the traditionally proprietary EDR space, allowing SOC teams (especially those with limited budgets) to deploy advanced endpoint threat detection and automated defence across their organisation.
Threat Intelligence Platforms
MISP (Malware Information Sharing Platform)
Threat intelligence sharing and correlation.
MISP is an open-source platform for collecting, storing, and sharing cybersecurity threat indicators and intelligence. It is designed by and for incident analysts and threat intelligence teams to support day-to-day operations by efficiently sharing structured information about attacks (malware samples, threat actor tactics, Indicators of Compromise, etc.). In a SOC environment, MISP serves as the central repository of threat intel: analysts use it to import threat feeds, catalogue IOCs observed in incidents, and correlate new events with known indicators. For example, if a SOC analyst finds a suspicious IP or hash during an investigation, they can query MISP to see if it’s associated with known campaigns or if peers have seen it. MISP’s core capabilities include automated correlation (it links events that share attributes to highlight trends), support for open standards (STIX, TAXII, etc.) to facilitate intel exchange, and a flexible tagging system to classify threats. A significant strength of MISP is its strong community adoption: it is widely used by CERTs, CSIRTs, and organisations globally to share threat data, forming trust groups that collaboratively defend against threats. This community aspect means a SOC can receive timely intel from similar organisations (e.g. industries or regions) via MISP. Integration is well-supported – MISP can export indicators in formats ready for IDS, SIEM, or endpoint controls (automated exports to Suricata, Bro/Zeek, or Splunk are common). It also integrates with workflow tools like TheHive for automated incident enrichment. In summary, MISP significantly enhances a SOC’s threat intelligence capability by enabling “sharing, storing and correlating indicators of compromise and threat data” openly and collaboratively, helping analysts detect attacks faster using shared knowledge.
OpenCTI
Open Cyber Threat Intelligence platform.
OpenCTI is an open-source platform for managing and analysing cyber threat intelligence knowledge in a structured way. Developed with support from the French national cybersecurity agency, OpenCTI is a central knowledge base where organisations can store information on threat actors, campaigns, TTPs (tactics, techniques, procedures), and observables. In a SOC, OpenCTI is used to contextualise and track threats: analysts can record details about incidents or adversaries (e.g. attribution data, related vulnerabilities, intrusion sets) and explore relationships between them via graphs. For instance, an analyst investigating a phishing attack might use OpenCTI to link the indicators (domains, hashes) to known threat actor profiles or previous incidents. Core capabilities include the ability to store, organise, share, and correlate threat intel in an interconnected manner – it treats intel as entities (attack techniques, malware, identities, etc.) that can be related, visualised, and queried. One of OpenCTI’s strengths is its support for open standards and integration: it uses a graph database and can import/export in STIX 2.0 format, allowing it to work with other intel feeds and tools. It also provides connectors to integrate with external sources (for automated data ingestion from feeds like MISP, VirusTotal, MITRE ATT&CK, etc.) and ticketing or SIEM systems. The platform offers real-time collaboration features and an API for customisation. OpenCTI is newer than MISP, but it addresses not just indicators but the higher-level intelligence (who is attacking, why, how) – this helps SOC teams with strategic decisions and threat hunting. Community adoption is growing, particularly among organisations that want an open-source Threat Intelligence Platform (TIP) with rich relationships and visualisations.
Typically, OpenCTI might be used with MISP (for IOC sharing) – with MISP feeding raw indicators into OpenCTI, and OpenCTI handling the contextual threat knowledge base. This combination gives analysts both the micro (IOCs) and macro (threat actor context) views of threat intelligence.
Yeti
Threat intelligence collation and research tool.
Yeti is another open-source threat intel platform (less widespread than MISP/OpenCTI, but used in some SOCs) focused on analysing and sharing observables. Its goal is to let analysts record observables (domains, IPs, hashes, etc.), enrich them from external sources, and derive relationships to threat actors or malware. In SOC operations, Yeti can be used as a lightweight system to pivot on indicators quickly: e.g. an analyst can input a suspicious domain, have Yeti automatically pull DNS records, WHOIS, passive DNS, etc., and determine if it matches known malware campaigns. Yeti’s strengths lie in its support for automation and scripting; it provides a REST API and can integrate with analysers to enrich data. It also has a knowledge base concept where familiar entities (like threat actors or TTPs) can be linked to observables. While not as feature-rich as MISP or OpenCTI, Yeti is valued for quick analyses and as an internal team TI repository. It supports integration by allowing data export in formats like STIX and has connectors to feeds (so it can act as a mini-TIP feeding your SIEM or SOAR). The community around Yeti is smaller, but it’s an active, open project. Notably, some SOCs use Yeti as an ad-hoc research tool. When investigating an alert, an analyst might use Yeti to gather all intel on related IOCs and then share findings from Yeti in reports or tickets. In essence, Yeti fills the niche of helping analysts “discover, organise, and share knowledge on threats” (its design philosophy as described by its authors), complementing larger platforms and improving an organisation’s threat intelligence maturity.
Log Management and Analysis
Graylog
Log aggregation and search platform.
(Also listed under SIEM above) Graylog is widely used for centralised log management. It provides a convenient UI and query language for analysts to sift through log data from various systems in one place. When investigating an alert, a SOC analyst might use Graylog to search for specific events (e.g., all login failures for a user, or all firewall denies to a specific port). Graylog’s ability to parse and normalise logs from many sources (servers, network devices, apps) means it often acts as the “single source of truth” for event data in the SOC. Its strengths include ease of installation and use, real-time search with auto-complete, and the ability to build custom dashboards for monitoring trends. Graylog supports role-based access and can be extended with content packs for specific use cases (like Windows Security logging or AWS monitoring). Integration is a notable aspect: Graylog can output alerts via email or HTTP, and it’s not uncommon to integrate it with incident response platforms. As mentioned, one standard integration is with TheHive (SOAR), where Graylog alerts automatically generate cases in TheHive for analysts to investigate. Additionally, Graylog can ingest threat intelligence (via lookups or pipelines) to tag logs with context (for example, marking if an IP in a log entry is on a blacklist). In summary, Graylog in a SOC provides the logging backbone – fast and centralised log analysis – crucial for detecting and analysing security incidents.
Elasticsearch (and Beats/Logstash)
Scalable log storage and search.
Elasticsearch is the search engine at the heart of ELK/OpenSearch stacks, often used for storing huge volumes of log and event data. In a SOC, Elasticsearch (accessed via Kibana or OpenSearch Dashboards) is used to query logs and metrics across extensive periods and datasets. Its schema-free JSON indexing allows for versatile queries, powering everything from simple keyword searches to complex aggregations for anomaly detection. Beats (like Filebeat, Winlogbeat) and Logstash are data collectors that ship logs from endpoints and network devices into Elasticsearch. Together, these components form an open-source log pipeline and storage solution. Analysts benefit by being able to run quick searches even on terabytes of data – e.g. “find all occurrences of this IOC in our logs for the last 90 days” – which is essential for incident scoping and threat hunting. The ELK stack’s strength is in its scalability and speed; it’s built to handle enterprise log rates. While ELK is not a complete SIEM, many open SIEMs (Wazuh, OSSIM, Security Onion) rely on it underneath. Integration-wise, Elasticsearch can integrate with virtually any tool that speaks its REST/SQL API. SOC automation tools might query Elasticsearch directly for data (for reports or playbooks), and SIEM correlation engines often store results in Elasticsearch. Kibana also allows for embedding threat intel feeds (via watchlists) or linking them to other systems (like drilling down from a log entry to an external virus scan result). Overall, the Elastic Stack provides the foundational log management that many other SOC tools build upon, enabling high-performance search and analytics on security data.
Fluentd / Fluent Bit
Log aggregation and forwarding.
Fluentd and its lighter version, Fluent Bit, are open-source log collectors often used in cloud-native environments to route logs from various sources to storage or analysis systems. In SOC operations, these tools aren’t directly analyst-facing but play a vital role in ensuring security logs from applications, containers, and servers arrive in the SIEM or logging platform. For example, Fluentd might collect Kubernetes audit logs or web server logs, tag them (adding metadata like environment or application name), and forward them to Elasticsearch or Graylog, where analysts can review them. The strength of Fluentd is its flexibility with data sources and outputs – it supports dozens of plugins, which is helpful in modern infrastructures where logs come in different formats (JSON, syslog, etc.). Using Fluentd/Fluent Bit, a SOC can unify logging across microservices and traditional systems, so no security-relevant event is missed. Integration is essentially the purpose of these tools: they sit between log producers and consumers. They integrate with message queues, cloud services, and databases, enabling complex routing (e.g., send a copy of logs to an S3 archive, another to Splunk for analysis). While analysts might not interact with Fluentd directly, they benefit from its reliable log ingestion. Notably, Fluentd ensures that the logs seen in SIEM dashboards are comprehensive and enriched, which improves detection (for instance, adding Kubernetes pod labels to logs can help identify which application was targeted in an attack). In summary, Fluentd/Fluent Bit acts as the plumbing for log management in open-source SOC setups, ensuring that data from everywhere flows into the hands of the analysts.
Syslog-ng / Rsyslog
System log collectors and forwarders.
These are venerable open-source logging daemons on Linux/Unix systems that aggregate and forward system logs. In a SOC context, they are configured on servers, network devices, and appliances to send their event logs (auth logs, error logs, etc.) to a central log server or SIEM. For example, an organisation might use Rsyslog on all Linux servers to stream real-time logs to a Security Onion box for analysis. Their core capability is reliable log transport and basic filtering. Strengths include performance (able to handle high log volumes) and widespread support (almost all devices speak syslog protocol, which Rsyslog/Syslog-ng can receive). They can buffer logs during network outages, sign or encrypt logs for integrity, and do simple parsing. These tools integrate by design; they are often the first hop in a logging pipeline (e.g., Rsyslog collects local logs, then forwards to Logstash or Fluentd for further processing). For SOC analysts, a well-tuned syslog infrastructure means that whenever they query logs in their SIEM, they trust that all devices are feeding in via syslog. While not “exciting,” these open-source loggers are critical: misconfigurations here could mean missing security events. Thus, they are part of the SOC toolkit to ensure complete log visibility, feeding data into the more user-facing analysis tools described above.
Network Traffic Analysis and Forensics
Wireshark
Packet analyser for deep network inspection.
Wireshark is the world’s most popular open-source packet analysis tool. It allows SOC analysts to capture network traffic (or load existing packet capture files) and interactively inspect protocols down to the bit level. In daily operations, Wireshark is used for incident investigation when more details are needed than an IDS alert provides. For example, if Suricata flags an odd HTTP session, an analyst might use Wireshark on the packet capture to see the actual payload or transferred file. Wireshark supports hundreds of protocols with rich dissectors, decoding raw bytes into human-readable fields. Strengths include its intuitive GUI, powerful filtering language, features like following the TCP stream (to reassemble conversations), and decryption support for protocols like TLS (with keys provided). It’s essentially the go-to tool for network forensics, troubleshooting, and malware analysis on the wire. While primarily a manual tool, it complements automated monitoring by validating and drilling into events. Wireshark typically integrates into workflows rather than with software. For example, a SOC might have an Arkime/Moloch server to capture all traffic, and an analyst exports a PCAP slice from it to examine in Wireshark. Another integration example is connecting Wireshark with Suricata: Suricata can emit eve.json logs with packet payloads base64-encoded, which analysts might convert to pcap and open in Wireshark for clarity. In summary, Wireshark provides unparalleled network visibility at the micro level, allowing SOC analysts to verify incidents (was data exfiltrated? what was the content of that suspicious DNS query?) and extract indicators. Its strong community and continuous updates support new protocols and networking trends.
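The eve.json-to-pcap conversion mentioned above, as an added example that is not from the article, Suricata or Wireshark: it assumes the EVE alert output was configured with `packet: yes`, so each alert record carries the raw frame base64-encoded in its "packet" field and the link type in "packet_info.linktype" (1 = Ethernet). The alert records and the frame inside them are constructed.

```python
"""Turn Suricata EVE alert records into a pcap file Wireshark can open.

Each alert with a "packet" field becomes one pcap record stamped with the
alert's timestamp; the pcap link type is taken from packet_info.linktype.
A pcap file holds exactly one link type, so mixing them is refused rather
than silently producing a file Wireshark would mis-dissect.
"""
import base64
import json
import struct
from datetime import datetime

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_HEADER = "<IHHiIII"     # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = "<IIII"        # ts_sec, ts_usec, incl_len, orig_len


def _eve_timestamp(ts: str):
    """Split a Suricata timestamp (2024-03-01T10:15:42.123456+0000) into (sec, usec)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.replace(microsecond=0).timestamp()), dt.microsecond


def eve_to_pcap(lines, default_linktype=1) -> bytes:
    """Return pcap bytes holding every alert in `lines` that carries a packet."""
    records, linktype = [], None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or "packet" not in ev:
            continue                      # flow/dns/http records carry no raw packet
        lt = ev.get("packet_info", {}).get("linktype", default_linktype)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            raise ValueError(f"mixed link types {linktype} and {lt}; split the input")
        raw = base64.b64decode(ev["packet"])
        sec, usec = _eve_timestamp(ev["timestamp"])
        records.append(struct.pack(PCAP_RECORD, sec, usec, len(raw), len(raw)) + raw)
    header = struct.pack(PCAP_HEADER, PCAP_MAGIC, 2, 4, 0, 0, 65535,
                         default_linktype if linktype is None else linktype)
    return header + b"".join(records)


def pcap_summary(data: bytes):
    """Read a pcap back: (linktype, [(sec, usec, length), ...]). Used to verify output."""
    magic, major, minor, _tz, _sig, _snap, linktype = struct.unpack_from(PCAP_HEADER, data, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a pcap file this helper understands")
    off, pkts = struct.calcsize(PCAP_HEADER), []
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from(PCAP_RECORD, data, off)
        off += struct.calcsize(PCAP_RECORD)
        pkts.append((sec, usec, incl))
        off += incl
    return linktype, pkts


def _constructed_frame(payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP frame 10.0.0.5:51000 -> 203.0.113.7:53 (sample input only;
    checksums are left at zero, which Wireshark dissects but flags)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([203, 0, 113, 7]))
    udp = struct.pack("!HHHH", 51000, 53, udp_len, 0)
    return eth + ip + udp + payload


def _alert(ts: str, sid: int) -> str:
    """One constructed EVE alert record with an embedded packet."""
    frame = _constructed_frame(b"\x12\x34\x01\x00" + b"\x00" * 8)
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": "10.0.0.5",
                       "dest_ip": "203.0.113.7", "proto": "UDP",
                       "alert": {"signature_id": sid, "severity": 2,
                                 "signature": "CONSTRUCTED sample DNS alert"},
                       "packet": base64.b64encode(frame).decode(),
                       "packet_info": {"linktype": 1}})


SAMPLE_EVE = [
    _alert("2024-03-01T10:15:42.123456+0000", 1000001),
    json.dumps({"timestamp": "2024-03-01T10:15:42.200000+0000", "event_type": "dns",
                "dns": {"type": "query", "rrname": "example.test"}}),   # skipped
    _alert("2024-03-01T10:15:43.000500+0000", 1000002),
]

if __name__ == "__main__":
    with open("suricata_alerts.pcap", "wb") as fh:      # open this file in Wireshark
        fh.write(eve_to_pcap(SAMPLE_EVE))
```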
Arkime (formerly Moloch)
Full packet capture and indexing system
Arkime is an open-source, large-scale packet capture and database system that stores network traffic and enables fast search and retrieval. It augments security infrastructure by keeping raw packet data for analysis while providing an Elasticsearch-backed index for querying session metadata. SOC teams deploy Arkime sensors to continuously record all network packets (often on critical segments or enterprise egress points) and retain them (in PCAP format) for as long as storage allows. When an incident occurs, an analyst can use Arkime’s web interface to search for sessions by IP, protocol, hostname, etc., and then retrieve the packets for those sessions. This is invaluable for incident response – it provides network visibility to confirm and scope incidents (“what did the attacker exfiltrate? Which machines communicated with this C2 server?”). Core features of Arkime include high-speed packet indexing, the ability to cluster across multiple capture nodes for scalability, and session reconstruction (it can show a transcript of a session similar to Zeek). One of Arkime’s strengths is its integration with Elasticsearch, which gives it powerful search and analytics capabilities on packet metadata while allowing packet drill-down. It is open source, so it is cost-effective for organisations needing long-term traffic recording; the practical constraint is disk, since retention is bounded by how many days of full capture the sensors can store. Arkime integrates well with other tools: it can enrich sessions with threat intelligence (for example tagging sessions involving known-bad IPs via its WISE plugin), and analysts can pivot from SIEM alerts to Arkime – e.g. an alert provides an IP and time, and Arkime can be searched to pull the raw traffic around that event. Many SOCs also use Arkime alongside Suricata/Zeek; Arkime stores the packets while Suricata/Zeek store alerts/logs, giving a complete network forensic solution.
In summary, Arkime’s notable strength is providing full packet capture at scale with an accessible interface, greatly enhancing a SOC’s ability to investigate and respond to network-based threats with concrete evidence.
Ntopng
Network traffic monitoring and flow analysis.
Ntopng is an open-source network traffic probe that provides a web-based GUI for monitoring real-time network usage. It analyses traffic captured from an interface via libpcap or, paired with nProbe, NetFlow/IPFIX/sFlow records exported by routers, and gives insights into top talkers, protocols, geolocation of IPs, etc. In a SOC, Ntopng can be used for network visibility and anomaly detection on the fly – analysts might use it to spot unusual spikes in traffic, identify unexpected external connections, or monitor bandwidth usage by host. It classifies traffic by application (DPI via nDPI) and can alert on certain conditions (such as a host suddenly using a new protocol or making large data transfers). While not a full IDS, Ntopng’s strength is in intuitive visualisation of network metrics and patterns, which can tip off analysts to issues (e.g. a workstation sending data at 3 AM to an IP in a country where the company does no business could be spotted on the dashboard). Combined with nProbe as the flow collector, it is useful for summarised traffic analysis when full PCAP is not feasible. Integration: Ntopng can export alerts to syslog or other systems, and it often works with nProbe (for flow collection) and other Ntop tools. Some SOCs feed Ntopng data into ELK for long-term analysis. It can also consume blocklists for threat intel (flagging connections to known-bad IPs). Community-wise, Ntopng is actively maintained and used in many networking and security monitoring setups. It complements IDS/IPS by focusing on flow data and usage statistics rather than packet content. In summary, Ntopng helps SOC analysts monitor the network’s pulse in real time, easily spotting anomalies and drilling down to flow details when something looks off.
NetworkMiner
Passive network forensic analysis tool.
NetworkMiner (free edition) is an open-source network forensic analysis tool for Windows (it also runs on Linux and macOS under Mono) that analyses packet captures or sniffs live traffic to extract artefacts. It is often used as a complement to Wireshark during investigations. NetworkMiner automatically parses a PCAP and extracts files, images, certificates, credentials, and other data from the network streams, presenting them in an organised way. For a SOC analyst, this is useful when dealing with malware traffic or intrusion evidence. Instead of manually reconstructing files from packets, NetworkMiner will pull out any files transferred (via HTTP, SMB, FTP, etc.), which can then be scanned with an antivirus or reverse-engineered. It also lists host details observed (IP, hostnames, open ports), which can enrich incident reports. The tool operates passively (it sends no traffic of its own), making it safe to use on live traffic if needed. Strengths include its ease of use (open a pcap, get results) and its focus on reconstructing content and recovering credentials from captures. An analyst might run NetworkMiner on traffic from a suspected infected machine to see whether any password was sent in cleartext or suspicious files were downloaded. One caveat: extracted files are live malware, so they should be handled on an isolated analysis workstation rather than the analyst’s everyday machine. Integration is minimal – it is a standalone tool – but it is often part of the analyst’s toolkit on their workstation. Where it is integrated at all, it is as one step in a workflow: e.g. Arkime for capture -> export to PCAP -> NetworkMiner to extract content -> submit the extracted binaries to a sandbox such as Cuckoo. The free edition of NetworkMiner is open source; the commercial Professional edition adds features. It is widely referenced in network forensics training and is a handy open-source utility to expedite the “find evil in PCAP” process, thereby accelerating SOC investigations of network incidents.
Forensic Analysis (Host and Memory Forensics, Malware Analysis)
Autopsy (Sleuth Kit)
Digital forensics GUI for disk analysis.
Autopsy is an open-source digital forensics platform and graphical interface to The Sleuth Kit® suite of command-line tools. SOC and forensic analysts use it to investigate disk images (from computers, servers, and removable media) and recover evidence of intrusions or malicious activity. In day-to-day SOC operations, Autopsy might be used during incident response for deep-dive analysis on an infected host – for example, analysing a forensic image of a compromised machine to find traces of malware installation, deleted files, or user actions. Core capabilities of Autopsy (and Sleuth Kit) include file system analysis (for NTFS, FAT, EXT, etc.), file recovery, timeline analysis of file events, registry analysis, and extraction of artefacts such as browser history or email archives. It also has modules for keyword search, hash set matching (to identify known harmful or known good files), and carving files out of unallocated space. Notable strengths of Autopsy are its ease of use via a GUI and its extensibility (many plugins exist to parse various artefact types, such as web artefacts or memory dumps). It is often touted as the “premier end-to-end open source forensic platform”, combining many features expected from commercial suites. Community adoption is strong, particularly among law enforcement and smaller enterprises – it is used to train new analysts and in real investigations. Integration: Autopsy is usually used standalone on a forensic workstation. However, it can import data from other tools (e.g. load a memory image processed by Volatility) and export reports that can be shared in incident management systems. Because it is open source, some SOCs integrate Autopsy into their workflow by using its command-line components (Sleuth Kit tools such as fls and mactime) in scripts – for instance, generating file-system timelines of critical servers on a schedule and comparing results over time.
Autopsy provides SOC teams with a powerful means to “investigate what happened on a computer” using disk evidence, which is crucial for root cause analysis and understanding complex breaches.
Volatility
Memory forensics framework.
Volatility is an open-source memory forensics framework for extracting digital artefacts from RAM dumps of computers. It is a command-line tool (written in Python) that supports analysis of memory images from Windows, Linux, and macOS systems. SOC and IR analysts turn to Volatility when investigating advanced threats such as rootkits and fileless malware, or when analysing the state of a system at the time of compromise. For example, after a detected intrusion, an analyst might take a memory snapshot of the affected server and use Volatility to list running processes, open network connections, and loaded kernel modules, and even dump malicious code that exists only in memory. Core capabilities of Volatility include process listing, registry hive extraction from memory, DLL listing per process, scanning for hidden processes or hooks, extracting command history, and more – essentially, reconstructing the “volatile” system state that is not captured in disk forensics. Volatility’s strength is in its comprehensive plugin library, which covers a wide array of forensic tasks, and its community support: it is widely regarded as “the world’s most widely used memory forensics tool – relied upon by law enforcement, military, academia, and investigators around the world.” This means continuous improvements and plugins for new OS versions and structures; Volatility 3, a Python 3 rewrite, is the actively developed version, while Volatility 2 remains in use for its larger legacy plugin set. One caveat worth knowing: a memory image is only as good as the acquisition, so the profile/symbols must match the exact kernel build and the dump should be taken before the host is rebooted or remediated. It is indispensable for discovering malware injected into memory without a file, encryption keys, or evidence of lateral movement that only resided in memory. Integration is typically via workflow: memory dumps can be obtained by various means (built-in OS tools, hypervisors, or response tools such as Velociraptor), and then Volatility is run on the analyst’s machine. Some SOAR playbooks incorporate Volatility to automate specific analyses on memory dumps and feed the results (such as suspicious process names) back into cases.
Also, TheHive/Cortex has analysers for Volatility, meaning an analyst can trigger some Volatility plugins on a memory image from within an IR platform. In summary, Volatility is the go-to open-source tool for memory analysis, providing deep insight into running malware and system state that is otherwise lost, thereby greatly enhancing a SOC’s incident response and malware analysis capabilities.
Cuckoo Sandbox
Automated malware analysis system.
Cuckoo Sandbox is a widely used open-source automated malware analysis platform that allows analysts to detonate suspicious files or URLs in an isolated environment and observe their behaviour. SOC teams use Cuckoo to safely execute potential malware (such as email attachments, Office documents with macros, or executables found on compromised systems) and automatically generate a detailed report of what the file does. This includes changes to the filesystem or registry, processes created, network traffic generated, screenshots of the malware’s GUI (if any), and extracted memory strings. The sandbox approach helps determine whether a file is malicious and gathers Indicators of Compromise, without risking a production system. Key capabilities of Cuckoo include support for multiple guest OS environments (Windows, Linux, Android), the ability to run custom analysis scripts, and a mechanism to dump and analyse memory after execution. It outputs practical artefacts such as API call traces and network PCAPs, and can even use Volatility for additional memory analysis post-run. Notable strengths: it is highly modular and extremely customisable – organisations can tailor it to use their preferred analysis tools or feeds (for example, integrating antivirus scanners, YARA rule matching on dropped files, etc.). As an open-source project, it has a wide community and many extensions; for instance, there are community modules to integrate Cuckoo with MISP (for feeding analysis results as threat intel) or with TheHive (Cuckoo results can automatically be pulled into an incident case). SOC analysts typically interact with Cuckoo via its web GUI or API integration. The platform generates a comprehensive report that analysts review to understand what a malware sample did – this greatly helps in incident scoping (what actions did the malware attempt?) and in creating detection signatures.
Two caveats apply. First, the sandbox VMs need resources and ongoing maintenance (and evasive malware will fingerprint a poorly disguised VM and stay dormant), though the cost-benefit of an open tool outweighs this for many. Second, the original Cuckoo 2.x codebase (Python 2) is no longer maintained; the actively developed successors are CAPEv2 and Cuckoo3, and a new deployment should start from one of those. In summary, Cuckoo provides SOCs with “an open-source automated malware analysis system” that delivers insights into suspicious files’ behaviour, enabling quicker and safer malware analysis as part of the SOC’s workflow.
Bulk Extractor & RegRipper
Artefact extraction tools.
Bulk Extractor is an open-source forensics tool that scans disk or memory images to extract low-level artefacts such as email addresses, credit card numbers, URLs, etc., without parsing the file system. It is used to quickly mine large data dumps for helpful clues (e.g. in an insider threat investigation, to find all URLs or messages), and because it ignores the file system it also finds artefacts in unallocated space and slack that a file-based tool would miss. RegRipper is an open-source tool to parse Windows Registry hives and extract forensically relevant information (user account data, autostart programs, USB device history, etc.). In SOC investigations, these tools serve specialised purposes: RegRipper might be run on a registry hive from a compromised host to quickly pull out all auto-run entries (helping find persistence mechanisms), and Bulk Extractor might be run on a disk image to identify artefacts (such as signs of data exfiltration or the presence of specific keywords). Their strengths are speed and specificity – they automate what would otherwise be manual, time-consuming parsing. They are commonly integrated into forensic workflows; for example, Autopsy can use Bulk Extractor as a module to extract artefacts automatically during disk analysis, and RegRipper output can be included in incident reports. Community adoption is moderate; they are well known in forensics and often used in CTFs and training. By including these tools in an open-source SOC toolkit, analysts can accelerate the information-gathering phase of an investigation. Integration with case management is mostly by importing their text/HTML output into reports or wikis for collaborative analysis.
Automation and Orchestration (SOAR)
TheHive
Security Incident Response Platform with SOAR capabilities.
TheHive is an open-source cybersecurity incident response platform designed to help SOC teams investigate and respond to incidents collaboratively. It provides case management, workflow automation, and integration with analytical tools, effectively functioning as a lightweight SOAR. Analysts use TheHive to track alerts and incidents: multiple related alerts can be aggregated into a case, tasks can be assigned to team members, and all investigation findings can be recorded centrally. TheHive’s core capabilities include a dynamic dashboard for oversight, live collaboration on cases, and built-in templates/playbooks for common incident types. Its notable strength is the integration of automation via its companion component Cortex. Cortex is an analysis engine that TheHive calls to execute analyzers (scripts that can query threat intel sources, scan files with antivirus, extract metadata, etc.) and return results into the case. This allows analysts to automate much of the evidence gathering – for instance, with one click TheHive can, via Cortex, check a suspicious hash against VirusTotal, scan a URL through a sandbox, and query MISP for related indicators, with all results attached to the case. TheHive also seamlessly integrates with MISP (bidirectional exchange of IOCs) for threat intelligence enrichment. Community adoption of TheHive has been significant among CERTs and organisations needing an affordable IR platform; it has an active user community. (TheHive 5 is a commercial product from StrangeBee with a free but closed-source Community edition; TheHive 4 remains available under the AGPL and is still widely deployed, but no longer receives upstream updates, which a SOC should weigh before standing up a new instance.) Integration: TheHive offers an API and alert feeders – it can ingest alerts from SIEMs (Elastic, Splunk, etc.) or ticket systems, meaning a SOC can automatically have, say, a QRadar offense or a Suricata alert create a Hive case for triage. Conversely, it can trigger actions in other tools (through Cortex analyzers or webhook outputs).
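The “Suricata alert creates a Hive alert” feed described above, as an added example written for this page rather than TheHive’s own code: a Suricata eve.json alert record is mapped onto the JSON body TheHive 4 accepts at POST /api/alert, with the two endpoints, the HTTP Host and the requested path becoming observables, and the alert’s sourceRef derived deterministically from the event so that re-submitting the same event does not create a second alert. The sample record, the sensor name and the base URL/API key in post_alert are placeholders; the severity mapping assumes Suricata’s priority 1 is most urgent and TheHive 4’s severity runs from 1 (low) to 4 (critical).

```python
"""Map a Suricata eve.json alert onto a TheHive 4 alert (POST /api/alert)."""
import hashlib
import json
import urllib.request
from typing import Any, Dict

# Suricata priority 1 is the most urgent; TheHive 4 severity is 1 (low) .. 4 (critical)
SEVERITY_MAP = {1: 3, 2: 2, 3: 1}


def build_thehive_alert(eve: Dict[str, Any], sensor: str) -> Dict[str, Any]:
    if eve.get("event_type") != "alert":
        raise ValueError("only event_type 'alert' records are converted")
    a = eve["alert"]
    # TheHive identifies an alert by (source, sourceRef).  Deriving the ref from the
    # event's stable fields makes the conversion idempotent: the same event re-sent
    # carries the same ref instead of opening a second alert.
    ref = f"{eve['timestamp']}|{eve.get('flow_id')}|{a['signature_id']}"
    source_ref = hashlib.sha256(ref.encode()).hexdigest()[:16]

    artifacts = [
        {"dataType": "ip", "data": eve["src_ip"], "message": "source address"},
        {"dataType": "ip", "data": eve["dest_ip"], "message": "destination address"},
    ]
    http = eve.get("http") or {}
    if http.get("hostname"):
        artifacts.append({"dataType": "fqdn", "data": http["hostname"], "message": "HTTP Host header"})
    if http.get("url"):
        artifacts.append({"dataType": "uri_path", "data": http["url"], "message": "requested path"})
    dns = eve.get("dns") or {}
    if dns.get("rrname"):
        artifacts.append({"dataType": "domain", "data": dns["rrname"], "message": "DNS query"})

    description = (
        f"{a['signature']} (sid {a['signature_id']}, category {a.get('category', 'n/a')})\n"
        f"{eve['src_ip']}:{eve.get('src_port', '?')} -> {eve['dest_ip']}:{eve.get('dest_port', '?')} "
        f"{eve.get('proto', '')} at {eve['timestamp']}"
    )
    return {
        "title": f"[{sensor}] {a['signature']}",
        "description": description,
        "type": "ids",
        "source": sensor,
        "sourceRef": source_ref,
        "severity": SEVERITY_MAP.get(a.get("severity"), 1),
        "tlp": 2,
        "tags": [f"sid:{a['signature_id']}", a.get("category", "unknown"), "suricata"],
        "artifacts": artifacts,
    }


def post_alert(payload: Dict[str, Any], base_url: str, api_key: str) -> Dict[str, Any]:
    """Send the alert to TheHive 4 (bearer API key); base_url and api_key are placeholders."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/alert",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:   # not called by the demo below
        return json.load(resp)


# Constructed eve.json alert record (not real sensor output)
SAMPLE_ALERT = {
    "timestamp": "2024-03-01T08:15:30.123456+0000", "flow_id": 1234567890123456,
    "event_type": "alert", "src_ip": "192.168.1.10", "src_port": 51234,
    "dest_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP",
    "alert": {"signature_id": 9000001, "rev": 1, "severity": 1,
              "signature": "EXAMPLE Suspicious login form POST", "category": "Web Application Attack"},
    "http": {"hostname": "example.test", "url": "/wp-login.php", "http_method": "POST"},
}

if __name__ == "__main__":
    print(json.dumps(build_thehive_alert(SAMPLE_ALERT, "suricata-sensor-01"), indent=2))
    # post_alert(build_thehive_alert(SAMPLE_ALERT, "suricata-sensor-01"),
    #            "https://thehive.example.test", "API_KEY_PLACEHOLDER")
```

In a real feeder the loop reads eve.json (or the SIEM’s alert stream), builds one payload per alert, and posts it; a HTTP 409 from TheHive on a repeated sourceRef is the expected signal that the alert already exists and can be ignored rather than retried.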
In summary, TheHive provides a central hub for SOC incident handling, combining human collaboration with automated enrichment, thereby streamlining and orchestrating the response workflow in an open-source, community-driven way.
Shuffle
Low-code security automation platform (SOAR).
Shuffle is an open-source SOAR platform that enables security teams to create automated workflows through a user-friendly, drag-and-drop interface. It focuses on ease of use, allowing organisations to build playbooks without heavy coding – akin to a “Zapier for security.” In a SOC, Shuffle can be used to automate repetitive or time-sensitive tasks: for example, when a phishing email alert comes in, Shuffle could automatically extract indicators (sender, URLs), query threat intel sources, block the sender at the email gateway, and create a ticket – all within seconds and without manual error. Shuffle’s core capability is its workflow engine and a library of 200+ prebuilt integrations (apps) that connect to various security and IT systems. These integrations cover commonly used tools (email, Slack, SIEMs, threat intel APIs, firewall APIs, etc.), so analysts can chain actions such as “if X alert, do Y in the firewall, do Z in ticketing”. Strengths of Shuffle include its open-source nature (high transparency and customisability) and an active community contributing playbooks and integrations. It emphasises easy automation and even “no-code” capabilities, making SOAR accessible to smaller teams. Integration is Shuffle’s forte: thanks to OpenAPI and its app model, it integrates with just about anything that has an API. It also supports custom Python code within workflows for flexibility. A typical integration example is using Shuffle to connect a SIEM and an endpoint solution: on a specific SIEM alert, Shuffle can automatically isolate a host via an EDR’s API and notify the team on Teams/Slack. One caveat that applies to any SOAR, Shuffle included: automated containment actions (blocking, isolating) act on the basis of whatever triggered them, so the triggering alert’s false-positive rate and the credentials the platform holds for those APIs deserve the same scrutiny as any other privileged service account. Community adoption is growing, especially as organisations seek cost-effective SOAR alternatives. Many use Shuffle to prototype automation, then gradually expand it. Shuffle allows SOCs to “automate various tasks within your SIEM stack or other environments” with minimal overhead. This reduces response times and frees analysts from mundane tasks to focus on higher-level analysis.
StackStorm (ST2)
Event-driven orchestration and automation platform.
StackStorm is an open-source automation engine that is not security-specific, but is often utilised in SOAR contexts for its power and extensibility. It operates on the principle of “if this, then that” for infrastructure – it can ingest triggers from various sources (monitoring tools, ticketing systems, custom scripts) and execute workflows or “runbooks” in response. In a SOC, StackStorm can serve as the backend of an automation pipeline: for example, an alert from an IDS could be a trigger that causes StackStorm to fetch related logs, block an IP on a firewall, and send a report email. It offers a rules engine, workflow definitions (using YAML or Python), and pre-built actions (over 160 integration packs including ones for Cisco, AWS, Slack, etc.). The key strength of StackStorm is its maturity in handling complex, multi-step automation with branching logic and reliability (retries, error handling) – essentially providing “automation as code”. Large enterprises like Netflix and Target have used it to auto-remediate issues, including security incidents. For a SOC that already has various scripts and wants to orchestrate them systematically, StackStorm is ideal. It integrates widely: its pack system means it can interface with many tools out-of-the-box, and new integrations can be coded. For instance, a community-maintained Security pack integrates with tools like Nmap, Snort, VirusTotal, etc., enabling security-specific playbooks. StackStorm can also work with TheHive or other platforms (some users send TheHive alerts to StackStorm to decide on automated responses, then feed results back). Community adoption among DevOps and NetOps is strong, and in SecOps it’s valued by teams with programming expertise who need more flexible automation than a pure-play SOAR GUI might offer. 
In summary, StackStorm provides an “automation brain” for the SOC, turning detection signals into automated actions and connecting the dots between disparate systems in an open-source, programmable way.