Security Operations

Unfetter is a reference implementation framework that collects events from client machines and performs CAR analytics using an ELK stack with Apache Spark to detect potential adversary activity.

FIR is a Python-based cybersecurity incident management platform designed for CSIRTs, CERTs, and SOCs to create, track, and report security incidents.

Shuffle Automation is an accessible automation platform that provides workflow automation capabilities for security operations with both self-hosted and cloud deployment options.

Free cyber threat intelligence feeds for proactive threat detection

IRIS-SOAR is a Python-based modular SOAR platform that automates security incident response workflows and integrates with DFIR-IRIS for enhanced digital forensics operations.

An open source cloud-native security data lake platform for AWS that normalizes security logs into structured data with Detection-as-Code capabilities and vendor-neutral storage using open standards.

HpfeedsHoneyGraph is a visualization application that creates graphical representations of hpfeeds logs to aid cybersecurity analysis of honeypot data.

Open Source Threat Intelligence Gathering and Processing Framework

Weave Scope is a real-time visualization and monitoring tool that automatically maps Docker container infrastructures and microservices, providing interactive topology views and direct container management capabilities.

A community repository of workflow templates for the Ayehu NG platform that enables automated IT and business process execution.

A Python-based modular incident response tool for AWS environments that enables automated security actions across EC2, IAM, VPC, and other AWS resources.

RedELK is a SIEM tool designed for red teams to monitor and receive alerts about blue team detection activities during penetration testing engagements.

A community-driven repository and development framework for creating custom automation activities within the Ayehu NG IT orchestration platform.

A multi-cloud asset enumeration tool that helps blue teams centralize and inventory assets across multiple cloud providers with minimal configuration.

A repository of public applications for the Shuffle security orchestration platform that enables automated security workflows and integrations.

A repository of sample security playbooks with ARM templates for Microsoft Sentinel that enable automated security orchestration and response capabilities.

Open-source observable analysis engine and companion tool for TheHive platform

PlumHound is a reporting engine that converts BloodHoundAD's Neo4J queries into operational security reports for analyzing Active Directory vulnerabilities and attack paths.

An Outlook add-in that enables one-click reporting of suspicious emails to security teams with integrated statistics tracking and SMTP header collection.

A testing tool that generates suspect actions to validate and test Falco runtime security monitoring rulesets.

Catalyst is a SOAR platform that automates alert handling and incident response procedures through ticket management, templates, and playbooks.

A collection of detections for Panther SIEM with detailed setup instructions.

JIMI is a flow-based orchestration automation platform that combines low-code and no-code capabilities for multi-team collaboration across IT, security, and development operations.

COPS is a YAML-based schema standard for creating collaborative DFIR playbooks that provide structured guidance for incident response processes.