Name: Sooty
Author: TheresAFewConors

Primary Use Case

SOC analysts use Sooty to automate repetitive security operations tasks such as reputation checks, URL sanitization, and email analysis, enabling faster incident response and deeper threat hunting. It streamlines the workflow by integrating multiple threat intelligence sources and enrichment techniques into a single command-line interface.

Key Features

Sanitize URLs for safe email sharing

Perform reverse DNS, DNS lookups, and Whois queries

Reputation checks via VirusTotal, BadIPs, AbuseIPDB

Identify malicious/spam/bot IP addresses using Botvrij.eu, myip.ms, Firehol

Check if IP is a TOR exit node

Decode Proofpoint URLs, UTF-8 URLs, Office SafeLink URLs, Base64 strings, and Cisco7 passwords

Analyze emails to extract URLs, IPs, emails, and header info

Check usernames and emails against HaveIBeenPwned breaches

Insights & Recommendations

API keys are required for full functionality with VirusTotal, HaveIBeenPwned, and PhishTank integrations. Users should be aware of rate limits, such as the 10 requests per hour limit on URL unshortening. The tool is designed primarily for SOC analysts and assumes familiarity with command-line operations and security workflows.

Ensure Python is installed Clone the repository from https://github.com/theresafewconors/sooty Install required dependencies (details not explicitly provided but implied Python packages) Configure API keys for VirusTotal, HaveIBeenPwned, and PhishTank as required Run the tool via the command line

Usage

sooty sanitize-url <url>

Sanitizes URLs to make them safe for sending in emails

sooty dns-lookup <ip_or_domain>

Performs reverse DNS and DNS lookups

sooty reputation-check <ip_or_hash>

Checks reputation using VirusTotal, BadIPs, and AbuseIPDB

sooty decode <encoded_string>

Decodes Proofpoint URLs, UTF-8, Office SafeLink URLs, Base64 strings, and Cisco7 passwords

sooty whois <ip_or_domain>

Performs Whois lookups

sooty hibp-check <email_or_username>

Checks if an email or username has been breached using HaveIBeenPwned

sooty unshorten-url <shortened_url>

Unshortens URLs shortened by external services (limited to 10 requests per hour)

sooty urlscan <url>

Queries URLScan.io for reputation reports

sooty phishtank-submit <url>

Submits URLs to PhishTank for phishing verification

sooty create-email-template <email_file.msg>

Creates dynamic email templates for phishing triage response

Smart Usage Notes

Integrate Sooty with SOAR platforms like Tines to automate incident response workflows.Use Sooty in SOC shift handover to quickly summarize ongoing investigations and threat intel.Leverage Sooty’s URL and email sanitization features to safely share suspicious artifacts across teams.Incorporate Sooty into threat hunting playbooks to automate enrichment and reduce analyst fatigue.Extend Sooty with custom plugins to integrate additional threat intelligence sources specific to your environment.

OpenSec Atlas

Sooty

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like