sleuthkit - The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data

•    C

The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs. The Sleuth Kit uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS (see docs/ntfs.README) and FAT (see docs/fat.README) file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.

awesome-sre - A curated list of awesome Site Reliability and Production Engineering resources.

A curated list of awesome Site Reliability and Production Engineering resources.

TheHive - TheHive: a Scalable, Open Source and Free Security Incident Response Platform

•    Javascript

TheHive is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion to MISP. You can synchronize it with one or multiple MISP instances to start investigations out of MISP events. You can also export an investigation's results as a MISP event to help your peers detect and react to attacks you've dealt with. Additionally, when TheHive is used in conjunction with Cortex, security analysts and researchers can easily analyze tens if not hundred of observables. Collaboration is at the heart of TheHive. Multiple analysts can work on the same case simultaneously. For example, an analyst may deal with malware analysis while another may work on tracking C2 beaconing activity on proxy logs as soon as IOCs have been added by their coworker. Using TheHive's live stream, everyone can keep an eye on what's happening on the platform, in real time.

incident-response-docs - PagerDuty's Incident Response Documentation.

•    HTML

This is a public version of the Incident Response process used at PagerDuty. It is also used to prepare new employees for on-call responsibilities, and provides information not only on preparing for an incident, but also what to do during and after. See the about page for more information on what this documentation is and why it exists. You can view the documentation directly in this repository, or rendered as a website at https://response.pagerduty.com.

Wazuh - Host and endpoint security

•    C

Wazuh helps you to gain deeper security visibility into your infrastructure by monitoring hosts at an operating system and application level. This solution, based on lightweight multi-platform agents, provides the capabilities like Log management and analysis, File integrity monitoring, Intrusion and anomaly detection, Policy and compliance monitoring.

response - Monzo's real-time incident response and reporting tool ⚡️

•    Javascript

Dealing with incidents can be stressful. On top of dealing with the issue at hand, responders are often responsible for handling comms, both internal and external, reporting, and coordinating the efforts of other engineers. To reduce the pressure and cognitive burden on its engineers, Monzo built Response to help coordinate and report incidents. Limit context switching Context switching during an incident is often unavoidable. Response aims to limit this, by enabling actions to be carried out without leaving the conversation.

fame - FAME Automates Malware Evaluation

•    Python

FAME is a recursive acronym meaning “FAME Automates Malware Evaluation”. It is meant to facilitate analysis of malicious files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.

intelmq - IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol

•    Python

IntelMQ is a solution for IT security teams (CERTs, CSIRTs, abuse departments,...) for collecting and processing security feeds (such as log files) using a message queuing protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs/CSIRTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs. See INSTALL.

OPCDE - OPCDE DXB 2017 + 2018 Materials

•    C++

OPCDE DXB 2017 + 2018 Materials

awesome-incident-response-pro-bono - This repository is a curated list of pro bono incident response entities

This repository is a curated list of pro bono incident response entities. This list should only contain entities that offer help for public so that people who are searchiung for support canchoose one of the below to get support. Access Now’s Digital Security Helpline works with individuals and organizations around the world to keep them safe online. If you’re at risk, we can help you improve your digital security practices to keep out of harm’s way. If you’re already under attack, we provide rapid-response emergency assistance.

wazuh-ansible - Wazuh - Ansible playbook

This playbooks installs and configure Wazuh agent, manager and Elastic Stack. The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem.

wazuh-api - Wazuh - RESTful API

•    Javascript

Wazuh API is an open source RESTful API to interact with Wazuh from your own application or with a simple web browser or tools like cURL. Our goal is to completely manage Wazuh remotely. Perform everyday actions like adding an agent, check configuration, or look for syscheck files are now simplest using Wazuh API.

wazuh-docker - Wazuh - Docker containers

•    Shell

In addition, a docker-compose file is provided to launch the containers mentioned above. It also launches an Elasticsearch container (working as a single-node cluster) using Elastic Stack Docker images. Containers are currently tested on Wazuh version 3.3.0 and Elastic Stack version 6.2.4. We will do our best to keep this repository updated to latest versions of both Wazuh and Elastic Stack.

wazuh-documentation - Wazuh - Project documentation

•    Python

Here you will find instructions to install and deploy Wazuh HIDS. If you want to contribute to this documentation (built using Sphinx) or our projects please head over to our Github repositories and submit pull requests.

wazuh-kibana-app - Wazuh - Kibana plugin

•    Javascript

Visualize and analyze Wazuh alerts stored in Elasticsearch using our Kibana app plugin. If you want to contribute to our project please don't hesitate to send a pull request. You can also join our users mailing list, by sending an email to mailto:wazuh+subscribe@googlegroups.com, to ask questions and participate in discussions.

wazuh-packages - Wazuh - Tools for packages creation

•    Shell

Wazuh is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

wazuh-puppet - Wazuh - Puppet module

•    Puppet

This module installs and configure Wazuh agent and manager. This Puppet module has been authored by Nicolas Zin, and updated by Jonathan Gazeley and Michael Porter. Wazuh has forked it with the purpose of maintaining it. Thank you to the authors for the contribution.

wazuh-ruleset - Wazuh - Ruleset

•    Python

Wazuh ruleset is used to detect attacks, intrusions, software misuse, configuration problems, application errors, malware, rootkits, system anomalies or security policy violations. The ruleset includes compliance mapping with PCI DSS v3.1 and CIS.

Analyst-CaseFile - Maltego CaseFile entities for information security investigations, malware analysis and incident response

Maltego CaseFile entities for information security investigations, malware analysis and incident response

osquery-configuration - A repository for using osquery for incident detection and response

This repository is the companion to the osquery Across the Enterprise blog post. The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. It is our belief that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is exactly what we have done with our unwanted-chrome-extensions query pack and additions to the windows-attacks pack.