Sooty – A SOC Analysts Tool – Part I

 Sooty is a SOC analysts tool that would also work well for an individual intrusion analyst. It’s available at I’ve installed it on a Fedora test box at my day job; I’m going to install it on one of my laptops at home and go through the steps here as I had to track down a couple of dependencies to get it installed correctly on Fedora 32.

The SOC Analysts all-in-one CLI tool to automate and speed up workflow. – TheresAFewConors/Sooty
The first step is to become root and change to where you want to install it. I use the /opt directory for stand alone tools. 

Now use git to pull down the Sooty. You can use subversion as well if you like.

Change to the Sooty directory

To install the prereqs, run pip install -r requirements.txt

On Fedora, I don’t get a clean install becuase I’m missing libffi 

Install libffi

I’m still missing a prereq, Python.h
Install the devel package…

And run pip one last time…

And now we have satisfied all the requirements and gotten Sooty where it will run.

Are we done? Depends..

f you have API keys for Virustotal,, AbuseIPDB, HaveIBeenPwned or PhishTank, you need to make a copy of example_config.yaml, put your API keys on the appropriate lines and save it as config.yaml.
Otherwise, you can run the program, just not with the added functionality you would have if you have API keys.
That’s the install, at least for Fedora. Other distros may require other prereqs, or may not need any fiddling at all. In the second part, we’ll plug an API key in and start playing with the different options

*** This is a Security Bloggers Network syndicated blog from JeffSoh on NetSec authored by JeffSoh. Read the original post at: