Having used a variety of paid tools that were subpar and expensive and spreadsheets that were ineffective at scale, I just wanted to share two projects that have been useful for small infosec teams.

FIR: https://github.com/certsocietegenerale/FIR First is FIR, a super lightweight improvement on a spreadsheet IR shop. I’d highly recommend this as a starting point for an IR team and it can be run from a docker to test before deploying to a vm. It has functional customization and reporting, as well as a good workflow system.

HiveIR: https://thehive-project.org/ Second is HiveIR, a much more complex system to setup and use, but links to IOC content through Cortex and has an in-depth CMS and workflow, with the additions of playbooks, etc. HiveIR is also available in docker form for testing before deployment.

I’d recommend starting with FIR and moving to HiveIR down the road for a small team, HiveIR can be overwhelming to start, maintain and learn; whereas FIR is easy to consume and use out of the box.