One of the tools I’m interested in is Firemon’s Immediate Insight.
I set it up at the house to look into how and what my Syslog traffic is doing. It’s amazing, and I’m sure I’ve just scratched the surface. I’ll probably have more as I break it down. I’ve already tightened down and blocked a bunch of Chinese, Russian, and Iranian IP ranges. I have a BUNCH more ‘blocks’ coming in, and this tool helped me discover the probing addresses.
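To make the "discover the probing addresses" step concrete, here is a small Python script that does by hand what a syslog analytics tool does at scale: it reads firewall drop lines and sshd failures, scores each source by distinct ports hit and failed logins, and drafts block rules for the ones that cross a threshold. This is an added example, not code from the original post and not part of Immediate Insight; the log lines are constructed (iptables LOG-style kernel lines plus standard sshd messages using RFC 5737 documentation addresses), the thresholds are illustrative, and the output is plain iptables syntax rather than whatever your gateway actually takes.

```python
"""Spot probing hosts in syslog and draft block rules.

Added example (not Firemon/Immediate Insight code). Sample log lines below are
constructed; thresholds and the iptables output format are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog: iptables LOG-style drops plus sshd auth failures.
SAMPLE_SYSLOG = """\
Mar  3 02:14:07 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41234 DPT=22 SYN
Mar  3 02:14:07 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41235 DPT=23 SYN
Mar  3 02:14:08 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41236 DPT=80 SYN
Mar  3 02:14:08 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41237 DPT=443 SYN
Mar  3 02:14:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41238 DPT=445 SYN
Mar  3 02:14:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=41239 DPT=3389 SYN
Mar  3 02:14:30 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=5555 DPT=22 SYN
Mar  3 02:15:01 gw sshd[2211]: Failed password for invalid user admin from 192.0.2.55 port 50122 ssh2
Mar  3 02:15:03 gw sshd[2213]: Failed password for root from 192.0.2.55 port 50130 ssh2
Mar  3 02:15:05 gw sshd[2215]: Failed password for invalid user pi from 192.0.2.55 port 50141 ssh2
Mar  3 02:16:10 gw sshd[2230]: Failed password for bob from 10.0.0.5 port 60000 ssh2
Mar  3 02:16:12 gw sshd[2231]: Failed password for bob from 10.0.0.5 port 60001 ssh2
Mar  3 02:16:14 gw sshd[2232]: Failed password for bob from 10.0.0.5 port 60002 ssh2
"""

FW_DROP_RE = re.compile(
    r"DROP .*?SRC=(?P<src>[0-9a-fA-F.:]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)
SSHD_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>[0-9a-fA-F.:]+) port \d+"
)

# Local ranges to ignore. Listed explicitly rather than via ip.is_global, because
# Python also treats the RFC 5737 documentation ranges used in the sample as non-global.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip):
    """True for loopback, link-local and RFC 1918 space; those are not internet probes."""
    return ip.is_loopback or ip.is_link_local or any(ip in net for net in LOCAL_NETS)


def summarize_sources(syslog_text):
    """Per source IP: the distinct (proto, port) pairs it was dropped on and its failed logins."""
    stats = defaultdict(lambda: {"ports": set(), "failed_logins": 0})
    for line in syslog_text.splitlines():
        m = FW_DROP_RE.search(line)
        if m:
            stats[m["src"]]["ports"].add((m["proto"], int(m["dpt"])))
            continue
        m = SSHD_FAIL_RE.search(line)
        if m:
            stats[m["src"]]["failed_logins"] += 1
    return stats


def find_probing_sources(syslog_text, port_threshold=5, login_threshold=3):
    """Return {ip: reason} for non-local sources that port-scanned or brute-forced logins.

    Thresholds are illustrative; tune them against the host's normal traffic."""
    probing = {}
    for src, s in summarize_sources(syslog_text).items():
        if is_local(ipaddress.ip_address(src)):
            continue
        if len(s["ports"]) >= port_threshold:
            probing[src] = f"scanned {len(s['ports'])} ports"
        elif s["failed_logins"] >= login_threshold:
            probing[src] = f"{s['failed_logins']} failed logins"
    return probing


def draft_block_rules(probing, existing_blocks=()):
    """iptables DROP rules for probing hosts not already inside a blocked range (assumed format)."""
    blocked = [ipaddress.ip_network(b) for b in existing_blocks]
    rules = []
    for src, reason in sorted(probing.items()):
        if any(ipaddress.ip_address(src) in net for net in blocked):
            continue  # a range block already covers this host
        rules.append(f"iptables -A INPUT -s {src} -j DROP  # {reason}")
    return rules


if __name__ == "__main__":
    hits = find_probing_sources(SAMPLE_SYSLOG)
    for rule in draft_block_rules(hits, existing_blocks=["203.0.113.0/24"]):
        print(rule)
```

Run against the sample, the port scanner and the SSH brute-forcer are flagged, the single-port hit and the internal host are not, and passing a range you have already blocked (the way the post describes blocking whole country ranges) suppresses rules that would be redundant. Feed it `/var/log/syslog` or `journalctl -o short` output instead of `SAMPLE_SYSLOG` to try it on real traffic.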
Full disclosure: I work for Firemon, but I don’t have a relationship to this product outside knowing it exists and having a demo license I can use to toy with.