Direct Link: https://github.com/intelowlproject/IntelOwl/
Last Commit: August 28th, 2024
Intel Owl
Do you want to get threat intelligence data about a malware, an IP address or a domain? Do you want to get this kind of data from multiple sources at the same time using a single API request?
You are in the right place!
IntelOwl is an Open Source solution for management of Threat Intelligence at scale. It integrates a number of analyzers available online and a lot of cutting-edge malware analysis tools.
Features
This application is built to scale out and to speed up the retrieval of threat info.
It provides:
- Enrichment of Threat Intel for files as well as observables (IP, Domain, URL, hash, etc).
- A Fully-fledged REST APIs written in Django and Python.
- An easy way to be integrated in your stack of security tools to automate common jobs usually performed, for instance, by SOC analysts manually. (Thanks to the official libraries pyintelowl and go-intelowl)
- A built-in GUI: provides features such as dashboard, visualizations of analysis data, easy to use forms for requesting new analysis, etc.
- A framework composed of modular components called Plugins:
- analyzers that can be run to either retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internally available tools (like Yara or Oletools)
- connectors that can be run to export data to external platforms (like MISP or OpenCTI)
- pivots that are designed to trigger the execution of a chain of analysis and connect them to each other
- visualizers that are designed to create custom visualizations of analyzers results
- ingestors that allows to automatically ingest stream of observables or files to IntelOwl itself
- playbooks that are meant to make analysis easily repeatable
Documentation
We try hard to keep our documentation well written, easy to understand and always updated. All info about installation, usage, configuration and contribution can be found here
Publications and Media
To know more about the project and its growth over time, you may be interested in reading the official blog posts and/or videos about the project by clicking on this link
Available services or analyzers
You can see the full list of all available analyzers in the documentation.
| Type | Analyzers Available |
|---|---|
| Inbuilt modules | - Static Office Document, RTF, PDF, PE File Analysis and metadata extraction - Strings Deobfuscation and analysis (FLOSS, Stringsifter, ...) - PE Emulation with Qiling and Speakeasy - PE Signature verification - PE Capabilities Extraction (CAPA) - Javascript Emulation (Box-js) - Android Malware Analysis (Quark-Engine, ...) - SPF and DMARC Validator - Yara (a lot of public rules are available. You can also add your own rules) - more... |
| External services | - Abuse.ch MalwareBazaar/URLhaus/Threatfox/YARAify - GreyNoise v2 - Intezer - VirusTotal v3 - Crowdsec - URLscan - Shodan - AlienVault OTX - Intelligence_X - MISP - many more.. |
About the author and maintainers
Feel free to contact the main developers at any time on Twitter:
- Matteo Lodi: Author and principal maintainer
- Simone Berni: Backend Maintainer
- Daniele Rosetti: Frontend Maintainer
- Eshaan Bansal: Key Contributor
Consultancy
IntelOwl's maintainers are available to offer paid consultancy and mentorship.
