IntelOwl module With DFIR IRIS
Closed this issue · 15 comments
Can you please tell us which version of pyintelowl you are running, and which version of IntelOwl you are using?
I discovered I do not have pyintelowl.
But I downloaded it, and my version is 4.4.5.
How can I know the version of IntelOwl?
If you go to the homepage of the project, you'll have the version on the top left of the page. Have you just cloned and installed it?
I don't know whether or not you can leverage pyintelowl in that integration but, if you can, that is the preferred method to integrate with IntelOwl.
Sorry for not giving more information.
Yes, I cloned it and installed it.
Here is the method that DFIR IRIS uses to integrate with IntelOwl:
Ah, I wasn't aware of that module. I remember having talked with Iris' guys about an integration but nothing else.
So yes, I guess that the problem is about compatibility. We have made changes to IntelOwl that could have broken old custom client implementations.
I see that the specific module leverages pyintelowl internally (https://github.com/dfir-iris/iris-intelowl-module/blob/main/setup.py).
I have done some manual tests and I noticed the problem. I fixed the pyintelowl client and I just made a new version, 4.4.6. Considering that the Iris module leverages pyintelowl>4.4.0, I think you could just re-install that module and you would get the most recent version of pyintelowl together with it.
Please try and let me know.
Thanks for your effort and your manual test.
To make sure I understand: on the IntelOwl server, I do not need to update anything, considering my version is 5.2.3.
What I need to do is re-install the modules that exist in IRIS that are responsible for the IntelOwl integration.
I will try it and let you know!
Thanks very much!
It solved the first error, but we have a new one right now:
400 Client Error: Bad Request for url: http://192.168.193.154/api/analyze_observable. Details: {'errors': {'detail': ['No Analyzers can be run after filtering:\n']}}. Details: None
Do I have to configure all analyzers on Intel Owl? Do I need to add an organization first?
Here is a summary of what I did:
- I generated an API key from Intel Owl
- I put the IP and the API key of Intel Owl in IRIS
Ok, I think I got the second problem. They are all related to the fact that the IntelOwl server changed over time with major releases, which can break old integrations, but this Iris module hasn't been updated as a consequence.
Once upon a time, if the client did not set any analyzer, IntelOwl would have executed all the available ones by default.
This does not happen anymore, hence the problem you discovered.
Why? That's because we have a new concept called "Playbook": basically, they are a set of preconfigured analyzers. This is the preferred method now to integrate with IntelOwl.
To make this change we would need to make a patch to the IRIS module to have it use this new feature and leverage the default Playbook called "FREE_TO_USE_ANALYZERS" at least.
I'll make a patch for the main repository but then you'll have to wait for them to merge it. Once I have done it, I'll link here the PR. Please add a comment to let them know that you need this so they may solve the problem earlier.
I think this could work once merged: https://github.com/dfir-iris/iris-intelowl-module/pull/1/files
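Added example, not code from the IRIS module or from IntelOwl: a stdlib-only Python sketch of the change described above. It refuses to send a request with neither analyzers nor a playbook (the old behaviour that now gets the 400 quoted earlier), defaults to the FREE_TO_USE_ANALYZERS playbook, and recognises that error body. The endpoint paths, JSON field names (`analyzers_requested`, `playbook_requested`) and the `Token` auth header are assumptions about the IntelOwl v5 API; check them against your server.

```python
import json
import urllib.request

DEFAULT_PLAYBOOK = "FREE_TO_USE_ANALYZERS"  # default playbook named in this thread
NO_ANALYZERS_MARKER = "No Analyzers can be run after filtering"


def build_observable_request(observable, classification,
                             playbook=DEFAULT_PLAYBOOK, analyzers=None):
    """Return (api_path, json_body) for analysing one observable.

    Sending neither a playbook nor an explicit analyzer list is the old
    IRIS-module behaviour that current IntelOwl rejects with a 400, so it
    is refused here client-side. Paths and field names are assumptions
    about the IntelOwl v5 API, not taken from its documentation.
    """
    if not analyzers and not playbook:
        raise ValueError("set a playbook or an explicit analyzer list; "
                         "IntelOwl no longer runs every analyzer by default")
    if analyzers:
        return "/api/analyze_observable", {
            "observable_name": observable,
            "observable_classification": classification,
            "analyzers_requested": list(analyzers),
        }
    return "/api/playbook/analyze_multiple_observables", {
        "observables": [[classification, observable]],
        "playbook_requested": playbook,
    }


def is_no_analyzers_error(error_body):
    """True when an IntelOwl error JSON has the 'No Analyzers can be run' shape
    seen in this thread: {'errors': {'detail': ['No Analyzers can be run ...']}}."""
    details = error_body.get("errors", {}).get("detail", [])
    if isinstance(details, str):
        details = [details]
    return any(NO_ANALYZERS_MARKER in d for d in details)


def submit(base_url, api_key, path, body, timeout=30):
    """POST the body to IntelOwl (network call; 'Token <key>' header is an assumption)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Token {api_key}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Calling `submit("http://192.168.193.154", api_key, *build_observable_request("192.168.193.154", "ip"))` sends the playbook-based request that the patched module is expected to make.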
Thanks for your clarification.
I will add a comment in their repository.
And I will try the intelowl_handler.py until the patch to the IRIS module is finished.
Cool!
If you want to use IntelOwl even more deeply (for example, analyze the IOC in different ways, with other playbooks), there's room to make additional changes to that module and allow specifying which playbook to leverage (in that way it would emulate the "Scan" page behavior in IntelOwl).
Please can you add playbooks as a value like
Main IntelOwl URL http://192.168.1.44 True
Main IntelOwl API key *************** True
Main IntelOwl playbook FREE_TO_USE_ANALYZERS True
so that we can use every playbook that we have configured in IntelOwl.
> Cool!
> If you want to use IntelOwl even more deeply (for example, analyze the IOC in different ways, with other playbooks), there's room to make additional changes to that module and allow specifying which playbook to leverage (in that way it would emulate the "Scan" page behavior in IntelOwl).

Where can I find this room?
Meanwhile, closing this as the problem is solved. Additional integrations with Iris should be opened directly on the IRIS GitHub projects.