intelowlproject/IntelOwl

IntelOwl module With DFIR IRIS

Closed this issue · 15 comments

Trying to integrate the IntelOwl module with IRIS.

But I get this error.

can you please tell us which version of pyintelowl you are running? and which version of IntelOwl are you using?

I discovered I do not have pyintelowl.

But I downloaded it, and this is my version 4.4.5.

How can I know the version of IntelOwl?

if you go to the homepage of the project, you'll have the version on the top left of the page. Have you just cloned and installed it?

I don't know if you can leverage pyintelowl or not in that integration but, if you can, that is the preferred method to integrate with IntelOwl

Sorry for not giving more information.

Yes, I cloned it and installed it.

Here is the method that DFIR IRIS uses to integrate with IntelOwl:

https://github.com/dfir-iris/iris-intelowl-module

ah I wasn't aware of that module. I remember having talked with Iris' guys about an integration but nothing else.
So yes, I guess that the problem is about compatibility. We have made changes to IntelOwl that could have broken old custom client implementations.

I see that the specific module leverages pyintelowl internally (https://github.com/dfir-iris/iris-intelowl-module/blob/main/setup.py)
I have done some manual tests and I noticed the problem. I fixed the pyintelowl client and I just made a new version 4.4.6. Considering that the Iris module leverages pyintelowl>4.4.0, I think you could just re-install that module and you would get the most recent version of pyintelowl together with it.
Please try and let me know

Thanks for your effort and your manual test.

To make sure I understand, on the IntelOwl server I do not need to update anything, considering my version is 5.2.3.

What I need to do is re-install the modules that exist in IRIS that are responsible for the IntelOwl integration.

I will try it and let you know!
Thanks very much!

It solved the first error, but we have a new one right now:

400 Client Error: Bad Request for url: http://192.168.193.154/api/analyze_observable. Details: {'errors': {'detail': ['No Analyzers can be run after filtering:\n']}}. Details: None


Do I have to configure all analyzers on Intel Owl? Do I need to add an organization first?

Here is a summary of what I did:

  1. I generated an API key from Intel Owl

  2. I put the IP and the API key of Intel Owl in IRIS

Ok I think I got the second problem (they are all related to the fact the IntelOwl server changed over time with major releases which can break old integrations but this iris module hasn't been updated as a consequence)

Once upon a time, if the client did not set any analyzer, IntelOwl would have executed all the available ones by default.
This does not happen anymore, hence the problem you discovered.
Why? That's because we have a new concept called "Playbook": basically they are a set of preconfigured analyzers. This is the preferred method now to integrate with IntelOwl.
To make this change we would need to make a patch to the IRIS module to have it use this new feature and leverage the default Playbook called "FREE_TO_USE_ANALYZERS" at least.
I'll make a patch for the main repository but then you'll have to wait for them to merge it. Once I have done it, I'll link here the PR. Please add a comment to let them know that you need this so they may solve the problem earlier.
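An added example (not code from the IRIS module, IntelOwl or pyintelowl) of the change described above: the handler stops relying on the server running every analyzer and names a playbook instead, and turns the "No Analyzers can be run after filtering" 400 into an actionable error. The playbook endpoint path and the `playbook_requested` field are assumptions; `fake_intelowl` is a constructed stand-in for an IntelOwl 5.x server so the code runs offline.

```python
"""Added example (not IRIS/IntelOwl project code). The playbook endpoint,
the `playbook_requested` field and the fake server are assumptions."""
import json
import urllib.error
import urllib.request

ANALYZE_URL = "/api/analyze_observable"                      # endpoint seen in the 400 error
PLAYBOOK_URL = "/api/playbook/analyze_multiple_observables"  # assumed playbook endpoint
NO_ANALYZERS = "No Analyzers can be run after filtering"

def build_request(base_url, observable, classification="ip", playbook=None):
    if playbook is None:
        # Old behaviour: no analyzers named, expecting the server to run all of them.
        body = {"observable_name": observable, "observable_classification": classification,
                "analyzers_requested": []}
        return base_url + ANALYZE_URL, body
    # New behaviour: name a preconfigured playbook such as FREE_TO_USE_ANALYZERS.
    body = {"observables": [[classification, observable]],
            "playbook_requested": playbook}
    return base_url + PLAYBOOK_URL, body

def submit(base_url, api_key, observable, playbook=None, post=None):
    """POST the request; `post` lets a test swap in a fake transport."""
    url, body = build_request(base_url, observable, playbook=playbook)
    status, payload = (post or _http_post)(url, api_key, body)
    if status == 400:
        detail = " ".join(payload.get("errors", {}).get("detail", []))
        if NO_ANALYZERS in detail:
            raise RuntimeError("IntelOwl filtered out every analyzer; request a "
                               "playbook (e.g. FREE_TO_USE_ANALYZERS) instead")
        raise RuntimeError(f"IntelOwl rejected the request: {payload}")
    return payload

def _http_post(url, api_key, body):
    """Real transport; IntelOwl authenticates with 'Authorization: Token <key>'."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Token {api_key}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def fake_intelowl(url, api_key, body):
    """Constructed offline stand-in mimicking an IntelOwl 5.x server."""
    if url.endswith(ANALYZE_URL) and not body.get("analyzers_requested"):
        return 400, {"errors": {"detail": [NO_ANALYZERS + ":\n"]}}
    return 200, {"job_id": 1, "status": "accepted"}
```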

Thanks for your clarification.

I will add a comment in their repository.

and I will try the intelowl_handler.py until the patch to the IRIS module is finished.

I love you. It works when I apply the last changes!

cool!

If you want to use IntelOwl even more deeply (for example analyze the IoC in different ways, with other playbooks), there's room to make additional changes to that module and allow specifying which playbook to leverage (in that way it would emulate the "Scan" page behavior in IntelOwl)

Please can you add playbooks as a value like

Main IntelOwl URL http://192.168.1.44 True
Main IntelOwl API key *************** True
Main IntelOwl playbook FREE_TO_USE_ANALYZERS True

so that we can use every playbook that we have configured in IntelOWL.

cool!

If you want to use IntelOwl even more deeply (for example analyze the IoC in different ways, with other playbooks), there's room to make additional changes to that module and allow specifying which playbook to leverage (in that way it would emulate the "Scan" page behavior in IntelOwl)

Where can I find this room?

meanwhile closing this as problem solved. Additional integrations with Iris should be opened directly on the IRIS GitHub projects