**PyIntelOwl-Parser is now integrated with the main CLI of the IntelOwl Project. Just add `--sc` when you run the main PyIntelOwl CLI to show results in a colourful way (https://github.com/intelowlproject/pyintelowl/releases/tag/1.1.0).**
All credits to the amazing platform - IntelOwl, created by Matteo Lodi (Twitter). This repo is made to make the results from the CLI tool, PyIntelOwl, easier to analyze.
IntelOwl is what I was looking for as an Intel analyst: a way to check indicators across multiple sources at the same time, quickly.
IntelOwl can be configured to reach out to VirusTotal, Hybrid Analysis etc. and return a JSON file as a result. IntelOwl effectively provides one API to rule them all. All this "plugin" parser does is parse the JSON file returned by IntelOwl and print it colourfully, which is easier to read.
- Install IntelOwl (go to the official repository here and follow the instructions. The instructions are very simple: clone the repo, have docker and docker-compose installed, set up the environment files as requested in the docs and execute docker-compose run.)
- Generate your API token and paste it in the file "api_token.txt"
- Git clone https://github.com/tsale/PyIntelOwl-Parser.git
- pip install geocoder
- Use it on a terminal that supports different colour outputs
Instructions on how to run the script have been taken from the original PyIntelOwl repo (https://github.com/intelowlproject/pyintelowl) with the exception of one added argument: "-j / --show-json"
```
python3 intel_owl_client.py -h
```
- "-k" / "--api-token-file": file containing IntelOwl's API token. Default: 'api_token.txt'
- "-c" / "--certificate": path to Intel Owl certificate
- "-i" / "--instance": your instance URL (required)
- "-d" / "--debug": debug mode
- "-l" / "--log-to-file": log to specified file
- "-gc" / "--get-configuration": get analyzers configuration only
- "-a" / "--analyzers-list": list of analyzers to launch
- "-aa" / "--run-all-available-analyzers": run all available and compatible analyzers
- "-p" / "--force-privacy": disable analyzers that could impact privacy
- "-e" / "--disable-external-analyzers": disable analyzers that use external services
- "-r" / "--check-reported-analysis-too": check reported analysis too, not only 'running' ones
- "-s" / "--skip-check-analysis-availability": skip check analysis availability
- "-j" / "--show-json": show JSON raw results
- "-f" / "--file": file to analyze
- "-v" / "--value": observable to analyze
2 Submodules: file and observable
Example:
```
python3 intel_owl_client.py -k <api_token_file> -i <url> -a PE_Info -a File_Info file -f <path_to_file>
```
Run all available analyzers (some of them could fail if you did not implement the required configuration in the IntelOwl server):
```
python3 intel_owl_client.py -k <api_token_file> -i <url> -aa file -f <path_to_file>
```
Example:
```
python3 intel_owl_client.py -k <api_token_file> -i <url> -a AbuseIPDB -a OTXQuery observable -v google.com
```
Currently, I am only parsing the results returned for the services below for the equivalent observables.
Domains
- VirusTotal
- Hybrid Analysis
- OTXQuery
Hash
- VirusTotal
- Hybrid Analysis
- OTXQuery
IP
- VirusTotal
- Hybrid Analysis
- OTXQuery
- AbuseIPDB
- Censys_Search
- Grey Noise
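To show what "parse the JSON colourfully" amounts to for the services listed above, here is an added example that is not part of this repo or of PyIntelOwl. It builds a constructed IntelOwl-style result (the field names `analysis_reports`, `name`, `success`, `report` and `errors`, and the per-service fields, are assumptions for the example, not IntelOwl's documented schema), maps each analyzer report to a coarse verdict, and renders one coloured line per analyzer. The verdict thresholds are hypothetical; a `colour=False` switch covers terminals that cannot display ANSI colours.

```python
import json

# ANSI escape sequences for a colour-capable terminal
GREEN, YELLOW, RED, RESET = "\033[32m", "\033[33m", "\033[31m", "\033[0m"

# Constructed sample shaped like an IntelOwl job result. The keys are an
# assumption for this example; real output is whatever your IntelOwl
# instance returns for the analyzers you launched.
SAMPLE_RESULT = json.dumps({
    "observable_name": "example.test",
    "observable_classification": "domain",
    "analysis_reports": [
        {"name": "VirusTotal_v2_Get_Observable", "success": True,
         "report": {"positives": 7, "total": 70}},
        {"name": "OTXQuery", "success": True,
         "report": {"pulses": [{"name": "constructed pulse"}]}},
        {"name": "HybridAnalysis_Get_Observable", "success": False,
         "report": {}, "errors": ["constructed: API key not configured"]},
        {"name": "GreyNoise", "success": True,
         "report": {"classification": "benign"}},
    ],
})

COLOUR_FOR = {"clean": GREEN, "suspicious": YELLOW,
              "malicious": RED, "error": YELLOW}


def verdict_for(analyzer):
    """Reduce one analyzer report to clean/suspicious/malicious/error.

    Thresholds and field names are hypothetical, chosen for the example."""
    if not analyzer.get("success"):
        return "error"
    report = analyzer.get("report") or {}
    if "positives" in report:                      # VirusTotal-style counts
        total = max(int(report.get("total", 1)), 1)
        ratio = int(report["positives"]) / total
        if ratio >= 0.1:
            return "malicious"
        return "suspicious" if report["positives"] else "clean"
    if report.get("pulses"):                       # OTX-style pulse list
        return "suspicious"
    if report.get("classification") == "malicious":  # GreyNoise-style label
        return "malicious"
    return "clean"


def summarize(raw_json):
    """Parse the raw JSON string and return {analyzer_name: verdict}."""
    data = json.loads(raw_json)
    return {a["name"]: verdict_for(a) for a in data.get("analysis_reports", [])}


def render(raw_json, colour=True):
    """Return the human-readable, optionally colourised, report text."""
    data = json.loads(raw_json)
    lines = [f"{data.get('observable_classification', '?')}: "
             f"{data.get('observable_name', '?')}"]
    for analyzer in data.get("analysis_reports", []):
        verdict = verdict_for(analyzer)
        detail = ""
        if verdict == "error":
            detail = " (" + "; ".join(analyzer.get("errors", [])) + ")"
        text = f"  {analyzer['name']:<32} {verdict}{detail}"
        if colour:
            text = COLOUR_FOR[verdict] + text + RESET
        lines.append(text)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_RESULT))
```

Run it directly to see the coloured output; `render(raw, colour=False)` gives the same text without escape codes, and `summarize(raw)` is the machine-readable form you would use if you wanted to feed verdicts into another script instead of reading them on screen.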
If you like the idea but not the execution, feel free to improve the parser and drop me a note with the changes. Personally, it does the job, and it's useful for my intended use.