/IntelOwl

Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale

Primary LanguagePythonGNU Affero General Public License v3.0AGPL-3.0

Intel Owl

GitHub release (latest by date) GitHub Repo stars Docker Twitter Follow Official Site Live Demo

CodeFactor Code style: black Imports: isort CodeQL Dependency Review Build & Tests codecov

Intel Owl

Do you want to get threat intelligence data about a malware, an IP or a domain? Do you want to get this kind of data from multiple sources at the same time using a single API request?

You are in the right place!

Intel Owl is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and a lot of cutting-edge malware analysis tools. It is for everyone who needs a single point to query for info about a specific file or observable.

Features

  • Provides enrichment of Threat Intel for malware as well as observables (IP, Domain, URL, hash, etc).
  • This application is built to scale out and to speed up the retrieval of threat info.
  • It can be integrated easily in your stack of security tools (pyintelowl) to automate common jobs usually performed, for instance, by SOC analysts manually.
  • Intel Owl is composed of:
    • analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internally available tools (like Yara or Oletools)
    • connectors that can be run to export data to external platforms
  • API REST written in Django and Python 3.9.
  • Built-in frontend client written in ReactJS, with certego-ui: provides features such as dashboard, visualizations of analysis data, easy to use forms for requesting new analysis, etc.

Documentation Documentation Status

Documentation about IntelOwl installation, usage, configuration and contribution can be found at https://intelowl.readthedocs.io/.

Blog posts

To know more about the project and it's growth over time, you may be interested in reading the following:

Available services or analyzers

You can see the full list of all available analyzers in the documentation.

Type Analyzers Available
Inbuilt modules - Static Office Document, RTF, PDF, PE File Analysis and metadata extraction
- Strings Deobfuscation and analysis (FLOSS, Stringsifter, ...)
- PE Emulation with Qiling and Speakeasy
- PE Signature verification
- PE Capabilities Extraction (CAPA)
- Javascript Emulation (Box-js)
- Android Malware Analysis (Quark-Engine, ...)
- SPF and DMARC Validator
- more...
External services - Dragonfly malware sandbox
- Abuse.ch MalwareBazaar/Threatfox/YARAify
- GreyNoise v2
- Intezer
- VirusTotal v2+v3
- HybridAnalysis
- URLscan
- Shodan
- AlienVault OTX
- Intelligence_X
- many more..
Free modules that require additional configuration - Cuckoo (requires at least one working Cuckoo instance)
- MISP (requires at least one working MISP instance)
- Yara (a lot of public rules area available. There's also the chance to add your own rules)

Partnerships and sponsors

We have an official sponsorship program for companies, organizations and individuals who support IntelOwl development. For more details on how to join the list below, read the page: Partnership and sponsors.

🥇 GOLD

Certego

Certego Logo

Certego is a MDR (Managed Detection and Response) and Threat Intelligence Provider based in Italy.

IntelOwl was born out of Certego's Threat intelligence R&D division and is constantly maintained and updated thanks to them.

Dragonfly, an automated sandbox to emulate and analyze malware, is a new public service by Certego developed by the same team behind IntelOwl. It is now available as the Dragonfly_Emulation analyzer in IntelOwl. Sign up on Dragonfly today for free access!

The Honeynet Project

Honeynet.org logo

The Honeynet Project is a non-profit organization working on creating open source cyber security tools and sharing knowledge about cyber threats.

Thanks to Honeynet, we are hosting a public demo of the application here. If you are interested, please contact a member of Honeynet to get access to the public service.

Since its birth, under the umbrella of this organization, this project has been participating in the Google Summer of Code (GSoC)!

Project Summaries and/or in-development projects:

If you are interested in being the next GSoC developer for IntelOwl, join the Honeynet Slack chat for more info. This is also the place where the majority of the development discussion happens, so feel free to join, have a look and ask questions about the project.

(Plus we started a new project called GreedyBear that will be proposed to the GSoC too starting from 2022)

🥈 SILVER

Milton Security

Milton Security logo

Milton Security is a Service Disabled Veteran Owned Small Business that provides effective Threat Hunting and Incident Response to organizations around the globe 24*7

🥉 BRONZE

LimaCharlie

LimaCharlie logo

LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility into your coverage, build what you want, control your data, get the security capabilities you need, for however long you need them, and pay only for what you use.

Read everything about this partnership in the LimaCharlie's blog.

Tines

Tines logo

Tines is no-code automation for security teams. Build powerful, reliable workflows without a development team.

IntelOwl is officially integrated in Tines. Read everything about this partnership in the Tines' blog.

Docker

Docker logo

In 2021 IntelOwl joined the official Docker Open Source Program. This allows IntelOwl developers to easily manage Docker images and focus on writing the code.

🤝 IRON

If you are an individual who likes this project and want to thank us with a little contribution, we would be happy to list you here in the README as a public acknowledgment.

About the author and maintainers

Feel free to contact the main developers at any time on twitter: