Introduction

IntelOwl was designed with the intent to help the community, in particular those researchers that can not afford commercial solutions, in the generation of threat intelligence data, in a simple, scalable and reliable way.

Main features:

  • Provides enrichment of Threat Intel for malware as well as observables (IP, Domain, URL, hash, etc).

  • This application is built to scale out and to speed up the retrieval of threat info.

  • Thanks to the official libraries pyintelowl and go-intelowl, it can be integrated easily in your stack of security tools to automate common jobs usually performed, for instance, by SOC analysts manually.

  • Intel Owl is composed of:

    • analyzers that can be run to either retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internally available tools (like Yara or Oletools)

    • connectors that can be run to export data to external platforms (like MISP or OpenCTI)

    • visualizers that can be run to create custom visualizations of analyzers results

    • playbooks that are meant to make analysis easily repeatable

  • API REST written in Django and Python 3.9.

  • Built-in frontend client written in ReactJS, with certego-ui: provides features such as dashboard, visualizations of analysis data, easy to use forms for requesting new analysis, etc.

Publications and media

To know more about the project and its growth over time, you may be interested in reading the following official blog posts and/or videos:

Feel free to ask everything it comes to your mind about the project to the author: Matteo Lodi (Twitter).

We also have a dedicated twitter account for the project: @intel_owl.