Usage
This page includes the most important things to know and understand when using IntelOwl.
Client
Intel Owl's main objective is to provide a single API interface to query in order to retrieve threat intelligence at scale.
There are multiple ways to interact with the Intel Owl APIs:
Web Interface
Built-in Web interface with dashboard, visualizations of analysis data, easy to use forms for requesting new analysis, tags management and more features.
Built with Create React App and based on certego-ui.
pyIntelOwl (CLI/SDK)
Official Python client that is available at: PyIntelOwl. It can be used as a library for your own Python projects or directly via the command line interface.
goIntelOwl (CLI/SDK)
Official Go client that is available at: go-intelowl.
Hint: Tokens Creation
The server authentication is managed by API tokens. So, if you want to interact with Intel Owl, you have two ways to do that:
- If you are a normal user, you can go to the "API Access/Sessions" section of the GUI and create a Token there.
- If you are an administrator of IntelOwl, you can create one or more unprivileged users from the Django Admin Interface and then generate a token for those users.
Organizations and User management
Starting from IntelOwl v4, a new “Organization” section is available on the GUI. This section substitutes the previous permission management via Django Admin and aims to provide an easier way to manage users and visibility.
Multi Tenancy
Thanks to the “Organization” feature, IntelOwl can be used by multiple SOCs, companies, etc. very easily. Right now it works very simply: only users in the same organization can see the analyses of one another. A user can belong to one organization only.
Manage organizations
You can create a new organization by going to the “Organization” section, available under the dropdown menu you can find under the username.
Once you create an organization, you are the unique Administrator of that organization. So you are the only one who can delete the organization, remove users and send invitations to other users.
Accept Invites
Once an invite has been sent, the invited user has to log in, go to the “Organization” section and accept the invite there. Afterwards the Administrator will be able to see the user in their “Organization” section.
Plugins Params and Secrets
From IntelOwl v4.1.0, Plugin Parameters and Secrets can be defined at the organization level, in the dedicated section. This allows sharing configurations between users of the same org while keeping complete multi-tenancy of the application.
Disable Analyzers at Org level
From IntelOwl v4.1.0, the org admin can disable specific analyzers for all the users in a specific org. To do that, org admins need to go to the “Plugins” section and click the “Enabled for organization” button of the analyzer that they want to disable.
Registration
Since IntelOwl v4.2.0 we added a Registration Page that can be used to manage Registration requests when providing IntelOwl as a Service.
After a user registration has been made, an email is sent to the user to verify their email address. If necessary, there are buttons on the login page to resend the verification email and to reset the password.
Once the user has verified their email, they would be manually vetted before being allowed to use the IntelOwl platform. The registration requests would be handled in the Django Admin page by admins. If you have IntelOwl deployed on an AWS instance with an IAM role you can use the SES service.
For the “Registration” page to work correctly, you must configure some variables before starting IntelOwl. See Optional Environment Configuration.
In a development environment the emails that would be sent are written to the standard output.
Recaptcha configuration
The Registration Page contains a Recaptcha form from Google. By default, that Recaptcha is not configured and is not shown.
If your intention is to publish IntelOwl as a Service you should first remember to comply with the AGPL License.
Then you need to add the generated Recaptcha Secret in the RECAPTCHA_SECRET_KEY_IO_PUBLIC value in the env_file_app file. Plus you would need to remember to set the PUBLIC_DEPLOYMENT variable to True too.
Afterwards you should configure the Recaptcha Key for your site and add that value in the RECAPTCHA_SITEKEY in the docker/env_template.js file.
In that case, you would need to re-build the application to have the changes properly reflected.
Plugins
Plugins are the core modular components of IntelOwl that can be easily added, changed and customized. There are 3 types of plugins:
Analyzers
Analyzers are the most important plugins in IntelOwl. They allow you to perform data extraction on the observables and/or files that you would like to analyze.
Analyzers list
The following is the list of the available analyzers you can run out-of-the-box. You can also navigate the same list via the:
- Graphical Interface: once your application is up and running, go to the “Plugins” section
- pyintelowl:
$ pyintelowl get-analyzer-config
File analyzers:
Internal tools
- APKiD: APKiD identifies many compilers, packers, obfuscators, and other weird stuff from an APK or DEX file.
- BoxJS_Scan_Javascript: Box-JS is a tool for studying JavaScript malware.
- Capa_Info: Capa detects capabilities in executable files
- Capa_Info_Shellcode: Capa detects capabilities in shellcode
- ClamAV: scan a file via the ClamAV AntiVirus Engine. IntelOwl automatically keeps ClamAV updated with official and unofficial open source signatures
- Doc_Info: static document analysis with new features to analyze XLM macros, encrypted macros and more (combination of Oletools and XLMMacroDeobfuscator)
- ELF_Info: static ELF analysis with pyelftools and telfhash
- File_Info: static generic File analysis (hashes, magic and exiftool)
- Floss: Mandiant Floss Obfuscated String Solver in files
- PE_Info: static PE analysis with pefile
- PEframe_Scan: Perform static analysis on Portable Executable malware and malicious MS Office documents with PeFrame
- Qiling_Linux: Qiling linux binary emulation.
- Qiling_Linux_Shellcode: Qiling linux shellcode emulation.
- Qiling_Windows: Qiling windows binary emulation.
- Qiling_Windows_Shellcode: Qiling windows shellcode emulation.
- Quark_Engine: Quark Engine is an Obfuscation-Neglect Android Malware Scoring System.
- Rtf_Info: static RTF analysis (Oletools)
- Signature_Info: PE signature extractor with osslsigncode
- Speakeasy: Mandiant Speakeasy binary emulation
- SpeakEasy_Shellcode: Mandiant Speakeasy shellcode emulation
- Strings_Info: Strings extraction. Leverages Mandiant’s Stringsifter
- Suricata: Analyze PCAPs with open IDS signatures with Suricata engine
- Thug_HTML_Info: Perform hybrid dynamic/static analysis on a HTML file using Thug low-interaction honeyclient
- Xlm_Macro_Deobfuscator: XlmMacroDeobfuscator deobfuscates xlm macros
- Yara: scan a file with your own added signatures. See Advanced-Usage for more details.
External services
- CapeSandbox: CAPESandbox automatically scans suspicious files using the CapeSandbox API. Analyzer works for private instances as well.
- Cymru_Hash_Registry_Get_File: Check if a particular file is known to be malware by Team Cymru
- Cuckoo_Scan: scan a file on Cuckoo (this analyzer is disabled by default. You have to change that flag in the config to use it)
- DocGuard_Upload_File: Analyze office files in seconds. DocGuard.
- Dragonfly_Emulation: Emulate malware against Dragonfly sandbox by Certego S.R.L.
- FileScan_Upload_File: Upload your file to extract IoCs from executable files, documents and scripts via FileScan.io API.
- HashLookupServer_Get_File: check if a md5 or sha1 is available in the database of known files hosted by CIRCL
- HybridAnalysis_Get_File: check file hash on HybridAnalysis sandbox reports
- Intezer_Scan: scan a file on Intezer. Register for a free community account here
- Malpedia_Scan: scan a binary or a zip file (pwd:infected) against all the yara rules available in Malpedia
- MalwareBazaar_Get_File: Check if a particular malware sample is known to MalwareBazaar
- MISPFIRST_Check_Hash: check a file hash on the FIRST MISP instance
- MISP_Check_Hash: check a file hash on a MISP instance
- MWDB_Scan: mwdblib Retrieve malware file analysis from repository maintained by CERT Polska MWDB.
- OTX_Check_Hash: check file hash on Alienvault OTX
- SublimeSecurity: Analyze an Email with Sublime Security live flow
- Triage_Scan: leverage Triage sandbox environment to scan various files
- UnpacMe: UnpacMe is an automated malware unpacking service
- Virushee_Upload_File: Check file hash and upload file sample for analysis on Virushee API.
- VirusTotal_v3_Get_File_And_Scan: check file hash on VirusTotal. If not already available, send the sample and perform a scan
- VirusTotal_v3_Get_File: check only the file hash on VirusTotal (this analyzer is disabled by default to avoid multiple unwanted queries. You have to change that flag in the config to use it)
- VirusTotal_v2_Get_File: check file hash on VirusTotal using old API endpoints (this analyzer is disabled by default. You have to change that flag in the config to use it)
- VirusTotal_v2_Scan_File: scan a file on VirusTotal using old API endpoints (this analyzer is disabled by default. You have to change that flag in the config to use it)
- YARAify_File_Scan: scan a file against public and non-public YARA and ClamAV signatures in YARAify public service
- YARAify_File_Search: scan a hash against YARAify database
Observable analyzers (ip, domain, url, hash)
Internal tools
- CheckDMARC: An SPF and DMARC DNS records validator for domains.
- DNStwist: Scan a url/domain to find potentially malicious permutations via dns fuzzing. dnstwist repo
- Thug_URL_Info: Perform hybrid dynamic/static analysis on a URL using Thug low-interaction honeyclient
External services
- AbuseIPDB: check if an ip was reported on AbuseIPDB
- Anomali_Threatstream_PassiveDNS: Return information from passive dns of Anomali. On Anomali Threatstream PassiveDNS Api.
- Auth0: scan an IP against the Auth0 API
- BinaryEdge: Details about a Host. List of recent events for the specified host, including details of exposed ports and services using IP query, and return list of subdomains known from the target domains using domain query
- BitcoinAbuse: Check a BTC address against bitcoinabuse.com, a public database of BTC addresses used by hackers and criminals.
- Censys_Search: scan an IP address against Censys View API
- CheckPhish: CheckPhish can detect phishing and fraudulent sites.
- CIRCLPassiveDNS: scan an observable against the CIRCL Passive DNS DB
- CIRCLPassiveSSL: scan an observable against the CIRCL Passive SSL DB
- Classic_DNS: Retrieve current domain resolution with default DNS
- CloudFlare_DNS: Retrieve current domain resolution with CloudFlare DoH (DNS over HTTPS)
- CloudFlare_Malicious_Detector: Leverages CloudFlare DoH to check if a domain is related to malware
- Crowdsec: check if an IP was reported on Crowdsec Smoke Dataset
- Cymru_Hash_Registry_Get_Observable: Check if a particular hash is available in the malware hash registry of Team Cymru
- DNSDB: scan an observable against the Passive DNS Farsight Database (supports both v1 and v2 versions)
- DNS0_EU: Retrieve current domain resolution with DNS0.eu DoH (DNS over HTTPS)
- DNS0_EU_Malicious_Detector: Check if a domain or an url is marked as malicious in DNS0.eu database (Zero service)
- DocGuard_Get: check if a hash was analyzed on DocGuard. DocGuard
- FileScan_Search: Finds reports and uploaded files by various tokens, like hash, filename, verdict, IOCs etc. via FileScan.io API.
- FireHol_IPList: check if an IP is in FireHol’s IPList
- GoogleSafebrowsing: Scan an observable against GoogleSafeBrowsing DB
- GoogleWebRisk: Scan an observable against WebRisk API (Commercial version of Google Safe Browsing). Check the docs to enable this properly
- Google_DNS: Retrieve current domain resolution with Google DoH (DNS over HTTPS)
- GreedyBear: scan an IP or a domain against the GreedyBear API (requires API key)
- GreyNoise: scan an IP against the Greynoise API (requires API key)
- GreyNoiseCommunity: scan an IP against the Community Greynoise API (requires API key)
- HashLookupServer_Get_Observable: check if a md5 or sha1 is available in the database of known files hosted by CIRCL
- HoneyDB_Get: HoneyDB IP lookup service
- HoneyDB_Scan_Twitter: scan an IP against HoneyDB.io’s Twitter Threat Feed
- Hunter_How: Scans IP and domain against Hunter_How API.
- Hunter_Io: Scans a domain name and returns a set of data about the organisation, the email addresses found and additional information about the people owning those email addresses.
- HybridAnalysis_Get_Observable: search an observable in the HybridAnalysis sandbox reports
- InQuest_DFI: Deep File Inspection by InQuest Labs
- InQuest_IOCdb: Indicators of Compromise Database by InQuest Labs
- InQuest_REPdb: Search in InQuest Lab’s Reputation Database
- IPApi: Get information about IPs using batch-endpoint and DNS using DNS-endpoint.
- IPInfo: Location Information about an IP
- Intezer_Get: check if an analysis related to a hash is available in Intezer. Register for a free community account here.
- Koodous: koodous API get information about android malware.
- MalwareBazaar_Get_Observable: Check if a particular malware hash is known to MalwareBazaar
- MalwareBazaar_Google_Observable: Check if a particular IP, domain or url is known to MalwareBazaar using google search
- MaxMindGeoIP: extract GeoIP info for an observable
- MISP: scan an observable on a MISP instance
- MISPFIRST: scan an observable on the FIRST MISP instance
- Mnemonic_PassiveDNS: Look up a domain or IP using the Mnemonic PassiveDNS public API.
- MWDB_Get: mwdblib Retrieve malware file analysis by hash from repository maintained by CERT Polska MWDB.
- ONYPHE: search an observable in ONYPHE
- OpenCTI: scan an observable on an OpenCTI instance
- OTXQuery: scan an observable on Alienvault OTX
- Phishstats: Search PhishStats API to determine if an IP/URL/domain is malicious.
- Phishtank: Search an url against Phishtank API
- PhishingArmy: Search an observable in the PhishingArmy blocklist
- Pulsedive: Scan indicators and retrieve results from Pulsedive’s API.
- Quad9_DNS: Retrieve current domain resolution with Quad9 DoH (DNS over HTTPS)
- Quad9_Malicious_Detector: Leverages Quad9 DoH to check if a domain is related to malware
- Robtex: scan a domain/IP against the Robtex Passive DNS DB
- Securitytrails: scan an IP/Domain against Securitytrails API
- Shodan_Honeyscore: scan an IP against Shodan Honeyscore API
- Shodan_Search: scan an IP against Shodan Search API
- Spyse: Scan domains, IPs, emails and CVEs using Spyse’s API. Register here.
- SSAPINet: get a screenshot of a web page using screenshotapi.net (external source); additional config options can be added to extra_api_params in the config.
- Stalkphish: Search Stalkphish API to retrieve information about a potential phishing site (IP/URL/domain/Generic).
- Stratosphere_Blacklist: Cross-reference an IP from blacklists maintained by Stratosphere Labs
- TalosReputation: check an IP reputation from Talos
- ThreatFox: search for an IOC in ThreatFox’s database
- Threatminer: retrieve data from Threatminer API
- TorProject: check if an IP is a Tor Exit Node
- Triage_Search: Search for reports of observables or upload from URL on triage cloud
- Tranco: Check if a domain is in the latest Tranco ranking top sites list
- URLhaus: Query a domain or URL against URLhaus API.
- UrlScan_Search: Search an IP/domain/url/hash against URLScan API
- UrlScan_Submit_Result: Submit & retrieve result of an URL against URLScan API
- Virushee_CheckHash: Search for a previous analysis of a file by its hash (SHA256/SHA1/MD5) on Virushee API.
- VirusTotal_v3_Get_Observable: search an observable in the VirusTotal DB
- Whoisxmlapi: Fetch WHOIS record data of a domain name, an IP address, or an email address.
- WhoIs_RipeDB_Search: Fetch whois record data of an IP address from Ripe DB using their search API (no API key required)
- XForceExchange: scan an observable on IBM X-Force Exchange
- YARAify_Search: lookup a file hash in Abuse.ch YARAify
- YETI (Your Everyday Threat Intelligence): scan an observable on a YETI instance.
- Zoomeye: Zoomeye Cyberspace Search Engine recording information of devices, websites, services and components etc.
Generic analyzers (email, phone number, etc.; anything really)
Some analyzers require details other than just IP, URL, Domain, etc. We classified them as generic Analyzers. Since the type of field is not known, there is a format for strings to be followed.
Internal tools
- CyberChef: Run a query on a CyberChef server using pre-defined or custom recipes.
External services
- Anomali_Threatstream_Confidence: Give max, average and minimum confidence of maliciousness for an observable. On Anomali Threatstream Confidence API.
- Anomali_Threatstream_Intelligence: Search for threat intelligence information about an observable. On Anomali Threatstream Intelligence API.
- CRXcavator: scans a chrome extension against crxcavator.io
- CryptoScamDB_CheckAPI: Scan a cryptocurrency address, IP address, domain or ENS name against the CryptoScamDB API.
- Dehashed_Search: Query any observable/keyword against https://dehashed.com’s search API.
- EmailRep: search an email address on emailrep.io
- HaveIBeenPwned: HaveIBeenPwned checks if an email address has been involved in a data breach
- IntelX_Intelligent_Search: IntelligenceX is a search engine and data archive. Fetches emails, urls, domains associated with an observable or a generic string.
- IntelX_Phonebook: IntelligenceX is a search engine and data archive. Fetches emails, urls, domains associated with an observable or a generic string.
- MISP: scan an observable on a MISP instance
- VirusTotal_v3_Intelligence_Search: Perform advanced queries with VirusTotal Intelligence (requires paid plan)
- WiGLE: Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.
- YARAify_Generics: lookup a YARA rule (default), ClamAV rule, imphash, TLSH, telfhash or icon_dash in YARAify
Optional analyzers
Some analyzers are optional and need to be enabled explicitly.
Analyzers Customization
You can create, modify, delete analyzers based on already existing modules by changing the configuration values inside the Django Admin interface at: /admin/connectors_manager/analyzerreport/.
The following are all the keys that you can change without touching the source code:
- name: Name of the analyzer
- description: Description of the analyzer
- python_module: Python path of the class that will be executed
- disabled: you can choose to disable certain analyzers, then they won’t appear in the dropdown list and won’t run if requested.
- leaks_info: if set, in the case you specify via the API that a resource is sensitive, the specific analyzer won’t be executed
- external_service: if set, in the case you specify via the API to exclude external services, the specific analyzer won’t be executed
- supported_filetypes: can be populated as a list. If set, if you ask to analyze a file with a different mimetype from the ones you specified, it won’t be executed
- not_supported_filetypes: can be populated as a list. If set, if you ask to analyze a file with a mimetype from the ones you specified, it won’t be executed
- observable_supported: can be populated as a list. If set, if you ask to analyze an observable that is not in this list, it won’t be executed. Valid values are: ip, domain, url, hash, generic.
- config:
  - soft_time_limit: this is the maximum time (in seconds) of execution for an analyzer. Once reached, the task will be killed (or managed in the code by a custom Exception). Default 300.
  - queue: this takes effect only when multi-queue is enabled. Choose which celery worker would execute the task: local (ideal for tasks that leverage local applications like Yara), long (ideal for long tasks) or default (ideal for simple webAPI-based analyzers).
Sometimes, it may happen that you would like to create a new analyzer very similar to an already existing one. Maybe you would like to just change the description and the default parameters. A helpful way to do that without having to copy/paste the entire configuration is to click on the analyzer that you want to copy, make the desired changes, and click the save as new button.
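The keys above (disabled, leaks_info, external_service, supported_filetypes, not_supported_filetypes, observable_supported) together decide whether an analyzer is executed for a given request. The following is an added example, not IntelOwl project code, that applies those rules to a small constructed set of configs. The analyzer names appear on this page, but their flag values and mimetypes, the `kind` field that separates file analyzers from observable analyzers, and the request flags (`sensitive`, `exclude_external`) are assumptions made for this example.

```python
"""Added example (not IntelOwl project code): the analyzer eligibility rules
described above, applied to a constructed sample of configs."""
from dataclasses import dataclass, field
from typing import Optional

# Valid values of observable_supported, as listed on this page.
OBSERVABLE_TYPES = ("ip", "domain", "url", "hash", "generic")


@dataclass
class AnalyzerConfig:
    name: str
    kind: str = "file"  # "file" or "observable" (assumption, not one of the page's keys)
    disabled: bool = False
    leaks_info: bool = False
    external_service: bool = False
    supported_filetypes: list = field(default_factory=list)
    not_supported_filetypes: list = field(default_factory=list)
    observable_supported: list = field(default_factory=list)


@dataclass
class AnalysisRequest:
    observable_type: Optional[str] = None  # set for observable jobs
    file_mimetype: Optional[str] = None    # set for file jobs
    sensitive: bool = False                # API flag: "this resource is sensitive"
    exclude_external: bool = False         # API flag: "do not use external services"


def skip_reason(cfg: AnalyzerConfig, req: AnalysisRequest) -> Optional[str]:
    """Return why the analyzer would not run for this request, or None if it would."""
    is_file_job = req.file_mimetype is not None
    if is_file_job == (req.observable_type is not None):
        raise ValueError("request must carry exactly one of file_mimetype / observable_type")
    if cfg.disabled:
        return "disabled"
    if cfg.kind != ("file" if is_file_job else "observable"):
        return f"{cfg.kind} analyzer, not applicable to this job"
    if cfg.leaks_info and req.sensitive:
        return "leaks_info set and resource marked sensitive"
    if cfg.external_service and req.exclude_external:
        return "external services excluded by the request"
    if is_file_job:
        if cfg.supported_filetypes and req.file_mimetype not in cfg.supported_filetypes:
            return f"mimetype {req.file_mimetype} not in supported_filetypes"
        if req.file_mimetype in cfg.not_supported_filetypes:
            return f"mimetype {req.file_mimetype} in not_supported_filetypes"
    else:
        if req.observable_type not in OBSERVABLE_TYPES:
            raise ValueError(f"invalid observable type {req.observable_type!r}")
        if cfg.observable_supported and req.observable_type not in cfg.observable_supported:
            return f"observable type {req.observable_type} not in observable_supported"
    return None


def select_analyzers(configs, req: AnalysisRequest):
    """Split configs into the names that will run and a {name: reason} map for the rest."""
    runnable, skipped = [], {}
    for cfg in configs:
        reason = skip_reason(cfg, req)
        if reason is None:
            runnable.append(cfg.name)
        else:
            skipped[cfg.name] = reason
    return runnable, skipped


# Constructed sample: the names are on this page, the settings are not real configs.
SAMPLE_CONFIGS = [
    AnalyzerConfig("PE_Info", supported_filetypes=["application/x-dosexec"]),
    AnalyzerConfig("File_Info"),
    AnalyzerConfig("VirusTotal_v3_Get_File", leaks_info=True, external_service=True),
    AnalyzerConfig("Cuckoo_Scan", disabled=True),
    AnalyzerConfig("Classic_DNS", kind="observable", observable_supported=["domain"]),
    AnalyzerConfig("AbuseIPDB", kind="observable", external_service=True,
                   observable_supported=["ip"]),
]

if __name__ == "__main__":
    req = AnalysisRequest(file_mimetype="application/x-dosexec", sensitive=True)
    runnable, skipped = select_analyzers(SAMPLE_CONFIGS, req)
    print("run:", runnable)
    for name, why in skipped.items():
        print(f"skip {name}: {why}")
```

With the sample above, a PE file marked as sensitive runs only PE_Info and File_Info: VirusTotal_v3_Get_File is held back by leaks_info, Cuckoo_Scan is disabled, and the two observable analyzers do not apply to a file job.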
Hint: Advanced Configuration
You can also modify analyzer specific parameters directly from the GUI. See Customize analyzer execution at time of request.
Connectors
Connectors are designed to run after every successful analysis which makes them suitable for automated threat-sharing. They support integration with other SIEM/SOAR projects, specifically aimed at Threat Sharing Platforms.
Connectors list
The following is the list of the available connectors. You can also navigate the same list via the:
- Graphical Interface: once your application is up and running, go to the “Plugins” section
- pyintelowl:
$ pyintelowl get-connector-config
List of pre-built Connectors
- MISP: automatically creates an event on your MISP instance, linking the successful analysis on IntelOwl.
- OpenCTI: automatically creates an observable and a linked report on your OpenCTI instance, linking the successful analysis on IntelOwl.
- YETI: YETI = Your Everyday Threat Intelligence. Find or create an observable on YETI, linking the successful analysis on IntelOwl.
Connectors customization
Connectors, being optional, are enabled by default.
You can disable them or create new connectors based on already existing modules by changing the configuration values inside the Django Admin interface at: /admin/connectors_manager/connectorreport/.
The following are all the keys that you can change without touching the source code:
- name: same as analyzers
- description: same as analyzers
- python_module: same as analyzers
- disabled: same as analyzers
- config:
  - queue: same as analyzers
  - soft_time_limit: same as analyzers
- maximum_tlp (default CLEAR, choices CLEAR, GREEN, AMBER, RED): specify the maximum TLP of the analysis up to which the connector is allowed to run (e.g. if maximum_tlp is GREEN, it would run for analysis with TLPs WHITE and GREEN). To learn more about TLPs see TLP Support.
- run_on_failure (default: true): whether the connector can run even if the job has status reported_with_fails
Warning
Changing other keys can break a connector. In that case, you should think about duplicating the configuration entry or python module with your changes.
Managing Analyzers and Connectors
All plugins, i.e. analyzers and connectors, have kill and retry actions. In addition to that, all docker-based analyzers and connectors have a healthcheck action to check if their associated instances are up or not.
kill:
To stop a plugin whose status is running/pending:
- GUI: Buttons on reports table on job result page.
- PyIntelOwl: IntelOwl.kill_analyzer and IntelOwl.kill_connector functions.
- CLI: $ pyintelowl jobs kill-analyzer <job_id> <analyzer_name> and $ pyintelowl jobs kill-connector <job_id> <connector_name>
- API: PATCH /api/job/{job_id}/analyzer/{analyzer_name}/kill and PATCH /api/job/{job_id}/connector/{connector_name}/kill
retry:
To retry a plugin whose status is failed/killed:
- GUI: Buttons on reports table on job result page.
- PyIntelOwl: IntelOwl.retry_analyzer and IntelOwl.retry_connector functions.
- CLI: $ pyintelowl jobs retry-analyzer <job_id> <analyzer_name> and $ pyintelowl jobs retry-connector <job_id> <connector_name>
- API: PATCH /api/job/{job_id}/analyzer/{analyzer_name}/retry and PATCH /api/job/{job_id}/connector/{connector_name}/retry
healthcheck:
To check if the docker container or external platform associated with an analyzer or connector respectively is up or not:
- GUI: Buttons on analyzers table and connectors table.
- PyIntelOwl: IntelOwl.analyzer_healthcheck and IntelOwl.connector_healthcheck methods.
- CLI: $ pyintelowl analyzer-healthcheck <analyzer_name> and $ pyintelowl connector-healthcheck <connector_name>
- API: GET /api/analyzer/{analyzer_name}/healthcheck and GET /api/connector/{connector_name}/healthcheck
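The token-based authentication from the "Tokens Creation" hint and the kill / retry / healthcheck routes listed above can be exercised without pyIntelOwl. The following is an added example, not pyIntelOwl or IntelOwl project code: a standard-library-only client that builds those routes, validates the plugin name before it is placed in the path, and sends the request with the token. The routes come from this page; the `Authorization: Token <token>` header scheme (Django REST framework TokenAuthentication, which pyIntelOwl sends) and the base URL are assumptions.

```python
"""Added example (not pyIntelOwl / IntelOwl code): stdlib client for the
job-management endpoints documented above."""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import quote

# Plugin names on this page are alphanumerics and underscores (e.g. VirusTotal_v3_Get_File).
# Rejecting anything else keeps a user-supplied name from adding path segments to the URL.
_PLUGIN_NAME = re.compile(r"^[A-Za-z0-9_]+$")


class IntelOwlJobClient:
    """Small client for the kill / retry / healthcheck endpoints."""

    PLUGIN_TYPES = ("analyzer", "connector")

    def __init__(self, base_url: str, token: str):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def _headers(self) -> dict:
        # Assumption: DRF TokenAuthentication scheme ("Token <key>"), as pyIntelOwl sends it.
        return {"Authorization": f"Token {self.token}", "Accept": "application/json"}

    @classmethod
    def _check(cls, plugin_type: str, plugin_name: str) -> None:
        if plugin_type not in cls.PLUGIN_TYPES:
            raise ValueError(f"plugin_type must be one of {cls.PLUGIN_TYPES}")
        if not _PLUGIN_NAME.match(plugin_name):
            raise ValueError(f"unexpected plugin name: {plugin_name!r}")

    def job_action_route(self, job_id: int, plugin_type: str, plugin_name: str, action: str):
        """PATCH /api/job/{job_id}/{analyzer|connector}/{name}/{kill|retry}"""
        if action not in ("kill", "retry"):
            raise ValueError("action must be 'kill' or 'retry'")
        self._check(plugin_type, plugin_name)
        path = f"/api/job/{int(job_id)}/{plugin_type}/{quote(plugin_name, safe='')}/{action}"
        return "PATCH", self.base_url + path

    def healthcheck_route(self, plugin_type: str, plugin_name: str):
        """GET /api/{analyzer|connector}/{name}/healthcheck"""
        self._check(plugin_type, plugin_name)
        path = f"/api/{plugin_type}/{quote(plugin_name, safe='')}/healthcheck"
        return "GET", self.base_url + path

    def call(self, method: str, url: str, timeout: float = 30.0):
        """Perform the request; return (status_code, decoded JSON body or raw text / None)."""
        req = urllib.request.Request(url, method=method, headers=self._headers())
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as exc:
            # 4xx/5xx: surface the status together with whatever body the server returned
            body = exc.read()
            try:
                return exc.code, (json.loads(body) if body else None)
            except json.JSONDecodeError:
                return exc.code, body.decode("utf-8", "replace")

    def kill(self, job_id, plugin_type, plugin_name):
        return self.call(*self.job_action_route(job_id, plugin_type, plugin_name, "kill"))

    def retry(self, job_id, plugin_type, plugin_name):
        return self.call(*self.job_action_route(job_id, plugin_type, plugin_name, "retry"))

    def healthcheck(self, plugin_type, plugin_name):
        return self.call(*self.healthcheck_route(plugin_type, plugin_name))


if __name__ == "__main__":
    # Placeholder instance URL and token: replace with your own deployment and API token.
    client = IntelOwlJobClient("https://intelowl.example.org", "REPLACE_WITH_YOUR_TOKEN")
    print(client.job_action_route(42, "analyzer", "VirusTotal_v3_Get_File", "kill"))
    print(client.healthcheck_route("connector", "MISP"))
    # client.kill(42, "analyzer", "VirusTotal_v3_Get_File")  # performs the real PATCH
```

The route builders are separated from `call` so they can be checked offline; `call` returns the HTTP status instead of raising on 4xx/5xx, which is what a scheduler that retries or kills many plugins usually wants.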
Visualizers
With IntelOwl v5 we introduced a new plugin type called Visualizers. You can leverage it as a framework to create custom aggregated and simplified visualization of analyzer results.
Visualizers are designed to run after the analyzers and the connectors. The visualizer adds logic after the computations, allowing it to show the final result in a different way than merely the list of reports.
Each visualizer must define a set of analyzers and connectors as requirement: in fact the visualizers cannot be chosen at the time of Job creation (once you click the Scan button), but every single visualizer that is configured and that has its requirements satisfied will be automatically selected and executed.
This framework is extremely powerful and allows every user to customize the GUI as they wish. But you know…with great power comes great responsibility. To fully leverage this framework, you would need to put some effort in place. You would need to understand which data is useful for you and then write a few lines of code that would create your own GUI. To simplify the process, take example from the pre-built visualizers listed below and follow the dedicated documentation.
List of pre-built Visualizers
- DNS: displays the aggregation of every DNS analyzer report
- Yara: displays the aggregation of every matched rule by the Yara Analyzer
- Domain_Reputation: Visualizer for the Playbook “Popular_URL_Reputation_Services”
- IP_Reputation: Visualizer for the Playbook “Popular_IP_Reputation_Services”
Visualizers customization
You can either disable or create new visualizers based on already existing modules by changing the configuration values inside the Django Admin interface: /admin/visualizers_manager/visualizerreport/.
The following are all the keys that you can change without touching the source code:
- name: same as analyzers
- description: same as analyzers
- python_module: same as analyzers
- disabled: same as analyzers
- config:
  - queue: same as analyzers
  - soft_time_limit: same as analyzers
- analyzers: List of analyzers that must be executed
- connectors: List of connectors that must be executed
Playbooks
Playbooks are designed to be easy-to-share sequences of Analyzers/Connectors to run on a particular kind of observable.
If you want to avoid re-selecting/re-configuring a particular combination of analyzers and connectors every time, you should create a playbook out of it and use it instead. This is a time saver.
This is a feature introduced since IntelOwl v4.1.0! Please provide feedback about it!
Playbooks List
The following is the list of the available pre-built playbooks. You can also navigate the same list via the:
- Graphical Interface: once your application is up and running, go to the “Plugins” section
- pyintelowl:
$ pyintelowl get-playbook-config
List of pre-built playbooks
- FREE_TO_USE_ANALYZERS: A playbook containing all free to use analyzers.
- Sample_Static_Analysis: A playbook containing all analyzers that perform static analysis on files.
- Popular_URL_Reputation_Services: Collection of the most popular and free reputation analyzers for URLs and Domains
- Popular_IP_Reputation_Services: Collection of the most popular and free reputation analyzers for IP addresses
Playbooks customization
You can create new playbooks via the Django Admin interface at /admin/playbooks_manager/playbookconfig/
The following are all the keys that you can leverage/change without touching the source code:
- analyzers: list of analyzers to execute
- connectors: list of connectors to execute
- disabled: similar to analyzers
- description: similar to analyzers
- type: list of observable types or files supported
- runtime_configuration: runtime configuration for each type of plugin
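The playbook keys above (analyzers, connectors, type, disabled) and the visualizer requirements described in the Visualizers section combine into one selection step: a playbook fixes which plugins a job runs for a supported observable type, and every enabled visualizer whose required analyzers and connectors all ran is then selected automatically. The following is an added example, not IntelOwl project code, that implements both steps. Playbook and visualizer names are taken from this page; the plugin lists inside them are constructed for the example and do not reflect the real configurations.

```python
"""Added example (not IntelOwl project code): playbook expansion for a job and
automatic visualizer selection from analyzer/connector requirements."""
from dataclasses import dataclass, field


@dataclass
class PlaybookConfig:
    name: str
    analyzers: list
    connectors: list
    type: list                 # observable types (or "file") this playbook supports
    disabled: bool = False
    description: str = ""


@dataclass
class VisualizerConfig:
    name: str
    analyzers: list = field(default_factory=list)   # must all have been executed
    connectors: list = field(default_factory=list)  # must all have been executed
    disabled: bool = False


def plugins_for_job(playbook: PlaybookConfig, observable_type: str):
    """Return (analyzers, connectors) the job will run, or raise when the playbook
    is disabled or does not list this observable type in `type`."""
    if playbook.disabled:
        raise ValueError(f"playbook {playbook.name} is disabled")
    if observable_type not in playbook.type:
        raise ValueError(f"playbook {playbook.name} does not support {observable_type!r}")
    return list(playbook.analyzers), list(playbook.connectors)


def select_visualizers(visualizers, executed_analyzers, executed_connectors):
    """Every enabled visualizer whose requirements are a subset of what ran is selected."""
    ran_a, ran_c = set(executed_analyzers), set(executed_connectors)
    return [
        v.name for v in visualizers
        if not v.disabled and set(v.analyzers) <= ran_a and set(v.connectors) <= ran_c
    ]


def visualizers_for_playbook(playbook, observable_type, visualizers):
    analyzers, connectors = plugins_for_job(playbook, observable_type)
    return select_visualizers(visualizers, analyzers, connectors)


# Constructed sample: names are on this page, the plugin lists are invented for the example.
SAMPLE_PLAYBOOKS = {
    "Popular_IP_Reputation_Services": PlaybookConfig(
        "Popular_IP_Reputation_Services",
        analyzers=["AbuseIPDB", "GreyNoise", "TalosReputation"], connectors=[], type=["ip"]),
    "Popular_URL_Reputation_Services": PlaybookConfig(
        "Popular_URL_Reputation_Services",
        analyzers=["Classic_DNS", "CloudFlare_DNS", "GoogleSafebrowsing"],
        connectors=["MISP"], type=["domain", "url"]),
}
SAMPLE_VISUALIZERS = [
    VisualizerConfig("IP_Reputation", ["AbuseIPDB", "GreyNoise", "TalosReputation"]),
    VisualizerConfig("Domain_Reputation",
                     ["Classic_DNS", "CloudFlare_DNS", "GoogleSafebrowsing"], ["MISP"]),
    VisualizerConfig("DNS", ["Classic_DNS", "CloudFlare_DNS"]),
]

if __name__ == "__main__":
    pb = SAMPLE_PLAYBOOKS["Popular_URL_Reputation_Services"]
    print(visualizers_for_playbook(pb, "domain", SAMPLE_VISUALIZERS))
```

Note that a visualizer with an unmet connector requirement is not selected even when all of its analyzers ran, which is why disabling a connector can silently remove a visualizer from the job result page.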
Another chance to create a new playbook is to leverage the “Save as Playbook” button that you can find on the top right of the Job Result Page. In this way, after you have done an analysis, you can save the configuration of analyzers/connectors for re-use with a single click.
Those are the only ways to do that for now. We are planning to provide easier ways to add new playbooks in the future.
To contribute to the project, see Contribute.
TLP Support
The Traffic Light Protocol (TLP) is a standard that was created to facilitate greater sharing of potentially sensitive information and more effective collaboration.
IntelOwl is not a threat intel sharing platform, like the MISP platform. However, IntelOwl is able to share analysis results to external platforms (via Connectors) and to send possible privacy related information to external services (via Analyzers).
This is why IntelOwl does support a customized version of the Traffic Light Protocol (TLP): to allow the user to have a better knowledge of how their data are being shared.
Every Analyzer and Connector can be configured with a maximum_tlp value.
Based on that value, IntelOwl understands if the specific plugin is allowed or not to run (e.g. if maximum_tlp is GREEN, it would run for analysis with TLPs WHITE and GREEN only).
This is how every available TLP value behaves once selected for an analysis execution:
- CLEAR: no restriction (WHITE was replaced by CLEAR in TLP v2.0, but WHITE is supported for retrocompatibility)
- GREEN: disable analyzers that could impact privacy
- AMBER: disable analyzers that could impact privacy and limit view permissions to my group
- RED (default): disable analyzers that could impact privacy, limit view permissions to my group and do not use any external service
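The TLP ordering, the WHITE alias and the per-level effects listed above, together with the connector keys maximum_tlp and run_on_failure from the Connectors customization section, reduce to a small comparison. The following is an added example, not IntelOwl project code, that implements that gate. The ordering CLEAR < GREEN < AMBER < RED, the WHITE→CLEAR mapping, the effects of each level and the reported_with_fails status come from this page; the function names and the default success status string "reported_without_fails" are assumptions for this example.

```python
"""Added example (not IntelOwl project code): the TLP gate for analyzers and
connectors as described on this page."""
from dataclasses import dataclass

TLP_ORDER = ("CLEAR", "GREEN", "AMBER", "RED")
TLP_ALIASES = {"WHITE": "CLEAR"}  # WHITE was replaced by CLEAR in TLP v2.0


def normalize_tlp(value: str) -> str:
    """Canonical TLP label (upper-case, WHITE mapped to CLEAR); rejects unknown labels."""
    label = value.strip().upper()
    label = TLP_ALIASES.get(label, label)
    if label not in TLP_ORDER:
        raise ValueError(f"unknown TLP: {value!r}")
    return label


def tlp_rank(value: str) -> int:
    """Position in TLP_ORDER, so that a higher rank means a more restrictive TLP."""
    return TLP_ORDER.index(normalize_tlp(value))


@dataclass(frozen=True)
class TlpEffects:
    """What a job's TLP switches off, as listed on this page."""
    disable_privacy_leaking: bool     # analyzers with leaks_info set
    restrict_view_to_group: bool      # only my group may view the job
    disable_external_services: bool   # analyzers with external_service set


def tlp_effects(job_tlp: str) -> TlpEffects:
    rank = tlp_rank(job_tlp)
    return TlpEffects(
        disable_privacy_leaking=rank >= tlp_rank("GREEN"),
        restrict_view_to_group=rank >= tlp_rank("AMBER"),
        disable_external_services=rank >= tlp_rank("RED"),
    )


def analyzer_allowed(job_tlp: str, leaks_info: bool, external_service: bool) -> bool:
    """An analyzer is skipped when the job TLP disables a property it has."""
    effects = tlp_effects(job_tlp)
    if leaks_info and effects.disable_privacy_leaking:
        return False
    if external_service and effects.disable_external_services:
        return False
    return True


def connector_allowed(maximum_tlp: str, job_tlp: str,
                      job_status: str = "reported_without_fails",  # assumed success status
                      run_on_failure: bool = True) -> bool:
    """A connector runs only if the job TLP does not exceed maximum_tlp and, when the
    job has status reported_with_fails, only if run_on_failure is set."""
    if tlp_rank(job_tlp) > tlp_rank(maximum_tlp):
        return False
    if job_status == "reported_with_fails" and not run_on_failure:
        return False
    return True


if __name__ == "__main__":
    for tlp in ("WHITE", "GREEN", "AMBER", "RED"):
        print(tlp, "->", normalize_tlp(tlp), tlp_effects(tlp))
    print("GREEN connector on AMBER job:", connector_allowed("GREEN", "AMBER"))
```

Because RED is the default job TLP, a connector left at the default maximum_tlp of CLEAR never runs until the operator raises maximum_tlp or the analyst lowers the job TLP; that is the safe direction for a sharing plugin.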