Advanced Usage
This page includes details about some advanced features that Intel Owl provides which can be optionally enabled. Namely,
Optional Analyzers
Some analyzers which run in their own Docker containers are kept disabled by default. They are disabled by default to prevent accidentally starting too many containers and making your computer unresponsive.
Name | Analyzers | Description |
---|---|---|
Malware Tools Analyzers |
|
|
TOR Analyzers | Onionscan |
Scans TOR .onion domains for privacy leaks and information disclosures. |
CyberChef | CyberChef |
Run a transformation on a CyberChef server using pre-defined or custom recipes(rules that describe how the input has to be transformed). Check further instructions here |
PCAP Analyzers | Suricata |
You can upload a PCAP to have it analyzed by Suricata with the open Ruleset. The result will provide a list of the triggered signatures plus a more detailed report with all the raw data generated by Suricata. You can also add your own rules (See paragraph "Analyzers with special configuration"). The installation is optimized for scaling so the execution time is really fast. |
To enable all the optional analyzers you can add the option --all_analyzers
when starting the project. Example:
python3 start.py prod --all_analyzers up
Otherwise you can enable just one of the cited integration by using the related option. Example:
python3 start.py prod --tor_analyzers up
Customize analyzer execution
Some analyzers provide the chance to customize the performed analysis based on parameters that are different for each analyzer.
from the GUI
You can click on “Runtime Configuration” button in the “Scan” page and add the runtime configuration in the form of a dictionary. Example:
"VirusTotal_v3_File": {
"force_active_scan_if_old": true
}
from Pyintelowl
While using send_observable_analysis_request
or send_file_analysis_request
endpoints, you can pass the parameter runtime_configuration
with the optional values.
Example:
runtime_configuration = {
"Doc_Info": {
"additional_passwords_to_check": ["passwd", "2020"]
}
}
pyintelowl_client.send_file_analysis_request(..., runtime_configuration=runtime_configuration)
CyberChef
You can either use pre-defined recipes or create your own as explained here.
To use a pre-defined recipe, set the predefined_recipe_name
argument to the name of the recipe as
defined here. Else, leave the predefined_recipe_name
argument empty and set
the custom_recipe
argument to the contents of
the recipe you want to
use.
Additionally, you can also (optionally) set the output_type
argument.
Pre-defined recipes
“to decimal”:
[{"op": "To Decimal", "args": ["Space", False]}]
Analyzers with special configuration
Some analyzers could require a special configuration:
GoogleWebRisk
: this analyzer needs a service account key with the Google Cloud credentials to work properly. You should follow the official guide for creating the key. Then you can populate the secretservice_account_json
for that analyzer with the JSON of the service account file.ClamAV
: this Docker-based analyzer usesclamd
daemon as its scanner and is communicating withclamdscan
utility to scan files. The daemon requires 2 different configuration files:clamd.conf
(daemon’s config) andfreshclam.conf
(virus database updater’s config). These files are mounted as docker volumes in/integrations/malware_tools_analyzers/clamav
and hence, can be edited by the user as per needs, without restarting the application. Moreover ClamAV is integrated with unofficial open source signatures extracted with Fangfrisch. The configuration filefangfrisch.conf
is mounted in the same directory and can be customized on your wish. For instance, you should change it if you want to integrate open source signatures from SecuriteInfoSuricata
: you can customize the behavior of Suricata:/integrations/pcap_analyzers/config/suricata/rules
: here there are Suricata rules. You can change thecustom.rules
files to add your own rules at any time. Once you made this change, you need to either restart IntelOwl or (this is faster) run a new analysis with the Suricata analyzer and set the parameterreload_rules
totrue
./integrations/pcap_analyzers/config/suricata/etc
: here there are Suricata configuration files. Change it based on your wish. Restart IntelOwl to see the changes applied.
Yara
:You can customize both the
repositories
parameter andprivate_repositories
secret to download and use different rules from the default that IntelOwl currently support.The
repositories
values is what will be used to actually run the analysis: if you have added private repositories, remember to add the url inrepositories
too!
You can add local rules inside the directory at
/opt/deploy/files_required/yara/YOUR_USERNAME/custom_rules/
. Please remember that these rules are not synced in a cluster deploy: for this reason is advised to upload them on GitHub and use therepositories
orprivate_repositories
attributes.
Organizations and data sharing
Organizations are a great way to share data and analysis only with the members of your team. Invite the people you work with in your organization!
Thanks to the “Organization” feature, you can restrict the people who can see the analysis that you made.
By default, analysis (jobs) are executed with a level of TLP that is AMBER
. This means that these jobs are shared with the other members of your community only.
If you want to share a job with everyone and make it public (every IntelOwl user can see them), you should set the TLP as CLEAR
.
How you can do that? You can select the TLP for the analysis at the time of request.
Notifications
Since v4, IntelOwl integrated the notification system from the certego_saas
package, allowing the admins to create notification that every user will be able to see.
The user would find the Notifications button on the top right of the page:

There the user can read notifications provided by either the administrators or the IntelOwl Maintainers.
As an Admin, if you want to add a notification to have it sent to all the users, you have to login to the Django Admin interface, go to the “Notifications” section and add it there.
While adding a new notification, in the body
section it is possible to even use HTML syntax, allowing to embed images, links, etc;
in the app_name field
, please remember to use intelowl
as the app name.
Everytime a new release is installed, once the backend goes up it will automatically create a new notification, having as content the latest changes described in the CHANGELOG.md, allowing the users to keep track of the changes inside intelowl itself.