IntelOwl
IntelOwl is an open-source threat intelligence platform designed to help security teams automatically analyse digital artefacts (files, IPs, domains, URLs, hashes, etc.) at scale.
It allows us to submit an observable (say, an IP or a file hash) and then “enrich” it, i.e., gather data about it from many sources and tools within a single system.
The architecture uses modular plugins (analyzers, connectors, pivots), so we can plug in many external services and internal tools.
It’s built using technologies like Django (Python), React (frontend), PostgreSQL, Redis, Celery and Docker for scalability.
It’s licensed under the AGPL-3.0.
_________________________________________
Features
* We can feed in IP addresses, domains, URLs, file hashes, or even full files, and IntelOwl will run many analyzers to fetch intelligence about them.
* Analysts can use built-in analyzers (e.g., YARA scanning, static file analysis, malware sandboxing) as well as analyzers that query external services (e.g., VirusTotal, AbuseIPDB).
* Connectors share or export results to external systems such as MISP and OpenCTI.
* We can define workflows for different artefact types so that analysis is repeatable and consistent.
* Multiple clients or teams can be managed within a single deployment.
* It has a GUI for manual use, a REST API for automation, and SDKs (e.g., “pyintelowl”) to integrate into our stack.
_________________________________________
Use cases
* A SOC (Security Operations Centre) or threat-intelligence team that spends a lot of time manually gathering data about suspicious observables: IntelOwl can reduce that manual work.
* Incident response, when we have a suspicious file or domain and want to collect as much context about it as possible, quickly.
* Threat hunting: we can feed in many observables (or automate their ingestion) and use the results to build attack context, correlate indicators, etc.
* Bridging our internal tools and external feeds with an open-source tool, if we already use intelligence-sharing platforms.
_________________________________________
Advantages
* Open source, so there is no licensing cost and we can inspect and extend the code.
* Modular and extensible, so we can add our own analyzers or customise workflows.
* Consolidates many sources, saving time compared to querying many systems manually.
* Works well for organisations that cannot afford expensive commercial TI (Threat Intelligence) platforms.
Project source code is available on GitHub:
https://github.com/intelowlproject/IntelOwl

Enjoy #linux 🐧

Well, that was exciting. See you in the next one!