Do you want to get threat intelligence data about a malware, an IP or a domain? Do you want to get this kind of data from multiple sources at the same time using a single API request?
You are in the right place!
Intel Owl is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and a lot of cutting-edge malware analysis tools. It is for everyone who needs a single point to query for info about a specific file or observable.
- Provides enrichment of Threat Intel for malware as well as observables (IP, Domain, URL, hash, etc).
- This application is built to scale out and to speed up the retrieval of threat info.
- It can be integrated easily in your stack of security tools (pyintelowl) to automate common jobs usually performed, for instance, by SOC analysts manually.
- Intel Owl is composed of:
- analyzers that can be run to retrieve data from external sources (like VirusTotal or AbuseIPDB) or to generate intel from internally available tools (like Yara or Oletools)
- connectors that can be run to export data to external platforms
- API REST written in Django and Python 3.9.
- Built-in frontend client written in ReactJS, with certego-ui: provides features such as dashboard, visualizations of analysis data, easy to use forms for requesting new analysis, etc.
Documentation about IntelOwl installation, usage, configuration and contribution can be found at https://intelowl.readthedocs.io/.
To know more about the project and it's growth over time, you may be interested in reading the following:
- Honeynet: v3.0.0 Announcement
- Intel Owl on Daily Swig
- Honeynet: v1.0.0 Announcement
- Certego Blog: First announcement
Available services or analyzers
You can see the full list of all available analyzers in the documentation.
|Inbuilt modules||- Static Office Document, RTF, PDF, PE File Analysis and metadata extraction
- Strings Deobfuscation and analysis (FLOSS, Stringsifter, ...)
- PE Emulation with Qiling and Speakeasy
- PE Signature verification
- PE Capabilities Extraction (CAPA)
- Android Malware Analysis (Quark-Engine, ...)
- SPF and DMARC Validator
|External services||- Dragonfly malware sandbox
- Abuse.ch MalwareBazaar/Threatfox/YARAify
- GreyNoise v2
- VirusTotal v2+v3
- AlienVault OTX
- many more..
|Free modules that require additional configuration||- Cuckoo (requires at least one working Cuckoo instance)
- MISP (requires at least one working MISP instance)
- Yara (a lot of public rules area available. There's also the chance to add your own rules)
Partnerships and sponsors
We have an official sponsorship program for companies, organizations and individuals who support IntelOwl development. For more details on how to join the list below, read the page: Partnership and sponsors.
Certego is a MDR (Managed Detection and Response) and Threat Intelligence Provider based in Italy.
IntelOwl was born out of Certego's Threat intelligence R&D division and is constantly maintained and updated thanks to them.
Dragonfly, an automated sandbox to emulate and analyze malware, is a new public service by Certego developed by the same team behind IntelOwl. It is now available as the
Dragonfly_Emulationanalyzer in IntelOwl. Sign up on Dragonfly today for free access!
The Honeynet Project
The Honeynet Project is a non-profit organization working on creating open source cyber security tools and sharing knowledge about cyber threats.
Since its birth, thanks to this organization, this project has been participating in the Google Summer of Code (GSoC)!
Project Summaries and/or in-development projects:
- 2020: Eshaan Bansal: IntelOwl Work Product
- 2022: We have selected 3 contributors for this year! The projects' results are published in September 2022!
If you are interested in being the next GSoC developer for IntelOwl, join the Honeynet Slack chat for more info. This is also the place where the majority of the development discussion happens, so feel free to join, have a look and ask questions about the project.
(Plus we have just started a new project called GreedyBear that will be proposed to the GSoC too starting from 2022)
Milton Security is a Service Disabled Veteran Owned Small Business that provides effective Threat Hunting and Incident Response to organizations around the globe 24*7
LimaCharlie gives security teams full control over how they manage their security infrastructure. Get full visibility into your coverage, build what you want, control your data, get the security capabilities you need, for however long you need them, and pay only for what you use.
Read everything about this partnership in the LimaCharlie's blog.
Tines is no-code automation for security teams. Build powerful, reliable workflows without a development team.
IntelOwl is officially integrated in Tines. Read everything about this partnership in the Tines' blog.
In 2021 IntelOwl joined the official Docker Open Source Program. This allows IntelOwl developers to easily manage Docker images and focus on writing the code.
If you are an individual who likes this project and want to thank us with a little contribution, we would be happy to list you here in the README as a public acknowledgment.
About the author and maintainers
Feel free to contact the main developers at any time on twitter: