IntelOwl: Open-source threat intelligence management

IntelOwl is an open-source solution designed for large-scale threat intelligence management. It integrates numerous online analyzers and advanced malware analysis tools, providing comprehensive insights in one platform.

“In late 2019, I faced a significant challenge while working as a cybersecurity analyst in a Security Operations Center (SOC). Our team was severely understaffed yet inundated with security alerts and incidents. The workload was overwhelming, leading to burnout. Recognizing the need for a solution, we searched for a tool to automate our most common workflows, particularly in threat intelligence data extraction and analysis. However, no existing open-source tool met all our requirements, so we decided to create one from scratch,” Matteo Lodi, the creator and maintainer of IntelOwl, told Help Net Security.

“We knew our struggles were not unique; many in the cybersecurity community faced the same challenges. Automating repetitive tasks was, and still is, a critical need in the field. In our first year, the tool garnered significant attention, enabling it to evolve and grow over the subsequent years. Today, IntelOwl allows cybersecurity analysts to focus on what truly matters: understanding threats and resolving incidents, rather than being bogged down by routine tasks,” Lodi added.

IntelOwl features

“IntelOwl is a threat intelligence platform built to scale out and speed up the retrieval of threat information. It’s a complete web application intended to be integrated with other security tools or used as a standalone project. It has a cool GUI, full-fledged REST APIs, and official client libraries,” Lodi explains.

For data collection, it integrates several online analyzers and many cutting-edge malware analysis tools. It has been built as a framework, so it is highly customizable in every part: you can add your own plugins based on your use cases, private services, custom tools, and so on.

“You can analyze every type of digital artifacts that you find during your investigations like network artifacts, suspicious files, and correlate them together while pivoting from one to another to construct a flow of analysis and find the information that you need. Works magnificently when integrated in a SOC or as an investigation tool for threat intelligence analysts, threat hunters or forensic analysts,” Lodi added.

Available services or analyzers

Inbuilt modules:

• Static Office Document, RTF, PDF, PE File Analysis and metadata extraction
• Strings Deobfuscation and analysis (FLOSS, Stringsifter, …)
• PE Emulation with Qiling and Speakeasy
• PE Signature verification
• PE Capabilities Extraction (CAPA)
• Javascript Emulation (Box-js)
• Android Malware Analysis (Quark-Engine, …)
• SPF and DMARC Validator
• Yara (public rules are available, you can also add your own)

External services:

• Abuse.ch MalwareBazaar/URLhaus/Threatfox/YARAify
• GreyNoise v2
• Intezer
• VirusTotal v3
• Crowdsec
• URLscan
• Shodan
• AlienVault OTX
• Intelligence_X
• MISP

Future plans and download

“We are committed to increase the support for the Investigation Framework, which can help threat intelligence analysts to better keep track of their analysis and to work more collaboratively. We also want to add a more granular way to search through the extracted data: that would help threat hunters to get the needle from the haystack. And, why not, an AI-based Chatbot to help the analysts to get the information they need? We are exploring this idea for the next Google Summer of Code,” Lodi concluded.

IntelOwl is available for free on GitHub.

Must read:

• 20 free cybersecurity tools you might have missed
• 15 open-source cybersecurity tools you’ll wish you’d known earlier
• 20 essential open-source cybersecurity tools that save you time

I have read and agree to the terms & conditions

Leave this field empty if you're human: