# Intel Owl
Do you want to get **threat intelligence data** about a malware sample, an IP address or a domain? Do you want to get this kind of data from multiple sources at the same time using **a single API request**?
You are in the right place!
IntelOwl is an Open Source solution for the management of Threat Intelligence at scale. It integrates a number of analyzers available online and a lot of cutting-edge malware analysis tools.
### Features
This application is built to **scale out** and to **speed up the retrieval of threat info**.
It provides:
- **Enrichment of Threat Intel** for files as well as observables (IP, domain, URL, hash, etc.).
- A fully-fledged REST API written in Django and Python.
- Easy integration into your stack of security tools, to automate common jobs that are usually performed manually, for instance by SOC analysts (thanks to the official libraries [pyintelowl](https://github.com/intelowlproject/pyintelowl) and [go-intelowl](https://github.com/intelowlproject/go-intelowl)).
- A **built-in GUI** that provides features such as a dashboard, visualizations of analysis data, easy-to-use forms for requesting new analyses, etc.
- A **framework** composed of modular components called **Plugins**:
  - *analyzers* that either retrieve data from external sources (like VirusTotal or AbuseIPDB) or generate intel with internally available tools (like Yara or Oletools)
  - *connectors* that export data to external platforms (like MISP or OpenCTI)
  - *pivots* that trigger the execution of a chain of analyses and connect them to each other
  - *visualizers* that create custom visualizations of analyzer results in the GUI
  - *ingestors* that automatically ingest streams of observables or files into IntelOwl itself
  - *playbooks* that make analyses easily repeatable
  - *data models* that map the different data extracted from analyzers to a single common schema
  - *artifacts* that are representations of observables or files which can be analyzed multiple times for different evaluations
  - *user events* that let users add a custom evaluation or additional info to any artifact
- A starting point for analysts' **Investigations**: users can register their findings, correlate the information found, and collaborate, all in a single place.
### Documentation
We try hard to keep our documentation well written, easy to understand and always updated.
All info about installation, usage, configuration and contribution can be found [here](https://intelowlproject.github.io/docs/).
### Publications and Media
To learn more about the project and its growth over time, you may be interested in reading [the official blog posts and videos about the project](https://intelowlproject.github.io/docs/IntelOwl/introduction/#publications-and-media).
### Available services or analyzers
You can see the full list of all available analyzers in the [documentation](https://intelowlproject.github.io/docs/IntelOwl/usage/#analyzers).
| Type | Analyzers Available |
| ---- | ------------------- |
| Inbuilt modules | - Static Office Document, RTF, PDF, PE, ELF, APK file analysis and metadata extraction<br>- Strings deobfuscation and analysis ([FLOSS](https://github.com/mandiant/flare-floss), [Stringsifter](https://github.com/mandiant/stringsifter), ...)<br>- [Yara](https://virustotal.github.io/yara/), [ClamAV](https://www.clamav.net/) (a lot of public rules are available; you can also add your own rules)<br>- PE emulation with [Qiling](https://github.com/qilingframework/qiling) and [Speakeasy](https://github.com/mandiant/speakeasy)<br>- PE signature verification<br>- PE capabilities extraction ([CAPA](https://github.com/mandiant/capa) and [Blint](https://github.com/owasp-dep-scan/blint))<br>- JavaScript emulation ([Box-js](https://github.com/CapacitorSet/box-js))<br>- Android malware analysis ([Quark-Engine](https://github.com/quark-engine/quark-engine), [Androguard](https://github.com/androguard/androguard), [Mobsf](https://github.com/MobSF/mobsfscan/), ...)<br>- SPF and DMARC validator<br>- PCAP analysis with [Suricata](https://github.com/OISF/suricata) and [Hfinger](https://github.com/CERT-Polska/hfinger)<br>- Honeyclients ([Thug](https://github.com/buffer/thug), [Selenium](https://github.com/wkeeling/selenium-wire))<br>- Scanners ([WAD](https://github.com/CERN-CERT/WAD), [Nuclei](https://github.com/projectdiscovery/nuclei), ...)<br>- more... |
| External services | - Abuse.ch MalwareBazaar/URLhaus/Threatfox/YARAify<br>- GreyNoise v2<br>- Intezer<br>- VirusTotal v3<br>- Crowdsec<br>- URLscan<br>- Shodan<br>- AlienVault OTX<br>- Intelligence_X<br>- MISP<br>- many more... |
## Partnerships and sponsors
As open source project maintainers, we rely heavily on external support to get the resources and time needed to keep the project alive, with a constant stream of new features, bug fixes and general improvements.
Because of this, we joined [Open Collective](https://opencollective.com/intelowl-project) to obtain a status equivalent to a US and EU non-profit, which allows the organization to receive and manage donations transparently and with tax exemption. Please support IntelOwl and the whole community.
#### Certego
[Certego](https://certego.net/?utm_source=intelowl) is an MDR (Managed Detection and Response) and Threat Intelligence provider based in Italy.
IntelOwl was born out of Certego's Threat Intelligence R&D division and is mostly maintained and updated thanks to them.
#### The Honeynet Project
[The Honeynet Project](https://www.honeynet.org) is a non-profit organization working on creating open source cyber security tools and sharing knowledge about cyber threats.
Thanks to Honeynet, we are hosting a public demo of the application [here](https://intelowl.honeynet.org). If you are interested, please contact a member of Honeynet or an IntelOwl maintainer to get access to the public service.
#### Google Summer of Code
Since its birth, this project has been participating in the [Google Summer of Code](https://summerofcode.withgoogle.com/) (GSoC)!
If you are interested in participating in the next Google Summer of Code, check all the info available in the [dedicated repository](https://github.com/intelowlproject/gsoc)!
#### Docker
In 2021 IntelOwl joined the official [Docker Open Source Program](https://www.docker.com/blog/expanded-support-for-open-source-software-projects/). This allows IntelOwl developers to easily manage Docker images and focus on writing the code. You may find the official IntelOwl Docker images [here](https://hub.docker.com/search?q=intelowlproject).
#### DigitalOcean
In 2022 IntelOwl joined the official [DigitalOcean Open Source Program](https://www.digitalocean.com/open-source?utm_medium=opensource&utm_source=IntelOwl).
## About the author and maintainers
Feel free to contact the main developers at any time on Twitter/X or GitHub:
- [Matteo Lodi](https://twitter.com/matte_lodi): Author and Principal Maintainer
- [Daniele Rosetti](https://github.com/drosetti): Frontend Maintainer
- [Federico Gibertoni](https://x.com/fgibertoni1): Maintainer and Community Assistant
- [Simone Berni](https://twitter.com/0ssig3no): Key Contributor
- [Eshaan Bansal](https://twitter.com/eshaan7_): Key Contributor