gitmyhub

IntelOwl

Python ★ 4.6k updated 4d ago

IntelOwl: manage your Threat Intelligence at scale

An open-source security platform that lets you submit a suspicious file, IP, domain, or URL and automatically query dozens of threat intelligence services at once, collecting all results in one place.

PythonDockerGoREST APIsetup: hardcomplexity 4/5

IntelOwl is an open-source platform that helps security teams look up threat information about potentially malicious files, IP addresses, domains, URLs, and file hashes. Instead of checking each security service one at a time, IntelOwl lets you send a single request and have it query dozens of external sources simultaneously, then collect all the results in one place.

The system is built around a plugin architecture. Analyzers are the core components: some query external services like VirusTotal or AbuseIPDB, while others run local analysis tools like Yara or Oletools on uploaded files. Connectors push findings out to other platforms like MISP or OpenCTI. Playbooks group multiple analyzers together so a common investigation workflow can be repeated with one click. Pivots let one analysis trigger follow-up analyses automatically, and ingestors allow streams of files or indicators to be fed into the system continuously.

It comes with a built-in web interface for browsing results, requesting new analyses, and visualizing data. For teams who want to automate things, there are official Python and Go client libraries, plus a REST API that lets IntelOwl slot into existing security tooling or be triggered by other systems.

The project includes an Investigations feature where analysts can register findings, correlate information across multiple analyses, and collaborate with teammates, all within a single interface rather than across separate documents or tickets.

The project is maintained under the Honeynet Project umbrella and has a live demo instance available. A full documentation site covers installation, configuration, and how to add new plugins or playbooks. It is aimed primarily at SOC analysts, incident responders, and security engineers who regularly need to check indicators of compromise across many different intelligence databases.

Where it fits