Understanding IntelOwl #756
Hello, I am trying to understand the system and ecosystem of IntelOwl, where I am trying to find out why it is integrating with other platforms such as MISP, making and using analyzers, other features, and the overall concept and logic. Thank you in advance!
IntelOwl is for aggregating the maximum amount of threat intelligence data about a particular observable (IP, domain, hash, URL) or file. This data is collected from external sources or tools that are available as analyzers inside of IntelOwl. You can query an observable/file against 100s of these analyzers and all the data is returned to you in a unified manner. Automation and ease of use are key here, so all this is possible in just 2 HTTP calls to IntelOwl's REST API. IntelOwl is composed of two sets of plugins: Analyzers and Connectors.
When requesting a job/analysis, you can choose precisely which analyzers or connectors should be executed or, by default, IntelOwl will only run the analyzers appropriate for the specific observable type or file type. IntelOwl tries to be as flexible, abstract and configurable as possible, so as to enable different use cases and capabilities for different users/organizations. So the best way to understand it is to try it out yourself. See the TL;DR installation to get IntelOwl up and running on your system in about 10 minutes.