
Integration/connectors for other threat intel projects

Open pynixadm opened this issue 3 years ago • 5 comments

Suggestions from this comment: https://www.reddit.com/r/blueteamsec/comments/i6j6ur/tool_intel_owl_free_and_open_source_threat/g10ucax/

    • [ ] Add a section for possible resolved urls/hostnames in an IP lookup (reverse ip lookups, etc)
    • [x] Is there a way to remove the max character limit when looking up a URL (128 chars)? The first spam url lookup I did hit it. (Added in #147)
    • [x] Add a way to configure analyzers in the GUI. (#111)
    • [ ] Add a splunk integration (or Graylog), not sure how you'd work this though as the lookup would vary quite a bit depending on the environment
    • [ ] See if any SIEM or SOAR projects will work with you to add integration to their projects. (Related discussion on #176)

pynixadm avatar Aug 12 '20 13:08 pynixadm

Issue 1) Reverse IP lookups should have worked with the ActiveDNS_Classic analyzer, but I just noticed that it is bugged. We will push the fix in the next release. Also, the other 2 analyzers that perform DNS requests via HTTPS (ActiveDNS_CloudFlare and ActiveDNS_Google) do not support reverse lookups at the moment, but in the future they will. I will update this issue as soon as we make changes. Moreover, you could possibly be interested in passive DNS records. Those kinds of data can be extracted from other (already available) analyzers that integrate external services like VirusTotal, OTX AlienVault, SecurityTrails, DNSDB, etc.

Issue 2) resolved by @Eshaan7 in v1.3.0

Issue 3) This is a good idea but would require some work. In my opinion, at the moment, it is pretty simple and fast to configure the analyzers, even without the GUI. Therefore I think we could plan this for later.

Issue 4) We are interested to learn more about that and your use cases. We are not Splunk or Graylog experts, so help with this would be really appreciated. If you prefer a more direct conversation, you can DM me on Twitter at any time.

Issue 5) IMHO, our main focus should be to integrate our project with other full OS projects before performing integration with vendors. In this way, the community would benefit more from our work. Therefore I think that we can plan this for later, or we can ask them for help with the previous issue if we do not resolve issue n.4 on our own.

mlodic avatar Aug 20 '20 08:08 mlodic

Hey, @pynixadm. Regarding the 3rd point, you can check out the latest v1.5.0 release. We have added a way to change analyzer configuration when requesting a scan.

eshaan7 avatar Aug 26 '20 09:08 eshaan7

I can help with number 4, I know Graylog inside and out in regards to setting it up and bringing in data. It wouldn't be that different than what you did for Elastic, except Graylog accepts a long list of input types, including raw JSON. Think of it like outputting to an external syslog.

un-fuf-a-doo avatar Feb 12 '22 21:02 un-fuf-a-doo

Thanks for your proposal @un-fuf-a-doo. As mentioned, we do not know those technologies well, so we would need thorough external help to complete that feature. Also, we would like to understand the use cases of such an integration so we can analyze the benefits that it would provide to IntelOwl.

Are you interested in contributing with code/configuration?

mlodic avatar Feb 14 '22 09:02 mlodic

I can definitely help with the configuration. I am not a great coder, but could definitely help you understand Graylog better. The use cases would be similar to Elastic in that it provides a platform for collecting raw logs for additional telemetry.

A Graylog cluster is simple:

  • Graylog server - Log processor
  • Graylog web UI - Graylog web user interface
  • MongoDB - store configuration
  • ElasticSearch - store messages

All of this is just bundled together to make a single application. The inner workings are just some enhanced tooling for working with the log data. I could spin up a VM with Graylog on it for you to look at and give you a feel for how it looks. Let me know.

I honestly think that the Graylog integration could probably re-use some of the code used from the Elasticsearch integration since Graylog is running Elastic underneath. Once something is ready to test I can build out an extractor in Graylog for parsing the incoming Intel Owl logs.

Jeff

un-fuf-a-doo avatar Feb 14 '22 13:02 un-fuf-a-doo
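As an added illustration of the "raw JSON" path Jeff describes (example code written for this page, not IntelOwl's or Graylog's own code): it maps a constructed IntelOwl-style job record onto a GELF 1.1 message, the JSON envelope a Graylog GELF input accepts, flattening nested analyzer reports and handling the reserved `_id` field. The job field names and the sample values are assumptions, not IntelOwl's actual schema.

```python
import json
import re
import socket
import time

# GELF 1.1 rules (the JSON format a Graylog GELF input accepts): "version",
# "host" and "short_message" are mandatory, extra fields are prefixed with "_",
# "_id" is reserved by Graylog, and field names must match ^[\w\.\-]*$.
GELF_VERSION = "1.1"
FIELD_NAME_RE = re.compile(r"^[\w\.\-]*$")


def flatten(prefix, value, out):
    """Flatten nested analyzer reports into dotted keys (allowed by GELF)."""
    if isinstance(value, dict):
        for k, v in value.items():
            flatten(f"{prefix}.{k}" if prefix else k, v, out)
    elif isinstance(value, list):
        out[prefix] = json.dumps(value)  # GELF values must be strings or numbers
    else:
        out[prefix] = value


def job_to_gelf(job, host="intelowl"):
    """Turn one IntelOwl-style job record (assumed layout) into a GELF 1.1 dict."""
    flat = {}
    flatten("", job, flat)
    msg = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": f"IntelOwl job {job['id']} {job['status']}: {job['observable_name']}",
        "timestamp": time.time(),
        "level": 6,  # syslog INFO, mirroring the "external syslog" idea above
    }
    for name, value in flat.items():
        key = "_job_id" if name == "id" else "_" + name  # "_id" is reserved
        if not FIELD_NAME_RE.match(key):
            raise ValueError(f"invalid GELF field name: {key}")
        msg[key] = value
    return msg


def send_gelf_udp(msg, host="127.0.0.1", port=12201):
    """Send one message to a Graylog GELF UDP input as a single datagram."""
    data = json.dumps(msg).encode()
    if len(data) > 8192:
        raise ValueError("message needs GELF chunking; not handled here")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))


# Constructed sample, loosely modelled on an IntelOwl job result (not real data).
SAMPLE_JOB = {
    "id": 42,
    "observable_name": "203.0.113.10",
    "observable_classification": "ip",
    "status": "reported_without_fails",
    "analyzer_reports": {"ActiveDNS_Classic": {"resolutions": ["example.test"]}},
}
```

`send_gelf_udp(job_to_gelf(SAMPLE_JOB))` delivers the record to a local GELF UDP input; Graylog then needs no extractor for the flattened `_` fields, since GELF already carries them as message fields.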

Closing until new resources/sponsorship come to implement such integrations.

mlodic avatar Oct 13 '22 09:10 mlodic