explaingit

intelowlproject/intelowl

4,569 · Python · Audience · ops, devops · Complexity · 4/5 · Setup · hard

TLDR

An open-source security platform that lets you submit a suspicious file, IP, domain, or URL and automatically query dozens of threat intelligence services at once, collecting all results in one place.

Mindmap

mindmap
  root((IntelOwl))
    Analyzers
      External services
      Local tools
      Yara rules
    Plugin Types
      Connectors
      Playbooks
      Pivots
    Input Types
      Files
      IP addresses
      Domains and URLs
    Interfaces
      Web UI
      REST API
      Python client

Things people build with this

USE CASE 1

Submit a suspicious file hash to IntelOwl and get results from VirusTotal, AbuseIPDB, and dozens of other services in a single request.

USE CASE 2

Create a playbook that automatically runs your standard analyzer set on every new indicator of compromise your team encounters.

USE CASE 3

Set up an ingestor to feed a continuous stream of suspicious URLs into IntelOwl for automated background analysis.

USE CASE 4

Trigger IntelOwl analyses from your SIEM or incident response tool via its REST API or Python client library.

Tech stack

Python · Docker · Go · REST API

Getting it running

Difficulty · hard Time to first run · 1h+

Requires Docker and API keys for external intelligence services like VirusTotal and AbuseIPDB.

In plain English

IntelOwl is an open-source platform that helps security teams look up threat information about potentially malicious files, IP addresses, domains, URLs, and file hashes. Instead of checking each security service one at a time, IntelOwl lets you send a single request and have it query dozens of external sources simultaneously, then collect all the results in one place.

The system is built around a plugin architecture. Analyzers are the core components: some query external services like VirusTotal or AbuseIPDB, while others run local analysis tools like Yara or Oletools on uploaded files. Connectors push findings out to other platforms like MISP or OpenCTI. Playbooks group multiple analyzers together so a common investigation workflow can be repeated with one click. Pivots let one analysis trigger follow-up analyses automatically, and ingestors allow streams of files or indicators to be fed into the system continuously.

It comes with a built-in web interface for browsing results, requesting new analyses, and visualizing data. For teams who want to automate things, there are official Python and Go client libraries, plus a REST API that lets IntelOwl slot into existing security tooling or be triggered by other systems. The project includes an Investigations feature where analysts can register findings, correlate information across multiple analyses, and collaborate with teammates, all within a single interface rather than across separate documents or tickets.

The project is maintained under the Honeynet Project umbrella and has a live demo instance available. A full documentation site covers installation, configuration, and how to add new plugins or playbooks. It is aimed primarily at SOC analysts, incident responders, and security engineers who regularly need to check indicators of compromise across many different intelligence databases.

Copy-paste prompts

Prompt 1
Using IntelOwl's Python client library, write code to submit an IP address for analysis and print the combined results.
Prompt 2
Help me create an IntelOwl playbook that automatically runs VirusTotal and Yara checks on every uploaded file.
Prompt 3
Write a script that calls IntelOwl's REST API to check a list of domains and export all results to a CSV file.
Prompt 4
How do I configure an IntelOwl connector to push analysis findings to a MISP threat intelligence platform?


Verify against the repo before relying on details.