IntelOwl is an open source platform that aggregates and automates threat intelligence retrieval and analysis at scale through a unified API and modular plugins.
IntelOwl: manage your Threat Intelligence at scale
IntelOwl is designed for SOC analysts, threat hunters, and security automation engineers who need to quickly enrich and analyze threat intelligence data from multiple sources simultaneously. It streamlines the process of gathering intel on malware, IPs, domains, URLs, and hashes, enabling faster incident response and automated workflows.
IntelOwl requires configuration of API keys for some external analyzers (e.g., VirusTotal) to maximize functionality. It is recommended to use the official client libraries for automation and integration into existing SOC workflows. The modular plugin architecture allows customization but requires familiarity with Python and Django for advanced extensions.
Clone the repository from GitHub: git clone https://github.com/intelowlproject/IntelOwl.git
Navigate to the project directory
Install dependencies using pip or your preferred Python package manager
Configure the application settings as per your environment
Run the application server (typically via Django management commands)
Optionally, deploy using the official Docker image from Docker Hub
Access the built-in GUI via the provided web interface or live demo
python manage.py runserver
Starts the IntelOwl Django web server for local testing and GUI access
curl -X POST https://intelowl.honeynet.org/api/v1/analysis -H 'Content-Type: application/json' -d '{"observable":"8.8.8.8"}'
Example API request to analyze an observable (IP address) using IntelOwl's REST API
docker pull intelowlproject/intelowl
Pulls the official IntelOwl Docker image for containerized deployment
pip install pyintelowl
Installs the official Python client library to interact with IntelOwl programmatically