microsoft / msticpy

Microsoft Threat Intelligence Security Tools

Integrate IntelOwl as a new TI provider for enrichment #694

Open mlodic opened 1 year ago

mlodic commented 1 year ago

Is your feature request related to a problem? Please describe.
I noticed that there are not many TI providers supported by default (full list here). How can we increase them in an easy way?

Describe the solution you'd like
To avoid writing integrations with several different TI providers, one idea could be to just add IntelOwl as a new TI provider and then IntelOwl will do the work for you. It integrates a lot of different TI providers, so you could just perform the enrichment with your IntelOwl instance and that's all. In this way, people could get the benefit of both tools in a single place, and msticpy users would have a new option for threat intelligence enrichment.

Thoughts?

ianhelle commented 1 year ago

Interesting idea - IntelOwl certainly looks very cool indeed. Congrats on putting something so comprehensive together.

Are you thinking of a TI provider using the pyintelowl SDK? Like a wrapper around send_observable_analysis_request? Or maybe just replicate the API request structure (which looks pretty straightforward)? I wasn't able to tell if the API was synchronous or you submit a job and retrieve the results. We've tried to steer away from things that require users to install and run local services, etc., since it's difficult to predict what kind of environment they would be running in. So I'm thinking that integrating would be more along the lines of "If you have an IntelOwl instance available, here's how you query it from msticpy". Is that what you were thinking?

The file and other analyzer APIs look pretty cool as well - we could also expose some of these in msticpy as Pivot functions.

Happy to collaborate on something.

mlodic commented 1 year ago

Hello, thank you for your answer :)

Yep, we have our official SDK pyintelowl that could be leveraged for this goal, and I think it would be the easiest way for msticpy to interact with IntelOwl. send_observable_analysis_request would create a new analysis of a specific file or observable in IntelOwl. Then it is required to poll for the results by Job ID with the get_job_by_id function.

> "If you have an IntelOwl instance available, here's how you query it from msticpy". Is that what you were thinking?

I guess so. I think that CTI analysts who love either one of these 2 tools (IntelOwl or msticpy) would probably love the other one too, so I think that this would be the best way to have the 2 types of users connect to one another and give them the chance to leverage the 2 tools together.

I don't know how much effort it is to add such kind of integration here in msticpy: is it something feasible in a short time? Is it something you need our help with, or something the maintainers can just do pretty straightforwardly? We can surely help you in understanding how the IntelOwl SDK and API work and, obviously, we would advertise and add such kind of integration into our documentation to have our users try it.
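As an added example (not code from msticpy, IntelOwl or either maintainer), here is the submit-then-poll flow described above, shaped the way a msticpy lookup would call it: the two method names come from the thread, while the job status names and the response field names are assumptions to confirm against your instance, and `_FakeIntelOwl` is a constructed stand-in so the flow runs without a server.

```python
import time
from typing import Any, Callable, Dict, List

# Job states after which IntelOwl stops updating a job (assumed names; confirm on your instance).
TERMINAL_STATES = {"reported_without_fails", "reported_with_fails", "failed", "killed"}


class EnrichmentTimeout(RuntimeError):
    """The job did not reach a terminal state before the deadline."""


def lookup_observable(client: Any, observable: str, analyzers: List[str],
                      timeout_s: float = 120.0, interval_s: float = 2.0,
                      clock: Callable[[], float] = time.monotonic,
                      sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Submit one observable, poll the job by ID until it finishes, summarise per-analyzer results.
    `client` exposes the two pyintelowl-style calls named in the thread; the payload shapes
    (submit -> {"job_id"}; job -> {"status", "analyzer_reports": [{"name","status","report"}]}) are assumptions."""
    submitted = client.send_observable_analysis_request(observable, analyzers_requested=analyzers)
    job_id = submitted["job_id"]
    deadline = clock() + timeout_s
    while True:
        job = client.get_job_by_id(job_id)
        if job["status"] in TERMINAL_STATES:
            break
        if clock() >= deadline:  # bounded wait: a stuck job must not hang the caller's notebook
            raise EnrichmentTimeout(f"IntelOwl job {job_id} still {job['status']!r} after {timeout_s}s")
        sleep(interval_s)  # back off between polls instead of hammering the API
    reports = job.get("analyzer_reports", [])
    return {
        "observable": observable, "job_id": job_id, "job_status": job["status"],
        # "reported_with_fails" is partial data, not an error: keep what succeeded, name what failed
        "succeeded": [r["name"] for r in reports if r.get("status") == "SUCCESS"],
        "failed": [r["name"] for r in reports if r.get("status") != "SUCCESS"],
        "reports": {r["name"]: r.get("report", {}) for r in reports},
    }


class _FakeIntelOwl:
    """Constructed stand-in for pyintelowl.IntelOwl so the flow can run offline."""
    def __init__(self, polls_until_done: int):
        self._remaining = polls_until_done
    def send_observable_analysis_request(self, observable_name, analyzers_requested=None):
        return {"job_id": 42}
    def get_job_by_id(self, job_id):
        self._remaining -= 1
        if self._remaining > 0:
            return {"status": "running", "analyzer_reports": []}
        return {"status": "reported_with_fails", "analyzer_reports": [  # constructed sample reports
            {"name": "AbuseIPDB", "status": "SUCCESS", "report": {"abuseConfidenceScore": 100}},
            {"name": "GreyNoise", "status": "FAILED", "report": {}}]}
```

Swapping `_FakeIntelOwl` for a real `pyintelowl.IntelOwl` client is the only change needed to run this against an instance.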

ianhelle commented 1 year ago

> I don't know how much effort it is to add such kind of integration here in msticpy: is it something feasible in a short time?

I think it would be pretty straightforward - esp. since you have a single API that handles all IoC types.

I'm a bit torn between using the API directly and using the SDK (which looks nice) since we already have a ton of dependencies that I'm not anxious to increase (we're actively trying to reduce them or move them to a plugin model). Another integration point might be our Pivot functions (for the broader IntelOwl functionality) - not sure how applicable this is but for MP functionality, we've tried to group functions into entity-specific sets and add them (dynamically) to entity classes. It feels like a few IntelOwl functions might fit into this paradigm but most are a different paradigm - e.g. where you have a file content and want to do some analysis on that.