Intel Owl is a free and open source tool dedicated to threat intelligence (https://github.com/intelowlproject/IntelOwl). It pools the requests you would otherwise make to different portals and APIs and centralizes the results in a single portal that you can query through the GUI or the API. Give Intel Owl an observable, and it will query every API or portal you have enabled to retrieve data on it.
As regular users of Intel Owl, we wanted to integrate a StalkPhish analyzer to further enrich the results of our threat research during forensic analysis.
Stalkphish.io as a threat intelligence feed
Indeed, we have found that the information delivered by StalkPhish.io can be useful in any threat analysis. Even though StalkPhish.io data focuses on phishing and brand impersonation threats, the data collected by StalkPhish lets us add context to certain analyses.
Several times we have seen the relevance of the data reported by StalkPhish in cases of data theft leading to an intrusion into a computer network. By analyzing and using the URLs from the accessed proxies, it is possible to trace the URLs that were accessed and that StalkPhish has tagged as credential-stealing pages. This can be important information during forensic analysis.
We have also repeatedly found that the data StalkPhish.io enriches on certain IP addresses is a very useful resource for widening the view on the extent of a threat, the rogue URLs involved, and so on.
StalkPhish Intel Owl’s analyzer
In order to take advantage of the StalkPhish API, you need to enter your StalkPhish API key in the Intel Owl configuration file:
(If you don't have a StalkPhish API key, you can obtain one for free at https://www.stalkphish.io/)
Once that is done and the application has been restarted, a new analyzer will appear in the analyzers list.
We have built the Stalkphish analyzer to be used with the following observable:
- IP address
Depending on the search performed, the analyzer connects to different endpoints of the StalkPhish REST API. You can search for an IP address, a string appearing in a URL, or a domain name.
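The dispatch just described, as an added example that is not part of the original post or of the Intel Owl analyzer's own code: a small Python sketch that classifies an observable as an IP address, a domain or a URL string, picks the matching StalkPhish endpoint, and shapes the response into a report. The base URL, endpoint paths and Authorization header scheme are assumptions, not values taken from the page.

```python
import ipaddress
import json
import re
from urllib.parse import quote
from urllib.request import Request, urlopen

# Assumed values: the page gives neither the API base URL nor the endpoint
# paths, so check the StalkPhish.io API documentation before using these.
BASE_URL = "https://api.stalkphish.io/api/v1"
ENDPOINTS = {"ip": "search/ipv4", "domain": "search/url", "url_string": "search/url"}

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_observable(observable: str) -> str:
    """Return 'ip', 'domain' or 'url_string', the three kinds the analyzer searches for."""
    value = observable.strip()
    try:
        ipaddress.ip_address(value)  # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.match(value):
        return "domain"
    return "url_string"  # anything else is searched as a substring of a URL


def build_request(observable: str, api_key: str, base_url: str = BASE_URL) -> Request:
    """Choose the endpoint from the observable type and attach the API key."""
    kind = classify_observable(observable)
    url = f"{base_url}/{ENDPOINTS[kind]}/{quote(observable.strip(), safe='')}"
    # The header scheme is an assumption; use the one StalkPhish documents.
    headers = {"Authorization": f"Token {api_key}", "Accept": "application/json"}
    return Request(url, headers=headers)


def run_analyzer(observable: str, api_key: str, fetch=None) -> dict:
    """Query the API (or an injected fetch callable) and return an Intel Owl style report."""
    req = build_request(observable, api_key)
    fetch = fetch or (lambda r: urlopen(r, timeout=30).read())
    data = json.loads(fetch(req))
    hits = data if isinstance(data, list) else data.get("results", [])
    return {"observable": observable, "type": classify_observable(observable),
            "endpoint": req.full_url, "hits": len(hits), "results": hits}


if __name__ == "__main__":
    # Constructed offline response standing in for a real StalkPhish answer.
    fake_fetch = lambda r: b'[{"siteurl": "http://login.example.invalid/", "ip": "203.0.113.7"}]'
    print(json.dumps(run_analyzer("203.0.113.7", "YOUR_API_KEY", fetch=fake_fetch), indent=2))
```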
Once done, you can retrieve data from the Intel Owl API or GUI:
Intel Owl is a great project for centralizing data retrieval from several APIs and portals during investigations. Give the StalkPhish analyzer a try; it will give you additional data to contextualize your analysis.
The Intel Owl project documentation: https://intelowl.readthedocs.io/en/latest/
The Stalkphish.io website: https://stalkphish.io
Don’t hesitate to drop us an email to ask for more plugins: contact[-at-]stalkphish.com