Submit an observable for security analysis using a specific playbook.
External Documentation: To learn more, visit the Intel Owl documentation.

Basic Parameters

Parameter: Description
Observables: An array of observables. Each Observable should be formatted as an array containing the observable classification (url, domain, hash, ip, generic) and its name.

For Example:
[
  ["url", "http://google.com/"],
  ["domain", "example.com"],
  ["ip", "8.8.8.8"],
  ["hash", "d41d8cd98f00b204e9800998ecf8427e"]
]
Playbook: The name of the playbook to execute for the analysis.
TLP: Traffic Light Protocol classification level to control information sharing.
Tags Labels: A comma-separated list of tag labels to assign to the analysis.

Advanced Parameters

Parameter: Description
Analyzers Runtime Configuration: A configuration object to override default analyzers configuration.

For example:
{
  "Doc_Info": {
    "additional_passwords_to_check": ["passwd", "2020"]
  }
}
For more information about the Runtime Configuration, refer to the Intel Owl API documentation.

Example Output

{
	"results": [
		{
			"job_id": 69,
			"analyzers_running": [
				"AdGuard",
				"Classic_DNS",
				"CloudFlare_DNS",
				"CloudFlare_Malicious_Detector",
				"DNS0_EU",
				"DNS0_EU_Malicious_Detector",
				"DNStwist",
				"Google_DNS",
				"Phishstats",
				"Quad9_DNS",
				"Quad9_Malicious_Detector",
				"Robtex",
				"Thug_URL_Info",
				"Tranco",
				"TweetFeed",
				"UltraDNS_DNS",
				"UltraDNS_Malicious_Detector"
			],
			"connectors_running": [],
			"visualizers_running": [
				"Data_Model"
			],
			"playbook_running": "FREE_TO_USE_ANALYZERS",
			"investigation": 4,
			"status": "accepted",
			"already_exists": false
		},
		{
			"job_id": 70,
			"analyzers_running": [
				"AdGuard",
				"CheckDMARC",
				"Classic_DNS",
				"CloudFlare_DNS",
				"CloudFlare_Malicious_Detector",
				"Crt_sh",
				"DNS0_EU",
				"DNS0_EU_Malicious_Detector",
				"DNStwist",
				"Google_DNS",
				"Mnemonic_PassiveDNS",
				"Onionscan",
				"Phishstats",
				"Quad9_DNS",
				"Quad9_Malicious_Detector",
				"Robtex",
				"Thug_URL_Info",
				"Tranco",
				"TweetFeed",
				"UltraDNS_DNS",
				"UltraDNS_Malicious_Detector"
			],
			"connectors_running": [],
			"visualizers_running": [
				"Data_Model"
			],
			"playbook_running": "FREE_TO_USE_ANALYZERS",
			"investigation": 4,
			"status": "accepted",
			"already_exists": false
		},
		{
			"job_id": 71,
			"analyzers_running": [
				"BGP_Ranking",
				"Classic_DNS",
				"FireHol_IPList",
				"IPApi",
				"IPQuery",
				"Mmdb_server",
				"Mnemonic_PassiveDNS",
				"Phishstats",
				"Robtex",
				"Stratosphere_Blacklist",
				"TalosReputation",
				"TorProject",
				"Tor_Nodes_DanMeUk",
				"TweetFeed",
				"WhoIs_RipeDB_Search"
			],
			"connectors_running": [],
			"visualizers_running": [
				"Data_Model"
			],
			"playbook_running": "FREE_TO_USE_ANALYZERS",
			"investigation": 4,
			"status": "accepted",
			"already_exists": false
		},
		{
			"job_id": 72,
			"analyzers_running": [
				"Cymru_Hash_Registry_Get_Observable",
				"HashLookupServer_Get_Observable",
				"OrklSearch",
				"TweetFeed"
			],
			"connectors_running": [],
			"visualizers_running": [
				"Data_Model"
			],
			"playbook_running": "FREE_TO_USE_ANALYZERS",
			"investigation": 4,
			"status": "accepted",
			"already_exists": false
		}
	],
	"count": 4
}
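
The following Python is an added example, not code from Intel Owl or from this integration. It classifies raw indicator strings into the [classification, name] pairs that the Observables parameter expects, and condenses the output shown above into one entry per job. The function names, the regular expressions and the choice of MD5, SHA-1 and SHA-256 digest lengths are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: recognise hex digests of MD5 (32), SHA-1 (40) and SHA-256 (64) length.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def classify(value):
    """Return one of the page's classifications: url, domain, hash, ip, generic."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. an unbalanced IPv6 bracket in the host part
        return "generic"
    if parts.scheme in ("http", "https", "ftp") and parts.netloc:
        return "url"
    return "domain" if DOMAIN_RE.match(value) else "generic"


def build_observables(raw_values):
    """Build the [[classification, name], ...] array, dropping blanks and duplicates."""
    seen, out = set(), []
    for raw in raw_values:
        name = raw.strip()
        if name and name not in seen:
            seen.add(name)
            out.append([classify(name), name])
    return out


def summarize_jobs(response):
    """Map job_id -> (status, analyzer count, already_exists) from the action output."""
    return {
        job["job_id"]: (job["status"], len(job["analyzers_running"]), job["already_exists"])
        for job in response["results"]
    }


if __name__ == "__main__":  # constructed sample input
    print(build_observables(["http://google.com/", "example.com", "8.8.8.8", "user@example.com"]))
```

Anything that fails every check falls back to generic, so a malformed or unexpected indicator is still submitted rather than silently dropped.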

Workflow Library Example

Send Observable Analysis Playbook Request with Intel Owl and Send Results Via Email