Cortex vs. IntelOwl

Ahmed Musaad
Ahmed Musaad
Cortex vs. IntelOwl
Table of Contents
Table of Contents

Both Cortex and IntelOwl are awesome tools for observable analysis, I wanted to learn a bit about both of them and what better way to do that than trying both tools and writing a comparison of them?

I rarely get the chance to compare two different awesome tools and write detailed posts about them, but I am off work now, and I have few free hours to spare so here is an unbiased, somewhat detailed comparison of Cortex and IntelOwl.

Disclaimer: Both platforms are amazing, both are open source, and both have outstanding teams behind them, this post is merely to outline the features of both tools and give you a better idea on what to expect when picking one or the other.

Introduction

Both Cortex and IntelOwl are Observable Analysis tools which are tools used by security professionals (specially incident handlers) to obtain information about a suspicious observable (e.g. domain details, IP health information, file type, static analysis of a file, ...).

Cortex

Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several?

Cortex, an open source and free software, has been created by TheHive Project for this very purpose. Observables, such as IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a Web interface. Analysts can also automate these operations thanks to the Cortex REST API. (source)

IntelOwl

Intel Owl is an Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. It integrates a number of analyzers available online and is for everyone who needs a single point to query for info about a specific file or observable. (source)

Comparison

Ease of Installation

Starting with a clean VPS, it took me seven minutes to install an instance of IntelOwl, granted a not-so-ready instance but an instance nonetheless. The instance had most of the analysers enabled and configuring the more advanced ones is quite straightforward once you have read the documentation.

I followed Arnaud's awesome guide on installing The Hive & Cortex, I only needed Cortex, so I only install that part. It took me about 15 minutes to get a testing instance up and running. No analysers are configured by default but enabling them is straightforward.

User Interface

Both tools have well-made user interfaces, IntelOwl does look a bit more modern due to the colours but when it comes to functionally and ease of accessing it, both projects are pretty much on par with each other.

IntelOwl - Homepage
IntelOwl - Observable Scan Page
IntelOwl - Results of DMARC Check
Cortex - Homepage
Cortex- Analyser Configuration Page
Cortex - New Analysis Window
Cortex - Analysis Results

Administration & Configuration

IntelOwl exposes little administration options through the GUI which makes the administration experiences a bit less streamlined. Most configurations are stored in configuration files which are easy to edit and work with once you read the documentation.

Cortex exposes more of its administration options through the web interface including configuring organizations, users, analysers, responders and more. This makes the administration experience better and more streamlined.

Command Line Clients

Both tools have CLI clients which allows users to interact with the platforms and build more complex CLI tools that make use of these clients. IntelOwl's client is pyintelowl, Cortex's is Cortex4py. IntelOwl's team created a recording for how to use their command line client, check it out.

asciicast

Supported Analysers

Both platforms supported a wide range of analysers, and both are quite extendible if you wish to create your own custom analyser. You can find the list of supported analysers in the following links (Cortex analysers), (IntelOwl analysers).

Counting all readily available analysers (paid, free, and those with special requirements), Cortex has a total of 105 while IntelOwl has 127 analysers. Both have great coverage for various types of analysis tasks that you might need to perform during an investigation or while doing some research.

Maturity

The maturity of an open source project is a bit tricky to measure in a fair and accurate way, but I will try my best to give you some facts, and you can use that information however you like.

  • The first release of Cortex was on Feb 1, 2017 and since then 25+ releases were published. IntelOwl first release was published on Jan 9, 2020 and since then 23+ releases were published.
  • Cortex has 11 contributors, IntelOwl has 21.
  • Both projects are actively developed and maintained, if you take a look at the GitHub repo, both had commits in the last month.
  • Both projects are licensed under AGPL-3.0 Licence.

Development

If you are considering contributing to either projects or building upon them, then which technologies are used to develop the tools would most likely matter to you. Cortex is developed using Scala, on the other hand, IntelOwl is built using Python.

Conclusion

Both Cortex and IntelOwl are awesome tools that can be of extreme benefit to any security professional who's interested in observable analysis or works in incident handling. Check them out, support their creators, and if you have some time to spare, contribute to the projects.



Great! Next, complete checkout for full access to Ahmed Musaad
Welcome back! You've successfully signed in
You've successfully subscribed to Ahmed Musaad
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated