IONSEC Threat Intel

Query multiple threat intelligence services for IOC enrichment including IP reputation, domain analysis, URL scanning, hash lookups, and malware detection. U...

Author: nirhalfon (source)
Uncategorized · clawhub · v1.0.1 · 1 version · 100000 · Key: required
★ 0 stars · 📥 391 downloads · 💾 0 installs · 1 version · #latest

Threat Intel

Overview

Query multiple external threat intelligence services to enrich observables (IPs, domains, URLs, hashes). Aggregates data from security vendors, open-source feeds, and specialized platforms to provide comprehensive IOC context.

Supported Observable Types:

  • IP addresses - Reputation, geolocation, ASN, open ports, malicious activity
  • Domains - WHOIS, DNS records, reputation, phishing detection
  • URLs - Scan reports, redirects, phishing detection, screenshot analysis
  • Hashes (MD5/SHA1/SHA256) - Malware detection, file analysis, known samples

Quick Start

Basic Usage

# Check an IP across multiple services
openclaw threat-intel ip 8.8.8.8 --services greynoise,abuseipdb,virustotal

# Check a domain
openclaw threat-intel domain evil.com --services all

# Check a hash
openclaw threat-intel hash a3b2c1d4e5f6... --services virustotal,otx

# Check a URL
openclaw threat-intel url http://suspicious.site/payload.exe --services urlscan

# View rate limit status
openclaw threat-intel --rate-limits

API Key Management

Most services require API keys. Configure them interactively:

openclaw threat-intel setup

Or set environment variables:

export VT_API_KEY="your_virustotal_key"
export GREYNOISE_API_KEY="your_greynoise_key"
export SHODAN_API_KEY="your_shodan_key"
export OTX_API_KEY="your_otx_key"
export ABUSEIPDB_API_KEY="your_abuseipdb_key"
export URLSCAN_API_KEY="your_urlscan_key"
export SPUR_API_KEY="your_spur_key"
export VALIDIN_API_KEY="your_validin_key"

See references/api-keys.md for the full list of required keys per service.

Available Services

Free Services (No API Key Required)

Service        | Observable Types | Description
---------------|------------------|------------------------------------
MalwareBazaar  | Hash             | Malware sample database
URLhaus        | URL              | Malicious URL database
DNS0           | Domain           | DNS resolver with threat detection
Google DNS     | Domain           | Public DNS resolver
Cloudflare DNS | Domain           | Public DNS resolver
Pulsedive      | IP, Domain, URL  | Threat intelligence with rate limits

Services Requiring API Keys

Service        | Observable Types      | Best For
---------------|-----------------------|-----------------------------------------------------
VirusTotal v3  | IP, Domain, URL, Hash | Comprehensive malware detection
GreyNoise      | IP                    | Internet background noise and scanner classification
Shodan         | IP                    | Open ports, services, and exposed systems
AlienVault OTX | IP, Domain, URL, Hash | Threat community data
AbuseIPDB      | IP                    | IP reputation and reported abuse
URLscan        | URL                   | Live URL scanning and screenshot
Spur.us        | IP                    | VPN, proxy, and hosting detection
Validin        | IP, Domain, Hash      | Passive DNS, subdomains, and WHOIS

See references/services.md for complete service documentation.

Workflows

IOC Investigation

When investigating a suspicious observable, use this pattern:

  1. Quick triage - Check free services first

```bash
openclaw threat-intel ip 8.8.8.8 --services pulsedive
```

  2. Deep enrichment - Add premium services for known-bad indicators

```bash
openclaw threat-intel ip 8.8.8.8 --services virustotal,greynoise,shodan
```

  3. Correlate - Cross-reference with multiple sources

```bash
openclaw threat-intel ip 8.8.8.8 --services all
```

Bulk Enrichment

Process multiple observables from a file:

openclaw threat-intel bulk iocs.txt --output results.json

Format: one observable per line, optionally prefixed with type:

ip:8.8.8.8
domain:evil.com
hash:a3b2c1...
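The bulk input format above is simple, but a typed prefix can disagree with its value and an unprefixed line has to be classified before it can be routed to the right services. The following parser is an added illustration and is not part of the skill's own `scripts/`; it assumes that blank lines and lines starting with `#` are skipped, that unprefixed lines get their type inferred (URL by scheme, IP via `ipaddress`, hash by hex digest length, otherwise domain), and that duplicates are dropped. The function names and the sample `iocs.txt` content are constructed for this example.

```python
"""Parser for the bulk-enrichment input format: one observable per line,
optionally prefixed with its type (ip:, domain:, url:, hash:).

Added illustration, not code from the IONSEC Threat Intel skill. Assumptions:
blank lines and lines starting with '#' are skipped, unprefixed lines have
their type inferred, and duplicates are dropped while preserving order.
"""
import ipaddress
import re
from dataclasses import dataclass

KINDS = {"ip", "domain", "url", "hash"}
HEX_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest length -> algorithm
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass(frozen=True)
class Observable:
    kind: str          # "ip" | "domain" | "url" | "hash"
    value: str         # normalised value
    detail: str = ""   # "ipv4"/"ipv6" for IPs, digest algorithm for hashes


def infer_type(value):
    """Guess the observable type of an unprefixed value, or None if unrecognised."""
    if URL_RE.match(value):
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if len(value) in HEX_ALGOS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hash"
    if DOMAIN_RE.match(value.lower()):
        return "domain"
    return None


def normalise(kind, value):
    """Canonicalise the value so duplicates written differently collapse."""
    if kind == "ip":
        addr = ipaddress.ip_address(value)
        return Observable("ip", str(addr), f"ipv{addr.version}")
    if kind == "hash":
        return Observable("hash", value.lower(), HEX_ALGOS[len(value)])
    if kind == "domain":
        return Observable("domain", value.lower(), "")
    return Observable("url", value, "")


def parse_line(line):
    """Return (Observable, None), (None, error) or (None, None) for a skipped line."""
    raw = line.strip()
    if not raw or raw.startswith("#"):
        return None, None
    kind, value = None, raw
    head, sep, rest = raw.partition(":")
    if sep and head.lower() in KINDS:          # explicit "type:value" prefix
        kind, value = head.lower(), rest.strip()
    inferred = infer_type(value)
    if inferred is None:
        return None, f"unrecognised observable {value!r}"
    if kind is None:
        kind = inferred
    elif kind != inferred:                     # e.g. "ip:evil.com"
        return None, f"declared type {kind!r} but value {value!r} looks like a {inferred}"
    return normalise(kind, value), None


def parse_bulk(text):
    """Parse a whole file; returns (unique observables in order, list of error strings)."""
    seen, observables, errors = set(), [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        obs, err = parse_line(line)
        if err:
            errors.append(f"line {lineno}: {err}")
        elif obs is not None and obs not in seen:
            seen.add(obs)
            observables.append(obs)
    return observables, errors


# Constructed sample input (not from the page). The two digests are the well-known
# SHA-256 and MD5 of the empty string, used only as syntactically valid hashes.
SAMPLE = """\
# constructed sample iocs.txt
ip:8.8.8.8
domain:evil.com
hash:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
http://suspicious.site/payload.exe
2001:db8::1
d41d8cd98f00b204e9800998ecf8427e
ip:not-an-ip
8.8.8.8
"""

if __name__ == "__main__":
    found, problems = parse_bulk(SAMPLE)
    for o in found:
        print(f"{o.kind:<6} {o.value} {o.detail}")
    for p in problems:
        print("skipped:", p)
```

Rejecting a mismatched prefix instead of silently trusting it matters in practice: a line like `ip:evil.com` would otherwise be sent to IP-only services such as GreyNoise or AbuseIPDB, burning rate-limited quota on a query that can only fail.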

Scripts

Use these scripts directly for programmatic access:

  • scripts/threat_intel.py - Main CLI tool
  • scripts/check_ip.py - IP-focused helper script
  • scripts/bulk_check.py - Bulk processing
  • scripts/setup.py - Explicit interactive API key configuration

Output Formats

Default (Table)

Service        | Result | Score | Details
---------------|--------|-------|--------
VirusTotal     | ⚠️ Suspicious | 12/71 | 12 vendors flagged
GreyNoise      | ✅ Benign  | 0%    | Classified as benign
AbuseIPDB      | ⚠️ Suspicious | 85%   | 12 reports

JSON (for automation)

openclaw threat-intel ip 8.8.8.8 --format json

Markdown (for reports)

openclaw threat-intel ip 8.8.8.8 --format markdown

References

Version history

1 version in total

  • v1.0.1 (current)
    2026-05-07 08:12 · Safe

Security scans

Tencent Cloud Security (Keen): safe, no risk

Tencent Cloud Security (Sanbu): safe, no risk
