IntelMQ is an open-source solution designed to help IT security teams (including CERTs, CSIRTs, SOCs, and abuse departments) streamline the collection and processing of security feeds using a message queuing protocol.
“Originally designed for CSIRTs and later adopted by SOCs, IntelMQ has evolved into a versatile tool for all security teams. With a modular and extensible design, it supports various input, processing, and output plugins, enabling seamless integration with existing workflows. Built for full automation, it significantly reduces workload compared to traditional processes, allowing teams to focus on specialized tasks,” Sebastian Wagner, the maintainer of IntelMQ, told Help Net Security.
While inspired by AbuseHelper, IntelMQ was rewritten from the ground up with several key improvements:
- Simplified administration: Reduces system complexity for easier deployment and management.
- Flexible bot creation: Streamlines the development of new bots for handling diverse data feeds.
- Data persistence: Ensures events are not lost, even in the event of a system crash.
- Standardized data processing: Leverages and enhances the existing Data Harmonization Ontology.
- JSON-based messaging: Uses JSON format for seamless data exchange.
- Seamless storage integration: Supports PostgreSQL, Elasticsearch, Splunk, and other log collectors.
- Custom blacklist management: Provides a straightforward way to create and maintain blacklists.
- API-driven interoperability: Facilitates integration with other systems via a RESTful HTTP API.
“IntelMQ follows the KISS principle, ensuring each component has a single, well-defined function while offering customization options for complex workflows. As a community-driven open-source project, it continuously evolves through global contributions. Designed for scalability, it efficiently handles diverse data feeds, including those from Shadowserver, and integrates with leading cybersecurity platforms such as MISP, RTIR, Shodan, and commercial solutions like ESET, FireEye, McAfee, and AnubisNetworks,” Sebix explained.
The solution is frequently used for:
- Automated incident handling
- Situational awareness
- Automated notifications
- As data collector for other tools
Future plans and download
“As a community-driven project, IntelMQ evolves to meet the needs of its users, continuously adapting to changes in data feeds and related tools. Future plans include expanded integrations, improved user experience, enhanced flow control, native multiprocessing leveraging Python advancements, and support for grouped data,” Sebix concluded.
IntelMQ is available for free on GitHub.
Must read:
