intelmq

Introduction

IntelMQ is a solution for IT security teams (CERTs & CSIRTs, SOCs abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol. It's a community driven initiative called IHAP¹ (Incident Handling Automation Project) which was conceptually designed by European CERTs/CSIRTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.

IntelMQ is frequently used for:

• automated incident handling
• situational awareness
• automated notifications
• as data collector for other tools
• and more!

The design was influenced by AbuseHelper however it was re-written from scratch and aims at:

• Reducing the complexity of system administration
• Reducing the complexity of writing new bots for new data feeds
• Reducing the probability of events lost in all process with persistence functionality (even system crash)
• Use and improve the existing Data Harmonization Ontology
• Use JSON format for all messages
• Provide easy way to store data into databases and log collectors such as PostgreSQL, Elasticsearch and Splunk
• Provide easy way to create your own black-lists
• Provide easy communication with other systems via HTTP RESTful API

It follows the following basic meta-guidelines:

• Don't break simplicity - KISS
• Keep it open source - forever
• Strive for perfection while keeping a deadline
• Reduce complexity/avoid feature bloat
• Embrace unit testing
• Code readability: test with inexperienced programmers
• Communicate clearly

Contribute

• Subscribe to the IntelMQ Developers mailing list and engage in discussions
• Report any errors and suggest improvements via issues
• Read the Developer Guide and open a pull request

Footnotes

1. Incident Handling Automation Project, mailing list: ihap@lists.trusted-introducer.org ↩