IntelMQ: Open-source threat intelligence pipeline

Wiz Experts Team

TL;DR, What is IntelMQ?

IntelMQ is an open-source threat-intelligence pipeline built for security teams such as CERTs, CSIRTs, SOCs, and abuse desks.

Security teams often juggle hundreds of threat-intelligence feeds, each delivered in a different format. These differences create time-consuming, error-prone workflows that fail to scale with current data volumes. IntelMQ fixes the problem by offering a single automated pipeline that ingests data from many sources, converts everything into the IntelMQ Data Format (IDF)—formerly known as DHO—then enriches each record with more context and forwards the result to any target you choose. IntelMQ’s automation significantly cuts analyst workload, letting teams focus on investigation and response instead of data cleanup.

The project started in the European CERT community through the Incident Handling Automation Project (IHAP), grounding IntelMQ in real-world operational needs.


Common use cases

1. Automated threat-intelligence processing: Organizations deploy IntelMQ to gather feeds from providers (like Shadowserver, Spamhaus, and Abuse.ch), parse diverse formats, enrich events with context, and store normalized data in a central repository. The standardized output supports real-time correlation with internal security events and drives automated response.

2. Incident-response automation: Security teams rely on IntelMQ to process incident artifacts, enrich IOCs with geo and AS data, and route intelligence to the right responders through rule-based actions. The workflow shortens response times and guarantees consistent handling.

3. Situational-awareness dashboards: IntelMQ’s harmonized data feeds unified dashboards that track emerging threats, campaigns, and infrastructure targeting an organization. The consistent schema enables clear visualization and trend analysis.

4. Automated network-defense updates: IntelMQ processes abuse feeds, extracts indicators, and updates controls such as firewalls, DNS sinkholes, and proxies. This automated approach speeds reaction to new threats and avoids manual errors.

5. CERT operational automation: National and organizational CERTs adopt IntelMQ to categorize events, enrich records, and share actionable intelligence with stakeholders. IntelMQ’s workflow supports growing data volumes without sacrificing quality or timeliness.

How does IntelMQ work?

IntelMQ runs a modular, message-queue-based architecture in which specialized “bots” move data through a Redis queue. Every message travels as JSON that follows the IntelMQ Data Format (IDF), keeping structure consistent from start to finish.

  • Collector bots fetch raw threat-intelligence data from feeds, APIs, and files.

  • Parser bots convert raw data into IDF-compliant JSON.

  • Expert bots add context, look up databases, apply filters, and modify data under defined rules.

  • Output bots send finished events to targets such as databases, SIEMs, or notification services.

  • Redis message queuing connects the bots, adding fault tolerance, persistence, and options for parallel streams.
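To make the bot chain and the IDF harmonization step concrete, here is an added example (not IntelMQ's own code) that simulates the collector → parser → expert → output flow on a constructed CSV feed with plain Python lists standing in for the Redis queues. The IDF key names (source.ip, source.asn, malware.name, classification.type, time.source, feed.name, raw) are real IntelMQ fields; the bot functions, the feed contents and the ASN lookup table are assumptions made for the example.

```python
import csv
import ipaddress
from io import StringIO
# Constructed sample feed (documentation IP ranges), not any real provider's output.
RAW_FEED = """ip,malware,first_seen
198.51.100.23,Dridex,2024-05-01T10:00:00+00:00
not-an-ip,Emotet,2024-05-01T10:05:00+00:00
203.0.113.7,Emotet,2024-05-01T10:07:00+00:00
"""
ASN_TABLE = {"198.51.100.0/24": 64496, "203.0.113.0/24": 64497}  # constructed lookup data

def collector_bot(out_queue):  # Collector: fetch raw data (embedded here) and emit one report
    out_queue.append({"feed.name": "Constructed C2 feed", "raw": RAW_FEED})

def parser_bot(in_queue, out_queue, dropped):
    """Parser: turn each raw row into an IDF event; rows failing validation are dropped."""
    while in_queue:
        report = in_queue.pop(0)
        for row in csv.DictReader(StringIO(report["raw"])):
            try:
                ip = str(ipaddress.ip_address(row["ip"]))  # validate before it enters the pipeline
            except ValueError:
                dropped.append(row)
                continue
            out_queue.append({"feed.name": report["feed.name"], "source.ip": ip,
                              "malware.name": row["malware"].lower(),
                              "classification.type": "c2-server",
                              "time.source": row["first_seen"], "raw": ",".join(row.values())})

def expert_bot(in_queue, out_queue):
    """Expert: enrich each event with source.asn from the lookup table, then pass it on."""
    while in_queue:
        event = in_queue.pop(0)
        addr = ipaddress.ip_address(event["source.ip"])
        for prefix, asn in ASN_TABLE.items():
            if addr in ipaddress.ip_network(prefix):
                event["source.asn"] = asn
        out_queue.append(event)

def output_bot(in_queue):
    return list(in_queue)  # Output: deliver finished events; returned here instead of written to a DB

def run_pipeline():
    reports, events, enriched, dropped = [], [], [], []
    collector_bot(reports)
    parser_bot(reports, events, dropped)
    expert_bot(events, enriched)
    return output_bot(enriched), dropped
```

Rejected rows are kept in a separate list rather than silently discarded, which is the behaviour you want from a parser bot so that malformed feed lines can be reviewed instead of polluting downstream stores.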

Core Capabilities

1. Modular bot architecture: IntelMQ’s component design lets you create custom workflows by combining generic and specialized bots. Adding or replacing a bot never disturbs the rest of the system, so teams can extend the pipeline as needs evolve.

2. Data harmonization and standardization: The platform enforces the IntelMQ Data Format, turning varied input into predictable, validated records. The unified schema removes inconsistencies, boosts data quality, and simplifies downstream analysis and tool integration.

3. Persistent message queuing: Redis provides durable storage, transaction support, acknowledgments, and recovery. The queue manages backpressure under heavy load and keeps data safe during maintenance or failure, a requirement for production CERT environments.

4. Web-based management interface: IntelMQ Manager offers a drag-and-drop canvas where you design pipelines, watch bot status, inspect queues, and view logs. The graphical tools lower the entry barrier, so even staff without command-line skills can manage complex workflows.

5. Integration ecosystem: IntelMQ outputs to PostgreSQL, MongoDB, Splunk, Elasticsearch, MISP, CIF v3, and more. REST APIs handle custom connections, allowing IntelMQ to slot into existing security stacks.

Limitations

1. Steep learning curve: Teams must understand bot settings, Redis management, and IDF details to unlock the full feature set.

2. Redis dependency: Redis expertise is essential for tuning, monitoring, and high-availability planning.

3. Limited built-in analytics: IntelMQ focuses on processing and normalization, so advanced analytics require external tools.

4. Configuration complexity: Large pipelines demand knowledge of bot interactions, queue sizing, and performance tuning.

5. Resource-intensive processing: High-volume feeds can tax memory and CPU, so capacity planning is critical.

Pro tip

Processing threat intelligence feeds with IntelMQ? You can connect those insights to your actual cloud environment with Wiz. While IntelMQ normalizes threat data from hundreds of sources, Wiz shows you which of those indicators are actually present in your infrastructure and how they could impact your sensitive assets through attack path analysis.


Getting Started

Step 1: Ensure prerequisites

Make sure you have Python 3.8+, pip, and Redis installed.

Step 2: Install IntelMQ using pip

python3 -m pip install intelmq

Step 3: Initialize IntelMQ’s configuration directories and default configuration files

intelmqsetup

Step 4: Start the core process manager

intelmqctl start

Step 5: Verify installation and running bots

intelmqctl status

IntelMQ vs Alternatives

Primary focus

  • IntelMQ: Modular bot pipeline for threat-intelligence processing

  • OpenCTI: Knowledge-graph-based CTI platform with STIX2

  • MISP: Event-based threat-intelligence sharing platform

  • YETI: Forensics intelligence bridging CTI and DFIR

Architecture

  • IntelMQ: Redis-based message queuing with modular bots

  • OpenCTI: GraphQL API with knowledge-graph structure

  • MISP: Web-based platform with REST API and modules

  • YETI: Web API with automated enrichment pipeline

Data format

  • IntelMQ: IntelMQ Data Format (IDF) with JSON

  • OpenCTI: STIX2-compliant knowledge graph

  • MISP: Native event format with STIX/TAXII support

  • YETI: Mixed formats with automated normalization

Management interface

  • IntelMQ: Web-based IntelMQ Manager with visual pipeline design

  • OpenCTI: Rich web interface with dashboards and case management

  • MISP: Comprehensive web UI with event correlation

  • YETI: Bootstrap-based UI with relationship graphs

Integration ecosystem

  • IntelMQ: PostgreSQL, MongoDB, Splunk, Elasticsearch, MISP, CIF, REST

  • OpenCTI: Hundreds of connectors, MISP integration, SIEM compatibility

  • MISP: Extensive modules, PyMISP library, wide tool support

  • YETI: MISP instances, malware trackers, XML/JSON feeds

FAQs