Trusted & Pre-processed Threat Intelligence, Ready to Deliver

hub.intelmq.org aggregates, enriches and pre-filters security data feeds so that national CERTs, ISP abuse teams and corporate CSIRTs can notify their constituency — with minimal extra processing.

What is hub.intelmq.org?

hub.intelmq.org is a centralised data hub that collects raw threat-intelligence feeds — including honeypot hit data, sinkhole observations and information about vulnerable or compromised systems — and transforms them into clean, harmonised, actionable events using the IntelMQ framework.

The problem: while IntelMQ is a great framework and highly adaptable, every setup needs to be hand-tailored by its operator. Hence, every setup also repeats the same steps:

  • Fetch data
  • Map data
  • Filter data
  • Enrich data
  • Write template texts for your constituency

Wouldn't it be nice if the pre-processing steps (fetching, filtering, mapping, enriching) and the added context (template texts) were done for you? Automatically?

Enter hub.intelmq.org - a place where you can fetch the pre-processed data and send it off to your constituency.

The goal: receiving teams can forward notifications to their constituency 1-1. No additional work needed.

Pre-filtered

Data is sliced per network / country so you only receive events that concern your constituency.

Enriched

Each event is augmented (enriched) with ASN, geolocation, etc. In addition, hub.intelmq.org will give you context information (descriptions of the event, remediation instructions) which you can pass on 1-1 to your constituency.

Ready to Send

Output follows the IntelMQ harmonisation — plug it straight into your notification pipeline.

Available Data Categories

Three pillars of actionable threat intelligence

Honeypot Hits

Attack telemetry collected from globally distributed honeypots — login attempts, exploit payloads and scanning activity mapped to source IPs in your network space.

SSH HTTP SMB Telnet

Sinkhole Data

Connections from infected machines to sinkholed C&C domains. Each event identifies a likely bot in your constituency — ready for notification and remediation.

Botnet C&C DGA

Vulnerable Systems

Scan-based observations of publicly reachable services with known vulnerabilities or dangerous misconfigurations (open resolvers, exposed databases, outdated TLS, etc.).

Open DNS NTP SNMP CVE

Powered by IntelMQ

IntelMQ is an open-source solution for IT security teams — CERTs, CSIRTs, SOCs and abuse departments — for collecting and processing security feeds using a message-queuing pipeline. Born from the Incident Handling Automation Project (IHAP) driven by European CERTs, it has become the de-facto standard for automated feed processing in the CERT community.

With IntelMQ you can:

  • Automate incident handling & notifications
  • Build situational-awareness dashboards
  • Harmonise heterogeneous feeds into a single JSON format
  • Enrich events with GeoIP, ASN, abuse contacts, RDAP & more
  • Store results in PostgreSQL, Elasticsearch, Splunk or send via SMTP


Collect → Parse → Enrich → Filter → Output

Frequently Asked Questions

How to contribute data or receive feeds

I am a data feed provider — how can I contribute data?

We welcome new data sources! If you operate honeypots, sinkholes or conduct internet-wide scans and would like your data cleaned up, harmonised and distributed to the CERT community through hub.intelmq.org, here is how to get started:

  1. Reach out — send an email to hub@intelmq.org describing your data source, format, volume and update frequency.
  2. We evaluate — our team will review the feed for quality, relevance and overlap with existing sources.
  3. Integration — together we write (or re-use) an IntelMQ collector/parser bot. If you already deliver data in a standard format (CSV, JSON, STIX) integration is usually straightforward.
  4. Go live — once validated, the feed enters the production pipeline and gets distributed to all eligible recipients. You will be credited (unless you prefer to stay anonymous).

All contributed data will be processed through the full IntelMQ pipeline: deduplication, harmonisation, enrichment and per-constituency filtering.

I am a national CERT / government CSIRT — how can I get the data?

National CERTs receive feeds filtered by country code. Every event whose source IP geolocates to your country (or falls within address space delegated to your economy) is included in your feed.

  1. Contact us at hub@intelmq.org from your official CERT address.
  2. We verify your identity through Trusted Introducer, FIRST membership, or equivalent channels.
  3. Once approved, you will receive API credentials and documentation for pulling your country-specific feed.

The data is delivered in IntelMQ's harmonised JSON format and can be imported directly into your local IntelMQ instance or any other tooling that supports the format.

I am a corporate or ISP CERT/CSIRT — how can I get the data?

Corporate and ISP teams receive feeds filtered by AS number or IP prefix.

  1. Email hub@intelmq.org with your organisation name, ASNs / prefixes and a brief description of your team.
  2. We verify your authority over the announced address space (e.g. via whois, PeeringDB, or an existing trust framework).
  3. You get API credentials scoped to your network objects.

As with national CERTs, the output is ready to forward to your end-users or customers with minimal extra processing.

Who can access the data?

Currently, only trusted and verified parties may receive data feeds from hub.intelmq.org. Access is granted on a case-by-case basis after identity and mandate verification. Membership in established trust communities (FIRST, TF-CSIRT / Trusted Introducer, national CERT networks) greatly accelerates the process.

In which format is the data delivered?

All events follow the IntelMQ Data Harmonization ontology and are delivered as JSON objects — one event per line (JSON Lines). Fields include source.ip, source.asn, source.geolocation.cc, classification.type, time.source and many more.

If you run IntelMQ locally, you can ingest the feed directly. Otherwise any tooling that processes structured JSON will work.
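For teams without a local IntelMQ instance, the following added example (not code from hub.intelmq.org or the IntelMQ project) reads a JSON Lines feed, rejects malformed or incomplete events, and re-checks that each event really falls inside the recipient's own ASNs and prefixes before grouping it by classification.type for notification. It assumes flat dotted keys for the field names listed above and treats those five fields as required; the function name, sample events, prefixes and ASNs are constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Fields named in the FAQ answer; treating them as required is an assumption.
REQUIRED = ("source.ip", "source.asn", "source.geolocation.cc",
            "classification.type", "time.source")

# Constructed sample feed: documentation addresses and private-use ASNs.
SAMPLE_FEED = """\
{"source.ip": "192.0.2.10", "source.asn": 64500, "source.geolocation.cc": "AT", "classification.type": "infected-system", "time.source": "2024-01-01T00:00:00+00:00"}
{"source.ip": "192.0.2.77", "source.asn": 64500, "source.geolocation.cc": "AT", "classification.type": "vulnerable-system", "time.source": "2024-01-01T00:05:00+00:00"}
{"source.ip": "198.51.100.5", "source.asn": 64501, "source.geolocation.cc": "DE", "classification.type": "infected-system", "time.source": "2024-01-01T00:06:00+00:00"}
{"source.ip": "not-an-ip", "source.asn": 64500, "source.geolocation.cc": "AT", "classification.type": "scanner", "time.source": "2024-01-01T00:07:00+00:00"}
{"source.ip": "192.0.2.99", "classification.type": "scanner"}
{broken json
"""

def triage(feed_text, my_prefixes, my_asns):
    """Return (events grouped by classification.type, [(line_no, reason)])."""
    nets = [ipaddress.ip_network(p) for p in my_prefixes]
    accepted = defaultdict(list)
    rejected = []
    for line_no, line in enumerate(feed_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)  # one event per line (JSON Lines)
            ip = ipaddress.ip_address(event["source.ip"])
        except (ValueError, KeyError, TypeError):
            rejected.append((line_no, "malformed"))
            continue
        missing = [f for f in REQUIRED if f not in event]
        if missing:
            rejected.append((line_no, "missing " + ",".join(missing)))
        elif event["source.asn"] not in my_asns or not any(ip in n for n in nets):
            # Never forward an event that is outside our own network objects.
            rejected.append((line_no, "out of scope"))
        else:
            accepted[event["classification.type"]].append(event)
    return dict(accepted), rejected

if __name__ == "__main__":
    events, errors = triage(SAMPLE_FEED, ["192.0.2.0/24"], {64500})
    print({k: len(v) for k, v in events.items()}, errors)
```

Logging the rejected line numbers and reasons, rather than dropping them silently, makes upstream filtering or parsing problems visible to the recipient.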

Data FAQ

Understanding and interpreting the hub.intelmq.org data feeds

Coming Soon

Detailed documentation on data fields, classification taxonomy, confidence scoring, de-duplication rules and per-feed interpretation guides will be published here.

Statistics

Overall numbers on processed data feeds

Events (24 h)

Active Feeds

Countries Served

Recipients

Charts & Breakdowns Coming Soon

Interactive graphs showing event volumes, top feeds, classification distribution and geographic heatmaps will appear here.

Operational Status

Current health of the hub.intelmq.org infrastructure

Component                  Status        Last Checked
Collector Pipeline         Operational
Processing & Enrichment    Operational
REST API                   Operational
PostgreSQL Store           Operational
Notification Delivery      Operational

Automated status checks will be integrated soon.

Automated Monitoring Coming Soon

Real-time health checks, feed freshness indicators and a historical uptime log will be displayed here.

Get in Touch

Whether you want to receive feeds, contribute data or just ask a question — we'd love to hear from you. Access is currently limited to trusted & verified parties.

hub@intelmq.org

Please use your official organisational email address so we can verify your identity.