Erik
Level 9

OpenDXL vs IntelMQ

I can't really make it up myself: how does OpenDXL compare to IntelMQ? https://github.com/certtools/intelmq

Where do the two overlap, and how might they be good additions to one another?

0 Kudos
1 Reply
chrissmith
Level 7

Re: OpenDXL vs IntelMQ

Great question.

First, I need to qualify my response with the fact that I know very little about IntelMQ. However, after a cursory look at the FAQ, some high level descriptions, and examples, it appears that the goals of the two projects are quite different.

The primary goals of IntelMQ appear to be:

  • Normalization of a large number of data feeds (security feeds, log files, tweets) using a message queueing protocol
  • Support a wide variety of these data feeds in a consistent manner (JSON, etc.)
  • Ability to persist the feeds in a variety of systems (Splunk, ElasticSearch, etc.)

The primary goals of DXL are:

  • Ability to connect a large number of clients (100s of thousands to millions) on a distributed fabric (may extend across large geographic regions with fault tolerance)
  • Share near real-time security events with those clients (reputation change for a file, etc.)
  • Easily allow security products to integrate with the fabric (TIE, MAR, Rapid7, Aruba, CheckPoint, etc.) and make their functionality available to the connected clients in a way that hides deployment details (topic-based communication)
  • Secure the fabric in a consistent way (PKI-based mutual authentication and certificate-based authorization)

The two projects seem very complementary in fact. Exposing IntelMQ normalized events to the DXL fabric would be something that would seem to be fairly straightforward (they have an example that shows a similar integration with Splunk).

Thanks again for the question,

Chris
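The IntelMQ-to-DXL bridge that the reply calls straightforward, as an added example that is neither project's own code: it maps one IntelMQ harmonized event (flat JSON with dotted keys such as `source.ip` and `classification.type`) to a DXL topic and payload, so DXL subscribers can filter by taxonomy with topic wildcards. The `/intelmq/event` topic prefix, the list of forwarded fields and the sample event are assumptions; the `dxlclient` calls are the OpenDXL Python client's public API, imported lazily so the mapping itself runs without a broker.

```python
"""Publish IntelMQ-harmonized events onto an OpenDXL topic (added example)."""
import json
from typing import Any, Callable, Dict, Tuple

# Subset of IntelMQ Data Harmonization fields worth forwarding. Everything else,
# including the base64 'raw' feed line, is dropped so the DXL payload stays small.
FORWARDED_FIELDS = ("feed.name", "time.observation", "source.ip", "source.fqdn",
                    "classification.taxonomy", "classification.type",
                    "malware.name", "event_description.text")
TOPIC_PREFIX = "/intelmq/event"   # assumed namespace; neither project defines one


def _topic_segment(value: str) -> str:
    """DXL topics are '/'-separated; keep a segment lowercase, no separators/wildcards."""
    return "".join(c if c.isalnum() or c == "-" else "-" for c in value.strip().lower())


def build_dxl_message(event: Dict[str, Any]) -> Tuple[str, bytes]:
    """Map an IntelMQ event to (topic, JSON payload). Raises ValueError if unclassified."""
    taxonomy, ev_type = event.get("classification.taxonomy"), event.get("classification.type")
    if not taxonomy or not ev_type:
        raise ValueError("IntelMQ event lacks classification.taxonomy / classification.type")
    # e.g. /intelmq/event/malicious-code/malware-distribution; subscribers can use
    # /intelmq/event/malicious-code/# to receive that whole taxonomy branch.
    topic = "%s/%s/%s" % (TOPIC_PREFIX, _topic_segment(taxonomy), _topic_segment(ev_type))
    payload = {k: event[k] for k in FORWARDED_FIELDS if k in event}
    return topic, json.dumps(payload, sort_keys=True).encode("utf-8")


def publish(event: Dict[str, Any], send: Callable[[str, bytes], None]) -> str:
    """Publish one event through an injected send(topic, payload); returns the topic."""
    topic, payload = build_dxl_message(event)
    send(topic, payload)
    return topic


def dxl_sender(config_path: str) -> Callable[[str, bytes], None]:
    """Build a send() backed by the real OpenDXL client (dxlclient.config from the broker)."""
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxlclient.message import Event
    client = DxlClient(DxlClientConfig.create_dxl_config_from_file(config_path))
    client.connect()   # mutual TLS using the certs named in the config file

    def send(topic: str, payload: bytes) -> None:
        dxl_event = Event(topic)
        dxl_event.payload = payload
        client.send_event(dxl_event)
    return send


# Constructed sample (an IntelMQ-style malware URL record), not real feed data.
SAMPLE_EVENT = {"feed.name": "Example Feed", "time.observation": "2019-01-01T00:00:00+00:00",
                "source.ip": "198.51.100.7", "source.fqdn": "malware.example",
                "classification.taxonomy": "malicious-code",
                "classification.type": "malware-distribution",
                "raw": "aHR0cDovL21hbHdhcmUuZXhhbXBsZS9wYXlsb2FkLmV4ZQ=="}
```

Wire `publish(event, dxl_sender("dxlclient.config"))` into an IntelMQ output bot's message loop to push live events; the pure mapping can be unit-tested without a broker.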