Version: 2.12.0

Overview

The DDoS Detector for Splunk Enterprise App provides real-time alerting and visualization for DDoS events detected by NetFlow Optimizer's DDoS Detector Module and reported to Splunk.

When the DDoS Detector Module identifies an anomaly, it forwards structured event data to Splunk via Syslog or HEC/JSON. The App ingests these events, surfaces them across dedicated dashboards, and triggers email notifications — giving operators the visibility needed to act before targeted devices and servers are overwhelmed.


What the App Does

  • Detects and displays attacks as they happen. The dashboards update in real time as the DDoS Detector Module reports new events, giving operators an immediate view of attack type, affected targets, and traffic behavior.
  • Filters by confidence level. Operators can scope dashboard views and alert thresholds to a selected confidence level, reducing noise and focusing attention on high-certainty events.
  • Sends email alerts within minutes. Once configured, the App dispatches email notifications as soon as a qualifying DDoS event is detected. Each alert includes a direct link into the Attacks Details dashboard for immediate drilldown.
  • Supports historical investigation. The App retains event history, allowing operators to search for patterns across past attacks — recurring sources, repeated victims, and correlated attack types.

How It Fits Into the DDoS Detection Workflow

The App is the visualization and alerting layer of a three-component pipeline:

  1. NFO DDoS Detector Module: Analyzes flow telemetry and assigns a confidence level to detected anomalies
  2. Technology Add-on for NetFlow (TA-netflow): Installed on Splunk; parses incoming NFO events and maps fields for the App to consume
  3. DDoS Detector for Splunk Enterprise App: Provides the dashboards, alert logic, and email notifications that operators interact with directly

The App has no detection logic of its own. All analysis happens in NFO; Splunk is the operational interface.
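The pipeline above delivers the same event over two transports (Syslog or HEC/JSON) that Splunk must normalise before the confidence filter and email alert can run. The following is an added example, not code from NetFlow Optimizer, the TA-netflow add-on or the App: it models the TA's role in Python with constructed sample input. The event field names (attack_type, target, source, confidence), the three-level confidence scale, the RFC 5424 message shape, the sourcetype value and the dashboard URL path are all assumptions made for illustration; the real NFO event schema is not shown on this page.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed ordering of confidence levels (the page names the filter, not the scale).
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample input. Field names are hypothetical stand-ins for the
# real NFO DDoS Detector event schema.
SAMPLE_HEC_RECORDS = [
    {"time": 1700000000, "sourcetype": "flowintegrator",
     "event": {"attack_type": "udp_flood", "target": "10.0.0.5",
               "source": "198.51.100.7", "confidence": "high"}},
    {"time": 1700000060, "sourcetype": "flowintegrator",
     "event": {"attack_type": "dns_amplification", "target": "10.0.0.5",
               "source": "203.0.113.9", "confidence": "low"}},
]

SAMPLE_SYSLOG_LINES = [
    '<134>1 2023-11-14T22:15:00Z nfo01 flowintegrator - - - '
    'attack_type="syn_flood" target="10.0.0.9" source="198.51.100.7" confidence="medium"',
    '<134>1 2023-11-14T22:16:00Z nfo01 flowintegrator - - - '
    'attack_type="udp_flood" target="10.0.0.5" source="192.0.2.20" confidence="high"',
]

_KV_RE = re.compile(r'(\w+)="([^"]*)"')
# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
_SYSLOG_RE = re.compile(r"^<\d+>1 (\S+) (\S+) (\S+) \S+ \S+ \S+ (.*)$")


def parse_hec_record(record):
    """Flatten a HEC envelope: the payload lives under the 'event' key."""
    event = dict(record["event"])
    event["time"] = int(record["time"])
    return event


def parse_syslog_line(line):
    """Pull key="value" pairs out of the MSG part of an RFC 5424 line."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = dict(_KV_RE.findall(m.group(4)))
    event["time"] = int(ts.timestamp())
    return event


def ingest(hec_records, syslog_lines):
    """Normalise both transports into one event list, oldest first."""
    events = [parse_hec_record(r) for r in hec_records]
    events += [parse_syslog_line(line) for line in syslog_lines]
    return sorted(events, key=lambda e: e["time"])


def filter_by_confidence(events, minimum):
    """Keep only events at or above the operator's selected confidence level."""
    floor = CONFIDENCE_RANK[minimum]
    return [e for e in events if CONFIDENCE_RANK.get(e["confidence"], -1) >= floor]


def build_alert(event, splunk_url):
    """Email-style alert with a drilldown link (dashboard path is an assumption)."""
    link = "%s/app/ddos_detector/attack_details?target=%s" % (splunk_url, event["target"])
    subject = "DDoS (%s confidence): %s against %s" % (
        event["confidence"], event["attack_type"], event["target"])
    return {"subject": subject, "link": link}


def recurring(events):
    """Sources and targets seen more than once across retained history."""
    sources = Counter(e["source"] for e in events)
    targets = Counter(e["target"] for e in events)
    return {"sources": sorted(s for s, n in sources.items() if n > 1),
            "targets": sorted(t for t, n in targets.items() if n > 1)}


if __name__ == "__main__":
    all_events = ingest(SAMPLE_HEC_RECORDS, SAMPLE_SYSLOG_LINES)
    for ev in filter_by_confidence(all_events, "medium"):
        print(build_alert(ev, "https://splunk.example.internal:8000")["subject"])
    print(recurring(all_events))
```

The point of the normalisation step is that the confidence filter and the alert builder never see the transport: whether an event arrived as a UDP syslog line or an HTTPS HEC POST, they operate on the same flat dictionary, which is what lets one dashboard and one alert rule serve both deployment types.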


Requirements

Component          | Details
-------------------|------------------------------------------------------------------
Splunk platform    | Splunk Enterprise (see Installation for supported versions)
Required add-on    | Technology Add-on for NetFlow (TA-netflow)
NFO prerequisite   | DDoS Detector Module enabled and configured to send flowintegrator events to Splunk
Network            | UDP connectivity for Syslog deployments, or HTTPS connectivity to Splunk HEC for HEC deployments