Alerting & Integration
The NFO DDoS Detector transforms passive monitoring into an active defense system. By leveraging the Confidence Score assigned to every event, you can automate your response to threats and ensure high-confidence attacks are acted on before they impact services.
Confidence-Based Alerting Strategy
We recommend a tiered approach to alerting to reduce noise in your SOC:
- High confidence (90–100%): Trigger immediate automated actions. Multiple Experts have confirmed an attack. Integration with a SOAR platform or firewall API is recommended at this tier.
- Medium confidence (50–89%): Generate a ticket (for example in ServiceNow or Jira). These events represent significant anomalies that require a human analyst to determine whether the cause is a flash crowd or a sophisticated attack.
- Low confidence (< 50%): Log for historical analysis only. No active notification is required.
Output Formats
NFO streams real-time DDoS event data to any Syslog receiver or JSON-based SIEM. Both formats include the same core fields:
- Victim IP: The internal address or subnet under attack
- Attack type: For example SYN Flood or TCP ACK Flood
- Confidence score: The Correlator's assessment at the time of the event
- Attack status: Started, Ongoing, or Abated
Use these feeds to trigger automated blackhole routing, update ACLs on edge routers, or forward events into any downstream security workflow. See Data Outputs for configuration details.
Closing the Loop: The "Abated" Alert
A critical feature of the NFO engine is the Status Update. NFO doesn't just tell you when an attack starts; it sends a final "Abated" or "Cleared" message once the Analytical Experts determine the traffic has returned to normal.
This allows your team to:
- Automatically close security tickets.
- Remove temporary block rules from firewalls.
- Calculate the exact duration of the impact for SLA reporting.
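The following is an added example (not NFO's own code or part of this page) that ties the two recommendations above together: it routes each JSON event by confidence tier, then uses the Abated message to unblock, close the ticket and compute the attack duration. The JSON key names it reads (timestamp, victim_ip, attack_type, confidence, status) are assumptions, since the page lists the four core fields but not their exact keys; the sample feed is constructed, and the block/ticket actions are returned as strings where a real integration would call the firewall or ticketing API.

```python
"""Route NFO DDoS events by confidence tier and close the loop on "Abated".

Added example, not NFO's own code. The JSON keys (timestamp, victim_ip,
attack_type, confidence, status) are assumed; map them to the keys your
Data Outputs configuration actually emits.
"""
import json
from datetime import datetime

HIGH, MEDIUM, LOW = "high", "medium", "low"

# Constructed sample feed (not captured from a real deployment), one JSON
# object per line as a JSON-based SIEM would receive it.
SAMPLE_JSON_LINES = [
    '{"timestamp":"2024-05-01T10:00:00Z","victim_ip":"203.0.113.10","attack_type":"SYN Flood","confidence":95,"status":"Started"}',
    '{"timestamp":"2024-05-01T10:01:00Z","victim_ip":"203.0.113.10","attack_type":"SYN Flood","confidence":97,"status":"Ongoing"}',
    '{"timestamp":"2024-05-01T10:00:30Z","victim_ip":"203.0.113.22","attack_type":"TCP ACK Flood","confidence":62,"status":"Started"}',
    '{"timestamp":"2024-05-01T10:02:00Z","victim_ip":"203.0.113.22","attack_type":"TCP ACK Flood","confidence":91,"status":"Ongoing"}',
    '{"timestamp":"2024-05-01T10:00:45Z","victim_ip":"203.0.113.40","attack_type":"SYN Flood","confidence":30,"status":"Started"}',
    '{"timestamp":"2024-05-01T10:12:00Z","victim_ip":"203.0.113.10","attack_type":"SYN Flood","confidence":95,"status":"Abated"}',
    '{"timestamp":"2024-05-01T10:05:00Z","victim_ip":"203.0.113.40","attack_type":"SYN Flood","confidence":30,"status":"Abated"}',
]


def tier_for(confidence):
    """Map the Correlator's confidence score to the recommended alerting tier."""
    if confidence >= 90:
        return HIGH
    if confidence >= 50:
        return MEDIUM
    return LOW


def parse_ts(value):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 onwards.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class AlertRouter:
    """Keeps one open record per (victim, attack type) from Started until Abated."""

    def __init__(self):
        self.open = {}      # (victim_ip, attack_type) -> record of the live attack
        self.closed = []    # finished attacks with their duration, for SLA reporting
        self.history = []   # every event; the only destination for the low tier
        self._ticket_seq = 0

    def handle(self, ev):
        """Return the list of response actions this single event triggered."""
        self.history.append(ev)
        key = (ev["victim_ip"], ev["attack_type"])
        ts = parse_ts(ev["timestamp"])
        actions = []

        if ev["status"] in ("Started", "Ongoing"):
            rec = self.open.setdefault(key, {
                "started_at": ts, "peak_confidence": 0, "ticket": None, "blocked": False,
            })
            rec["peak_confidence"] = max(rec["peak_confidence"], ev["confidence"])
            # Respond to the highest tier seen so far: a later dip in confidence
            # never lifts a block; only the Abated message does.
            tier = tier_for(rec["peak_confidence"])
            if tier == HIGH and not rec["blocked"]:
                rec["blocked"] = True
                actions.append(f"block {key[0]} ({key[1]}, {ev['confidence']}%)")
            elif tier == MEDIUM and rec["ticket"] is None:
                self._ticket_seq += 1
                rec["ticket"] = f"TICKET-{self._ticket_seq}"
                actions.append(f"open {rec['ticket']} for analyst review of {key[0]}")

        elif ev["status"] in ("Abated", "Cleared"):
            rec = self.open.pop(key, None)
            if rec is None:
                # Abated with no matching Started (e.g. the feed restarted
                # mid-attack): record it, but leave firewall state untouched.
                actions.append(f"unmatched Abated for {key[0]}, check feed continuity")
                return actions
            if rec["blocked"]:
                actions.append(f"unblock {key[0]}")
            if rec["ticket"]:
                actions.append(f"close {rec['ticket']}")
            self.closed.append({
                "victim_ip": key[0], "attack_type": key[1],
                "peak_confidence": rec["peak_confidence"], "ticket": rec["ticket"],
                "duration_s": (ts - rec["started_at"]).total_seconds(),
            })
        return actions


def process_stream(lines):
    """Feed JSON lines through one router; return it plus every action taken."""
    router = AlertRouter()
    actions = []
    for line in lines:
        actions.extend(router.handle(json.loads(line)))
    return router, actions


if __name__ == "__main__":
    router, actions = process_stream(SAMPLE_JSON_LINES)
    print("\n".join(actions))
    for rec in router.closed:
        print(f"{rec['victim_ip']} {rec['attack_type']}: {rec['duration_s']:.0f}s, peak {rec['peak_confidence']}%")
```

Two design points worth noting: the tier is computed from the peak confidence seen during the attack, so a mid-attack dip in the Correlator's score cannot remove a block that an earlier high-confidence event installed; and an Abated message with no matching Started is reported rather than acted on, since it usually means the feed was interrupted and the firewall state is unknown.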
NFO can forward DDoS alerts to any supported destination via Syslog or JSON. Purpose-built visualization and alerting are currently available for Splunk via the DDoS Detector App; see DDoS Detector App for Splunk for installation and dashboard documentation.