Alerting & Integration

The NFO DDoS Detector transforms passive monitoring into an active defense system. By leveraging the intelligence of the Correlator, you can automate your response to threats, ensuring that high-confidence attacks are mitigated before they impact your services.

Confidence-Based Alerting Strategy

Because NFO assigns a Confidence Score to every event, we recommend a tiered alerting strategy to reduce "alert fatigue" in your SOC:

  • High Confidence (90-100%): Trigger immediate automated actions. These alerts indicate that multiple "Experts" have confirmed an attack. Integration with a SOAR platform or Firewall API is recommended here.
  • Medium Confidence (50-89%): Generate a ticket (e.g., in ServiceNow or Jira). These events represent significant anomalies that require a human analyst to verify if they are a "Flash Crowd" or a sophisticated attack.
  • Low Confidence (< 50%): Log for historical analysis only. These are "noise" detections that do not require an active notification.

Output Formats & SIEM Integration

NFO is designed to be a "Data Feed" for your entire security ecosystem. You can configure NFO to output DDoS events in the following formats:

1. Syslog & JSON

NFO can stream real-time attack data to any Syslog receiver or JSON-based SIEM.

  • Key Fields Included: Victim IP, Attack Type (e.g., SYN Flood), Confidence Score, and Attack Status (Started, Ongoing, or Abated).
  • Use Case: Use these feeds to trigger automated "Blackhole" routing or to update ACLs on edge routers.

2. Splunk Alerting

The DDoS Detector for Splunk App includes pre-configured alert templates that notify your team the moment an attack exceeds your defined confidence threshold.

  • Email Notifications: Instant emails include the specific attack type detected (e.g., "TCP ACK flood attack") and a direct link to the DDoS Attack Details dashboard for rapid investigation.
  • Webhook Triggers: Use Splunk's native webhook capability to send NFO alert data to external APIs or messaging apps like Slack and Microsoft Teams.

Closing the Loop: The "Abated" Alert

A critical feature of the NFO engine is the Status Update. NFO doesn't just tell you when an attack starts; it sends a final "Abated" or "Cleared" message once the Analytical Experts determine the traffic has returned to normal.

This allows your team to:

  1. Automatically close security tickets.
  2. Remove temporary block rules from firewalls.
  3. Calculate the exact duration of the impact for SLA reporting.
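The tiered routing above and the Started-to-Abated lifecycle can be combined in one small event consumer. The following is an added example, not NFO's own code: the JSON field names (victim_ip, attack_type, confidence, status, timestamp) are assumed because the page does not give NFO's schema, and the sample feed is constructed.

```python
"""Consumer for NFO-style DDoS events (added example, not NFO's own code).

Routes 'Started' events by confidence tier and closes the loop on 'Abated'.
Field names (victim_ip, attack_type, confidence, status, timestamp) are
assumed; the page does not give NFO's JSON schema. Events are constructed.
"""
import json
from datetime import datetime


def tier(confidence):
    """Map a Confidence Score (0-100) to the page's three alerting tiers."""
    if confidence >= 90:
        return "high"    # automate: SOAR / firewall API
    if confidence >= 50:
        return "medium"  # open a ticket for analyst review
    return "low"         # log only


def process_events(json_lines):
    """Return (actions, durations) for a stream of JSON event lines."""
    actions, open_attacks, durations = [], {}, {}
    action_for = {"high": "block", "medium": "ticket", "low": "log"}
    for line in json_lines:
        ev = json.loads(line)
        key = (ev["victim_ip"], ev["attack_type"])
        ts = datetime.fromisoformat(ev["timestamp"])
        if ev["status"] == "Started":
            open_attacks[key] = ts
            actions.append((action_for[tier(ev["confidence"])],) + key)
        elif ev["status"] == "Abated" and key in open_attacks:
            # Closing the loop: lift the temporary block / close the ticket
            # and record the exact duration for SLA reporting.
            start = open_attacks.pop(key)
            durations[key] = int((ts - start).total_seconds())
            actions.append(("unblock_and_close",) + key)
        # 'Ongoing' status updates require no new action here.
    return actions, durations


# Constructed sample feed (not real NFO output); IPs are documentation ranges.
SAMPLE_EVENTS = [
    '{"timestamp": "2024-05-01T10:00:00", "victim_ip": "203.0.113.10", "attack_type": "SYN Flood", "confidence": 96, "status": "Started"}',
    '{"timestamp": "2024-05-01T10:01:00", "victim_ip": "198.51.100.7", "attack_type": "UDP Flood", "confidence": 72, "status": "Started"}',
    '{"timestamp": "2024-05-01T10:02:00", "victim_ip": "192.0.2.5", "attack_type": "DNS Amplification", "confidence": 35, "status": "Started"}',
    '{"timestamp": "2024-05-01T10:05:00", "victim_ip": "203.0.113.10", "attack_type": "SYN Flood", "confidence": 97, "status": "Ongoing"}',
    '{"timestamp": "2024-05-01T10:20:00", "victim_ip": "198.51.100.7", "attack_type": "UDP Flood", "confidence": 60, "status": "Abated"}',
    '{"timestamp": "2024-05-01T10:42:00", "victim_ip": "203.0.113.10", "attack_type": "SYN Flood", "confidence": 95, "status": "Abated"}',
]

if __name__ == "__main__":
    acts, durs = process_events(SAMPLE_EVENTS)
    for act in acts:
        print(act)
    print(durs)  # durations in seconds, keyed by (victim_ip, attack_type)
```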