Understanding Incidents
An incident is created whenever Flowtriq detects traffic that exceeds the detection threshold on a monitored node. This guide covers everything you can do with incidents, from the list view to deep-dive forensics.
Incident List View
Navigate to Incidents in the sidebar to see all incidents. The list view provides:
Stat Cards
At the top of the page, summary counts are displayed: Total incidents, Active, Resolved, and False Positives.
Filtering
You can filter the incident list by multiple criteria:
| Filter | Options |
|---|---|
| Status | All, Active, Resolved, False Positive |
| Severity | All, Critical, High, Medium, Low |
| Date Range | From date and To date pickers |
| Search | Searches across node name, attack family, title, UUID, attack tool, and attack subtype |
Sorting
Click any column header to sort. Sortable columns include: Started, Severity, Peak PPS, Duration, Attack Family, and Node Name. Default sort is by start time, newest first.
Pagination
The list displays 50 incidents per page with pagination controls at the bottom.
CSV Export
Add ?export=csv to the incidents URL (or use the Export button) to download all matching incidents as a CSV file (up to 10,000 rows). The export respects your current filters.
Bulk Actions
Select multiple incidents using the checkboxes, then use the bulk action toolbar to:
- Bulk Resolve - Mark all selected active incidents as resolved
- Bulk False Positive - Mark all selected as false positives, with an optional reason field
Bulk actions require the Analyst role or higher.
False Positive Scoring in List View
Each incident in the list has a lightweight false positive (FP) score calculated from heuristic checks. Indicators include:
- Micro-burst (duration 15s or less)
- No threat intel signals
- Single source IP
- Low total packets
- Peak not sustained (average PPS far below peak)
- Severity-to-evidence mismatch
The FP score appears as a colored indicator next to the incident, giving you a quick sense of which incidents may warrant review.
Incident Detail Page
Click any incident to open its detail page. This is where the full investigation happens.
AI Summary
Each incident includes an AI-generated analysis that summarizes the attack in plain language. This is auto-generated the first time you view the incident (if peak PPS is greater than 0). The summary covers the attack type, traffic characteristics, and recommended actions.
Incident Actions
From the detail page, you can:
- Resolve - Mark the incident as resolved. This records the resolution time and duration, triggers a postmortem report email to workspace admins, and resets the node status from "attack" to "online" (if no other active incidents remain).
- Mark as False Positive - Flag the incident as a false positive with an optional reason. The reason is stored as an incident note. This also resets the node status if appropriate.
- Add Note - Attach notes to the incident (up to 2,000 characters each). Notes include the author name and timestamp.
- Download PCAP - Generate a time-limited download token for the PCAP file (valid for 15 minutes).
Firewall Mitigation Rules
The incident detail page automatically generates firewall rules tailored to the attack. Rules are generated for your workspace's preferred firewall (iptables, nftables, ufw, firewalld, pf, MikroTik, etc.). Safe IP lists are built automatically from your node IPs and team login IPs to prevent accidental self-blocking.
Recommendations
Below the AI summary, the system provides prioritized recommendations for responding to the attack. These are generated automatically based on the attack characteristics.
Push to Integration
If you have blocking integrations configured (MikroTik, pfSense, CrowdSec), a button allows you to push block rules for the top source IPs directly to your firewall or security platform.
Attack Families and Subtypes
Flowtriq classifies attacks into the following families:
| Family | Description |
|---|---|
| UDP Flood | Volumetric attack using UDP packets. Subtypes include DNS amplification, NTP amplification, memcached reflection, and generic UDP floods. |
| SYN Flood | TCP SYN packets sent to exhaust connection tables. High SYN ratio with few ACK responses. |
| TCP Flood | General TCP-based flooding (ACK floods, RST floods, PSH+ACK floods). |
| HTTP Flood | Layer 7 attacks targeting web servers. Measured in requests per second (RPS) rather than PPS. |
| ICMP Flood | Ping floods and ICMP-based volumetric attacks. |
| DNS Flood | DNS query floods, DNS amplification, and DNS water torture attacks. |
| Protocol Flood | Attacks exploiting protocol weaknesses (GRE floods, IP fragment floods, etc.). |
| Multi-Vector | Attacks combining multiple families simultaneously (e.g., SYN flood + UDP amplification). |
Confidence Scoring
Each incident includes a confidence score (0-100%) indicating how certain the classification is. The score is based on:
- Protocol analysis (TCP flag distribution, UDP/TCP ratio)
- IOC (Indicator of Compromise) matches from threat intelligence feeds
- Source IP analysis (spoofing detection, botnet signatures)
- Traffic pattern analysis (sustained vs. burst, geographic distribution)
Higher confidence means more signals corroborated the classification. A low confidence score may indicate a novel attack type or a legitimate traffic spike.
False Positive Analysis Engine
The incident detail page includes a comprehensive FP Analysis panel that evaluates multiple heuristic indicators:
| Indicator | Weight | What It Checks |
|---|---|---|
| Micro-burst | 80 | Duration was 15 seconds or less (the minimum possible) |
| Short duration | 50 | Duration was between 15-30 seconds |
| No threat indicators | 60 | No IOC matches, no spoofing detected, no botnet signatures |
| Single source IP | 75 | All traffic came from a single source address |
| Low sustained traffic | 65 | Average PPS was less than 10% of peak PPS |
| Standard service ports | 40 | All traffic targeted well-known ports (80, 443, etc.) |
| Normal TCP flags | 45 | SYN ratio is below 50% with ACK traffic present |
| Rapid-fire pattern | 85 | 5+ similar incidents from the same node within 6 hours |
| Severity mismatch | 70 | Critical severity but very few sources and short duration |
| Single source country | 35 | All traffic from one country (botnets typically span multiple) |
| High node FP rate | 55 | 30%+ of incidents on this node in the last 30 days were false positives |
| No amplification | 40 | UDP-based attack with no amplification or reflection signatures |
The overall FP score is the average of triggered indicator weights, with a boost when many indicators fire simultaneously. Levels: High (≥70), Medium (≥45), Low (>0).
Service Port Blocks
If the incident triggered service port detection, the detail page shows a Service Port Blocks section listing each blocked source IP, the block scope (non-service or full IP), the source PPS, targeted ports, block timestamp, and expiry.
Incident Notes
Team members can add notes to any incident for collaboration. Notes are displayed in chronological order with the author name and timestamp. False positive reasons are also stored as incident notes with a special false_positive_reason type.
Incident Groups
When multiple incidents on different nodes are correlated (part of the same attack campaign), they are linked in an Incident Group. Resolving all incidents in a group automatically resolves the group itself.
Auto-Resolve Behavior
Incidents can be resolved automatically in several ways:
- Agent auto-resolve: When traffic drops back below the threshold, the agent reports the incident as resolved.
- Workspace auto-resolve timer: Configurable in Settings → Workspace. Options: 5, 10, 15, 30, or 60 minutes. Set to 0 to disable. Default is 15 minutes.
- Node deletion: Deleting a node resolves all its active incidents immediately.
FAQ
Can I delete an incident?
Yes, admins can delete incidents from the list view. Deleting an incident removes all related data including PCAP captures, recommendations, and group memberships.
What is the difference between Resolved and False Positive?
Resolved means the attack ended (either naturally or was mitigated). False Positive means the detection was a mistake; there was no real attack. False positives are excluded from compliance reports and aggregate statistics.