SIEM & IDS/IPS Integrations
Export structured attack telemetry to 8 security platforms: Splunk, Elasticsearch, Microsoft Sentinel, Syslog CEF, Wazuh, MISP, Suricata, and Zeek
Overview
Flowtriq can export structured attack event data to your existing security tooling in real time. Each integration fires when an attack incident opens, updates on escalation, and fires again on resolution — giving your SIEM a complete attack lifecycle record.
Configure integrations from Dashboard → Integrations → SIEM.
Supported Destinations
| Destination | Protocol | Format | Trigger |
|---|---|---|---|
| Splunk HEC | HTTPS POST | JSON event | Real-time on attack open/update/close |
| Elasticsearch | HTTPS PUT | JSON document | Real-time index write |
| Microsoft Sentinel | HTTPS POST | DCR / Log Analytics API | Real-time on attack open/update/close |
| Syslog (CEF) | UDP/TCP Syslog | CEF 0.1 | Real-time on attack open/update/close |
| Wazuh | TCP / REST API | JSON log | Real-time agent event |
| MISP | HTTPS REST | MISP event + attributes | On attack open (IOC enrichment) |
| Suricata | File feed | Suricata rules (.rules) | Scheduled export feed |
| Zeek | File feed | Zeek Intel Framework | Scheduled export feed |
Splunk HEC
Events are pushed to the Splunk HTTP Event Collector in real time. Each event includes the full incident payload:
Configure with your HEC endpoint URL and token. Supports custom index and source type overrides.
Elasticsearch
Events are indexed as JSON documents. The index name is configurable (default: `flowtriq-attacks`). Each document uses the incident ID as the document ID, so updates overwrite the same document rather than creating duplicates.
Supports both self-hosted Elasticsearch and Elastic Cloud (set the cloud endpoint and API key).
Microsoft Sentinel
Events are sent to a custom Log Analytics table via the Azure Monitor Ingestion API (DCR-based). Requires a Data Collection Rule (DCR) and Data Collection Endpoint (DCE) configured in your Azure tenant.
Syslog CEF
Events are formatted as ArcSight Common Event Format (CEF) v0.1 and sent to your syslog receiver over UDP or TCP. CEF format is natively parsed by most SIEMs.
Wazuh
Events are sent as JSON log entries to the Wazuh manager via its REST API or as agent events. Custom Wazuh rules for Flowtriq event decoding are available in the integration panel.
MISP
When an attack opens, Flowtriq creates a MISP event with:
- Attack family and confidence as event tags
- Source IPs as `ip-src` attributes (if available)
- Target IP as `ip-dst` attribute
- Attack timestamp, peak PPS/BPS as free-text attributes
- Threat level mapped from attack severity
Requires your MISP instance URL and an automation key with event write permissions.
Suricata & Zeek Export Feeds
Flowtriq generates rule/intelligence feeds that Suricata and Zeek can consume on a schedule:
- Suricata: A `.rules` file containing `drop` rules for known attack source IPs (sourced from your incident history and threat intel feeds). Updated every 15 minutes. Configure Suricata to reload with `suricatasc -c reload-rules`.
- Zeek: An Intel Framework compatible file in Zeek's tab-separated format (`Intel::ADDR` type), updated every 15 minutes. Drop it into your Zeek intel directory and it loads automatically on the next rotation.
Feed URLs are available in Dashboard → Integrations → SIEM → Export Feeds and are authenticated with a per-workspace token.
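As an added example (not Flowtriq's own code), the following Python builds the two feed formats described above from a list of attack source IPs and parses the Zeek file back to check it before it is dropped into the intel directory. The `$HOME_NET` target, the `sid` value, the `msg` text and the Zeek `meta.*` columns are assumptions, since the page does not give Flowtriq's exact field values.

```python
"""Build Suricata drop rules and a Zeek Intel file from attack source IPs."""
import ipaddress
from typing import Iterable, List

# Constructed sample input: source IPs recorded for one incident, including a
# duplicate, an IPv6 address and one malformed entry to exercise the cleanup.
SAMPLE_SOURCES = ["203.0.113.7", "198.51.100.42", "203.0.113.7",
                  "2001:db8::1", "not-an-ip"]


def clean_ips(raw: Iterable[str]) -> List[str]:
    """Deduplicate and keep only valid IPv4/IPv6 addresses so one bad entry
    cannot break a rule reload or a Zeek intel import."""
    seen = set()
    for item in raw:
        try:
            seen.add(str(ipaddress.ip_address(item.strip())))
        except ValueError:
            continue
    return sorted(seen)


def suricata_drop_rule(ips: List[str], sid: int,
                       msg: str = "Known attack source") -> str:
    """One 'drop ip' rule with an address list. The sid must be unique across
    your ruleset; 9000000+ is used here only as an assumed local range."""
    return (f'drop ip [{",".join(ips)}] any -> $HOME_NET any '
            f'(msg:"{msg}"; sid:{sid}; rev:1;)')


def zeek_intel_file(ips: List[str], source: str = "flowtriq",
                    desc: str = "attack source") -> str:
    """Zeek Intel Framework file: tab-separated, '#fields' header first,
    one Intel::ADDR row per address. meta.do_notice=T raises a notice."""
    header = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice"
    rows = [f"{ip}\tIntel::ADDR\t{source}\t{desc}\tT" for ip in ips]
    return "\n".join([header] + rows) + "\n"


def parse_zeek_intel(text: str) -> List[dict]:
    """Read an intel file back, mapping rows onto the '#fields' header.
    Raises ValueError on a missing header or a column-count mismatch."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("#fields\t"):
        raise ValueError("missing '#fields' header")
    names = lines[0].split("\t")[1:]
    records = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        if len(cols) != len(names):
            raise ValueError(f"bad column count in row: {ln!r}")
        records.append(dict(zip(names, cols)))
    return records
```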
Event Types
All streaming integrations (Splunk, Elasticsearch, Sentinel, Syslog, Wazuh) receive events for:
| Event type | When it fires |
|---|---|
| attack_open | Incident opens (threshold crossed + classified) |
| attack_update | Significant change: PPS increase >50%, new source IPs, mitigation applied |
| attack_resolved | Incident closed (traffic returned to baseline) |
| mitigation_applied | BGP rule announced, firewall rule executed, or scrubbing activated |
| exposure_finding | New finding from an Exposure scan (CVE, open port, TLS issue) |