SIEM Integrations
Push incident data
to every major SIEM.
Flowtriq integrates with six SIEM platforms out of the box. Splunk, Elasticsearch, Microsoft Sentinel, Syslog CEF, Wazuh, and MISP -- all configured from the dashboard Integrations page with no custom code. Incident data is pushed automatically on detection and resolution, so your SOC sees DDoS events alongside the rest of your security telemetry.
Supported Platforms
Six integrations, zero custom code
Splunk HEC
Sends incident payloads via HTTP Event Collector. Configure your HEC token, target index, and sourcetype from the dashboard. Events arrive in Splunk indexed and searchable within seconds of detection.
HTTP Event Collector
Elasticsearch / OpenSearch
Indexes incident documents directly into your Elasticsearch or OpenSearch cluster. Set the index pattern, authentication, and endpoint URL. Each incident maps to a single document with all fields pre-structured.
REST API
Microsoft Sentinel
Supports both modern Data Collection Rules (DCR) via the Logs Ingestion API and the legacy Data Collector API for Log Analytics workspaces. Choose whichever your environment uses -- both methods push the same incident payload.
DCR + Legacy API
Syslog CEF
Outputs incidents in Common Event Format over syslog, compatible with IBM QRadar, Micro Focus ArcSight, LogRhythm, and FortiSIEM. No custom parsing rules required on the receiving SIEM -- standard CEF headers and extensions are used.
Common Event Format
Wazuh
Forwards incident data as structured syslog messages for Wazuh rule matching and alerting. Wazuh decoders can parse Flowtriq events out of the box, feeding DDoS incidents into your existing Wazuh correlation rules.
Syslog
MISP
Creates threat events in your MISP instance with ip-src attributes for each attacker source IP. Events are pushed on incident resolution, populating your threat database with real attack IOCs for cross-tool correlation.
Threat IOCs
How It Works
Configured in the dashboard, delivered automatically
Every SIEM integration follows the same workflow: configure your endpoint from the Integrations page, and Flowtriq handles the rest. Incident payloads are pushed on both detection and resolution, giving your SOC full event lifecycle visibility without any agent-side scripting or cron jobs.
Configure in dashboard
Select your SIEM from the Integrations page. Enter endpoint URL, authentication credentials, and any platform-specific settings (index name, sourcetype, DCR rule ID).
Incident detected
When the agent detects an attack, the dashboard immediately pushes a structured incident payload to your configured SIEM with all detection metadata.
Incident resolved
On resolution, a second payload is sent with the full incident summary: duration, peak metrics, protocol breakdown, and attacker source IPs. MISP events are created at this stage with IOC attributes.
Correlate in your SOC
Your SIEM receives Flowtriq events alongside your firewall logs, endpoint telemetry, and other security data. DDoS incidents become part of your unified security operations workflow.
Payload Format
Structured incident data, ready for correlation
Every integration receives a consistent JSON payload with the full incident context. The same fields are available regardless of which SIEM you use -- only the transport and formatting differ per platform.
{
  "event": {
    "incident_id": "a3f7c2b1",
    "node": "nyc-edge-01",
    "classification": "UDP Flood",
    "status": "opened",
    "peak_pps": 842000,
    "peak_bps": 6740000000,
    "confidence": 0.97,
    "spoofed": true,
    "timestamp": "2026-06-25T14:22:01Z"
  },
  "sourcetype": "flowtriq:incident",
  "index": "security"
}
FAQ
Common questions about SIEM integrations
How do I set up a SIEM integration?
All six integrations are configured from the dashboard Integrations page. Select your SIEM, enter connection details (endpoint URL, auth token, index name), and save. No custom code, scripts, or agent-side configuration required. Flowtriq will begin pushing incident data on the next detection event.
What data is sent to my SIEM?
Each integration pushes a structured incident payload containing the incident UUID, node name, attack classification, peak PPS and BPS, protocol breakdown, confidence score, spoofing indicator, start/end timestamps, and attacker source IPs. Resolution events are sent separately so your SIEM can correlate open and closed incidents.
How quickly does incident data reach my SIEM after detection?
Incident data is pushed within seconds of detection. Flowtriq sends the payload as soon as the incident is opened, and again when it resolves. There is no batching delay or scheduled export window.
Which Syslog CEF SIEMs are compatible?
Any SIEM that accepts Common Event Format over syslog is compatible, including IBM QRadar, Micro Focus ArcSight, LogRhythm, and FortiSIEM. The CEF output follows the standard header and extension format so no custom parsing rules are needed on the receiving end.
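As an added example (not Flowtriq's own code), here is how the incident payload from the Payload Format section is rendered as a standard CEF line, including the header and extension escaping rules that make "no custom parsing rules" possible on the receiving SIEM. The vendor/product strings and the choice of CEF extension keys are assumptions of this example, not Flowtriq's documented mapping.

```python
from datetime import datetime

# Constructed sample payload, mirroring the Payload Format section above.
SAMPLE_PAYLOAD = {
    "event": {
        "incident_id": "a3f7c2b1", "node": "nyc-edge-01",
        "classification": "UDP Flood", "status": "opened",
        "peak_pps": 842000, "peak_bps": 6740000000,
        "confidence": 0.97, "spoofed": True,
        "timestamp": "2026-06-25T14:22:01Z",
    },
    "sourcetype": "flowtriq:incident", "index": "security",
}

def cef_header(value):
    """Escape a CEF header field: backslashes first, then the '|' delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    """Escape a CEF extension value: backslashes, '=', and line breaks."""
    if isinstance(value, bool):
        value = str(value).lower()
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def epoch_ms(iso_utc):
    """CEF 'rt' expects epoch milliseconds, not the ISO-8601 string."""
    return int(datetime.fromisoformat(iso_utc.replace("Z", "+00:00")).timestamp() * 1000)

def severity_from_confidence(confidence):
    """Map the 0..1 confidence score onto CEF's 0..10 severity scale."""
    return max(0, min(10, round(float(confidence) * 10)))

def to_cef(payload, vendor="Flowtriq", product="DDoS", version="1"):
    """Build 'CEF:0|vendor|product|version|signature|name|severity|extension'."""
    ev = payload["event"]
    # Extension keys are standard CEF names; which ones Flowtriq itself
    # emits on its CEF transport is an assumption of this example.
    ext = {
        "externalId": ev["incident_id"], "dvchost": ev["node"],
        "outcome": ev["status"], "rt": epoch_ms(ev["timestamp"]),
        "cn1": ev["peak_pps"], "cn1Label": "peak_pps",
        "cn2": ev["peak_bps"], "cn2Label": "peak_bps",
        "cs1": ev["spoofed"], "cs1Label": "spoofed",
        "cfp1": ev["confidence"], "cfp1Label": "confidence",
    }
    header = "|".join(cef_header(f) for f in (
        "CEF:0", vendor, product, version, ev["classification"].replace(" ", "_"),
        ev["classification"], severity_from_confidence(ev["confidence"])))
    return header + "|" + " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())
```

Feed the result to `logger` or a syslog socket to see QRadar or ArcSight parse it with their built-in CEF decoder.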
Does the MISP integration share attacker IPs automatically?
Yes. When an incident resolves, Flowtriq creates a threat event in your MISP instance with ip-src attributes for each attacker source IP observed during the attack. This populates your MISP threat database with real attack IOCs for correlation across your security tooling.
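As an added example (not Flowtriq's own code), this builds the MISP event body that the resolution step above describes, one ip-src attribute per attacker source IP, and shows the two checks a SOC would want before such IOCs land in a threat database: non-routable or malformed addresses are dropped, and for a flood flagged as spoofed the attributes are kept for context but not marked to_ids. The resolution payload and its "attacker_ips" and "duration_s" key names are constructed assumptions; the page does not show the resolution payload's field names.

```python
import ipaddress

# Constructed resolution payload. The page says resolution events carry
# duration, peak metrics and attacker source IPs; the key names "attacker_ips"
# and "duration_s" are this example's assumptions, not Flowtriq's field names.
RESOLUTION = {"event": {
    "incident_id": "a3f7c2b1", "node": "nyc-edge-01",
    "classification": "UDP Flood", "status": "resolved",
    "spoofed": True, "duration_s": 312,
    "attacker_ips": ["203.0.113.5", "203.0.113.5", "10.0.0.9",
                     "198.51.100.77", "not-an-ip", "fe80::1"],
}}

# Address space that must never be published as an attacker IOC.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def usable_sources(raw_ips):
    """Validate, drop non-routable addresses and de-duplicate, keeping order."""
    seen, out = set(), []
    for raw in raw_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue            # malformed value in the payload
        if ip.is_multicast or any(ip in net for net in NON_ROUTABLE):
            continue
        if str(ip) not in seen:
            seen.add(str(ip))
            out.append(str(ip))
    return out

def build_misp_event(payload):
    """Body for POST /events on MISP's REST API, one ip-src per attacker."""
    ev = payload["event"]
    # Spoofed floods carry forged sources: keep them as context but leave
    # to_ids off so they are not exported to blocklists as detection IOCs.
    attrs = [{"type": "ip-src", "category": "Network activity", "value": ip,
              "to_ids": not ev["spoofed"],
              "comment": f"Flowtriq incident {ev['incident_id']} on {ev['node']}"}
             for ip in usable_sources(ev["attacker_ips"])]
    return {"Event": {
        "info": f"{ev['classification']} against {ev['node']} ({ev['incident_id']}, {ev['duration_s']}s)",
        "distribution": 0,       # 0 = your organisation only
        "threat_level_id": 2,    # 2 = medium
        "analysis": 2,           # 2 = completed (pushed on resolution)
        "Attribute": attrs,
    }}
```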
Are SIEM integrations included in all plans or is there an add-on cost?
All six SIEM integrations are included on every Flowtriq plan at no additional cost. There are no per-event fees, volume caps, or enterprise-only restrictions. If your plan includes detection and alerting, it includes SIEM forwarding.
Related Features
SIEM integrations work with your full security stack