Detection, Mitigation & Response

Detect and mitigate DDoS attacks in under 1 second, respond automatically, and keep your users informed.

All features →
Docs
Documentation Quick Start API Reference Agent Setup Your Problems, a Comic
Learn
Free Certifications Mirai Botnet Kill Switch State of DDoS 2026 REPORT DDoS Protection Landscape Hackathon Sponsorships
Company
About Us Partners White Label Managed Protection Contact Us System Status
Legal
Security Trust Center Terms Privacy SLA
Who Uses Flowtriq

From indie hosts to ISPs, see how teams like yours use Flowtriq to detect and stop DDoS attacks.

All use cases →
MISP Module Threat Intelligence IOC Sharing

Flowtriq for MISP

Share DDoS attack intelligence with MISP. Export attacker IPs, attack vectors, and incident metadata as MISP events. STIX/TAXII compatible for sharing with your threat intelligence community.

Setup

Connect in three steps

1. Configure MISP API access in Flowtriq
Dashboard > Settings > Integrations > MISP MISP URL: https://your-misp-instance.example.com API Key: YOUR_MISP_API_KEY TLP: tlp:amber Min Severity: high
2. Sample MISP event from a DDoS incident
{ "Event": { "info": "DDoS: UDP Flood targeting 203.0.113.10", "threat_level_id": "1", "Tag": [ {"name": "flowtriq:attack-family=udp-flood"}, {"name": "tlp:amber"} ], "Attribute": [ {"type": "ip-src", "value": "198.51.100.1", "comment": "DDoS source"}, {"type": "ip-src", "value": "198.51.100.2", "comment": "DDoS source"}, {"type": "ip-dst", "value": "203.0.113.10", "comment": "Target"}, {"type": "text", "value": "4.52 Gbps peak", "comment": "Peak bandwidth"} ] } }
3. Verify the export
curl -H "Authorization: YOUR_MISP_API_KEY" \ https://your-misp-instance.example.com/events/index

Capabilities

DDoS threat intelligence for MISP

Automated IOC Export

Every DDoS incident above your configured severity threshold is automatically exported to MISP as a structured event. Source IPs become network indicators, attack families become tags, and incident metadata fills event attributes.

Attack Attribution

MISP events include attacker source IPs, target IPs, attack family classification, peak bandwidth and packet rates, mitigation actions taken, and incident duration. Full context for threat intelligence analysis.

STIX/TAXII Compatible

Once in MISP, DDoS threat intelligence can be shared via TAXII feeds, exported as STIX 2.1 bundles, or synced with other MISP instances. Your DDoS data integrates with your existing threat intelligence workflows.

Community Sharing

Share DDoS attack intelligence with your MISP sharing communities. TLP markings and distribution levels give you control over what gets shared and with whom. Contribute to collective DDoS defense.

Share DDoS intelligence with your community

Connect Flowtriq to MISP and start exporting attack indicators in minutes.

FAQ

Frequently Asked Questions

How does Flowtriq export data to MISP?

Flowtriq exports DDoS incident data to MISP via the MISP REST API. Each incident becomes a MISP event containing attacker IPs as network indicators, attack vectors as tags, and incident metadata (peak bandwidth, duration, mitigation actions) as event attributes.

What IOC types are exported?

The integration exports IP addresses (ip-src), network traffic patterns, attack family classifications (e.g., UDP flood, DNS amplification), CIDR ranges for distributed sources, and temporal data. All indicators are tagged with TLP and confidence levels.

Is the export STIX/TAXII compatible?

Yes. MISP natively supports STIX and TAXII export. Once Flowtriq data is in MISP, you can share it via TAXII feeds, export as STIX 2.1 bundles, or sync with other MISP instances and threat intelligence platforms that consume STIX/TAXII.

Can I control what gets shared?

Yes. Configure which incident severity levels trigger MISP exports. You can limit exports to critical and high severity incidents, exclude specific IP ranges, and set TLP markings to control downstream sharing within your MISP community.