NFO INTEGRATIONS
Your SIEM gets network intelligence.
Not raw noise.
NFO sits between your network and your security stack — normalizing, enriching, and reducing data before it arrives. Your platforms get high-fidelity signal, not raw flow logs.
80% typical ingest reduction: Raw flow logs deduplicated and aggregated at the edge — before they hit your SIEM. Directly reduces consumption-based licensing costs in Sentinel, Splunk Cloud, and others.
100% analytical value retained: Deduplication removes redundancy, not signal. Every meaningful event still reaches your platform — enriched with Geo-IP, threat intelligence, and identity context.
11+ supported platforms: Splunk, Microsoft Sentinel, CrowdStrike, Sumo Logic, Datadog, and more. Pre-built apps for Splunk and Sumo Logic. Data connectors and workbooks for Sentinel.
Integration Architecture
NFO is the intelligent layer before your platform.
Raw telemetry from your network infrastructure goes into NFO. Enriched, normalized, deduplicated intelligence comes out — formatted for your platform and ready to use.
Sources (your network): NetFlow v5/v9, IPFIX, sFlow, Cisco ASA/NVZ, SNMP, MDT, cloud VPC flows (AWS, Azure, GCP, OCI)

NFO Engine (NetFlow Optimizer): normalizes, enriches, and deduplicates the incoming telemetry

Output formats (formatted for your platform): CIM-compliant JSON for Splunk · HEC, Syslog, Kafka, REST API · Pre-built dashboards where available

Your platforms (SIEM · SOAR · Observability): Alerts fire on enriched data. Dashboards load instantly. Analysts investigate with full context — no manual lookup tables.
Deep integrations with the platforms your team already runs.
Splunk
Free app on Splunkbase — dashboards included
The deepest NFO integration. A free app on Splunkbase gives your Splunk team pre-built dashboards for network traffic analysis, device health, and threat detection — working out of the box against NFO’s enriched, CIM-compliant data stream.
Microsoft Sentinel
Reduce Sentinel costs before data lands
Sentinel’s consumption pricing makes raw flow log ingestion expensive. NFO removes that cost — deduplicating and aggregating at the edge so only high-fidelity, enriched events reach your workspace. The same analytical coverage, at a fraction of the ingest cost.
CrowdStrike
Network context for endpoint investigations
CrowdStrike Falcon LogScale gets endpoint visibility from EDR — but network traffic has always been the missing layer. NFO feeds enriched NetFlow and SNMP data into LogScale, so analysts can correlate endpoint alerts with network behavior in the same platform.
Sumo Logic
Free app on Sumo Logic App Catalog
A free app in the Sumo Logic App Catalog gives your team pre-built dashboards for network visibility — traffic analysis, top talkers, geo-IP mapping, and device health — all driven by NFO’s enriched output. No dashboard-building required.
All Integrations
Works with the rest of your stack too.
Data Pipeline
Axoflow
NFO integrates with Axoflow’s telemetry pipeline for advanced routing, transformation, and delivery of enriched network data.
SIEM / Security Analytics
Exabeam
Enriched NetFlow feeds Exabeam’s UEBA engine — giving behavioral models the network context they need for accurate anomaly detection.
Endpoint + Network Correlation
SentinelOne
NFO feeds enriched network telemetry into SentinelOne’s DataSet (Scalyr) for high-performance correlation with endpoint activity.
Observability
Datadog
Observability
New Relic
Observability
Aria Operations for Logs
NFO forwards normalized network telemetry to VMware Aria for log analysis and correlation in VMware-heavy environments.
Cloud Environments
AWS · Azure · Google · OCI
VPC flow logs from all four major cloud providers ingested, normalized, and enriched alongside on-premises NetFlow — one unified stream.
SIEM / Security Analytics
Elastic (SIEM)
ECS-compatible output feeds Elastic SIEM with enriched network events — ready for detection rules and timeline investigations.
Output Formats
NFO speaks your platform’s language.
If your platform isn’t listed above, NFO can likely still deliver to it. Output formats are flexible — configure the destination that fits your pipeline.
JSON / HEC
Structured JSON via HTTP Event Collector — the standard delivery path for Splunk, Sumo Logic, and most modern SIEMs.
Syslog
RFC-compliant syslog output for any platform that accepts it — legacy SIEM, NMS, or custom log pipeline.
Kafka
High-throughput event streaming to Kafka topics — for pipelines that route data through a broker before final destination.
Azure Monitor / REST
Direct delivery to Azure Monitor Log Analytics and REST API endpoints for cloud-native and custom integrations.
See NFO feeding your stack with data that’s actually useful.
Start a free trial with your own network, or talk to an engineer about your specific platform setup.
