Integrations
DFIRe integrates with external tools to enhance your incident response workflow. Connect Slack for real-time team communication, Jira for task and issue tracking, share threat intelligence via TAXII 2.1 and MISP feeds, enrich IOCs with external providers, and configure log forwarding for compliance monitoring.
Slack Integration
When enabled, Slack integration allows:
- Automatic channel creation - A dedicated Slack channel is created for each case, giving your team an instant communication space tied to the investigation
- Real-time message sync - Messages posted in Slack appear in DFIRe's Collaboration tab, and vice versa, keeping all communication in context
- Pushpin capture - React with a pushpin emoji to capture messages or files directly to the case as evidence or notes
- Slash commands - Use /dfire slash commands in Slack for quick actions without leaving your chat workspace
Configuration
Slack integration requires a Slack App configured with the Events API. The following settings are available in the DFIRe administration panel:
- Slack App Token - The application-level token for your Slack App
- Bot Token - The bot user OAuth token used for API calls
- Signing Secret - Used to verify the HMAC-SHA256 signature Slack attaches to every Events API request (the X-Slack-Signature header), so that requests forged by anyone who knows DFIRe's event URL are rejected. Treat it as a credential and store it in the same way as the tokens above
- Channel Prefix - A prefix applied to all automatically created channel names (e.g., "dfire-")
- Default Channel Template - The naming template for new channels, typically incorporating the case number
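The check the Signing Secret exists for, as an added example that is not DFIRe's code: Slack signs each Events API request with HMAC-SHA256 over `v0:<timestamp>:<raw body>` and sends the hex digest, prefixed `v0=`, in `X-Slack-Signature` next to `X-Slack-Request-Timestamp`. The receiver recomputes the signature with the signing secret over the raw request bytes, compares in constant time, and rejects stale timestamps so a captured request cannot be replayed later. The secret value and the event body below are constructed; the header names and signing scheme are Slack's.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Constructed value for the demo. The real signing secret comes from the Slack app's
# settings and belongs in DFIRe's secret store, not in source code.
SIGNING_SECRET = "8f742231b10e8888abcd99yyyzzz85a5"
REPLAY_WINDOW_SECONDS = 5 * 60   # reject requests whose timestamp is more than a few minutes off


def slack_signature(signing_secret: str, timestamp: str, body: bytes) -> str:
    """Slack's v0 scheme: HMAC-SHA256 over "v0:<timestamp>:<raw body>", hex, prefixed "v0="."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()


def verify_slack_request(signing_secret: str, headers: Mapping[str, str], body: bytes,
                         now: Optional[int] = None) -> bool:
    """True only for a request Slack signed recently.

    `body` must be the raw bytes as received: re-serialising parsed JSON changes the
    signed input and the check fails. `now` is injectable so the replay window is testable."""
    timestamp = headers.get("X-Slack-Request-Timestamp")
    signature = headers.get("X-Slack-Signature")
    if not timestamp or not signature:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False   # a valid signature on an old request is a replay, not a live event
    expected = slack_signature(signing_secret, timestamp, body)
    return hmac.compare_digest(expected, signature)   # constant-time comparison


def sign_for_demo(body: bytes, timestamp: int, secret: str = SIGNING_SECRET) -> dict:
    """Build the two headers Slack would attach; used by the self-check below."""
    return {"X-Slack-Request-Timestamp": str(timestamp),
            "X-Slack-Signature": slack_signature(secret, str(timestamp), body)}


if __name__ == "__main__":
    # Constructed event body, shaped like an Events API message callback.
    body = b'{"type":"event_callback","event":{"type":"message","channel":"C0123","text":"ioc 198.51.100.23"}}'
    headers = sign_for_demo(body, timestamp=1_700_000_000)
    print(verify_slack_request(SIGNING_SECRET, headers, body, now=1_700_000_010))          # True
    print(verify_slack_request(SIGNING_SECRET, headers, body + b" ", now=1_700_000_010))   # False: body tampered
    print(verify_slack_request(SIGNING_SECRET, headers, body, now=1_700_000_000 + 3600))   # False: stale, replay
```

The verification has to run before the request body is parsed or acted on; a request that fails it should be answered with a 4xx and logged, not retried.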
The Collaboration tab on each case connects directly to the corresponding Slack channel, providing a unified view of all team communication related to that case.
Slack integration uses the Events API for real-time message syncing. Messages appear in DFIRe within seconds.
Jira Integration
When enabled, Jira integration allows:
- Issue linking - Link cases to Jira issues with clickable references that open directly in Jira
- Issue creation - Create Jira issues directly from incident actions without leaving DFIRe
- Status sync - Sync action status between DFIRe and Jira to keep both systems up to date
- Issue tracking - Track Jira issue keys on case cards and in the case header for quick reference
Configuration
The following settings are required to connect DFIRe to your Jira instance:
- Jira Instance URL - The base URL of your Jira instance (e.g., https://yourorg.atlassian.net)
- API Token - An API token generated from your Jira account for authentication. Generate it for a dedicated service account that holds only the permissions it needs in the target project, so that a leaked token cannot reach unrelated Jira data
- Project Key - The default Jira project key where new issues are created
- Issue Type mapping - Maps DFIRe action types to Jira issue types
Each case can be linked to one Jira issue. When linked, a Jira badge appears in the case header and on the Dashboard case card. The Actions tab has a "Sync Jira" button for bulk synchronization and an individual "Create Jira Item" link on each action for granular control.
Log Integration
DFIRe can forward the complete application audit log to external SIEM or log management systems. The purpose is twofold: a copy of the audit log survives a DFIRe system failure, and user actions can be audited from a copy that an attacker who compromises DFIRe cannot alter after the fact. For the second goal to hold, the credential DFIRe uses for forwarding should only be able to append to the external store, not read from or delete it.
What Is Forwarded
The audit log is sent in full — all application-level events are forwarded, including case lifecycle events, evidence handling, user actions, and configuration changes. There is no filtering by event type; the entire audit log is forwarded or not forwarded at all. The audit log does not contain system-level log events (e.g., OS logs, container logs).
Transport
Logs are sent as HTTPS POST requests, each carrying a JSON batch of events, to a configurable endpoint. Authentication is supported via HTTP Basic Auth or custom HTTP headers (e.g., an Authorization: Bearer header). Connection reliability is controlled by four settings: batch size, request timeout, retry count, and circuit breaker threshold (the number of consecutive delivery failures after which DFIRe temporarily stops sending rather than hammering an endpoint that is down).
Log forwarding runs asynchronously in background tasks, so a slow or unavailable endpoint does not block user requests. Events are delivered at least once, with automatic retry on failure; because a retry can re-send a batch that the endpoint received but never acknowledged, the receiving system should deduplicate on the event identifier. When enabling forwarding, you can choose to send all historical audit entries or only entries written from that point on.
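An added example, not DFIRe's implementation, of the delivery semantics described above: batching, per-batch retries, a circuit breaker that opens after a run of failed batches, and the at-least-once consequence that a batch whose response was lost is sent again. The `ForwarderConfig` fields, the `FakeEndpoint` stand-in for a SIEM, the bearer token and the audit events are all constructed for the demo; the `send` callable is where a real HTTPS POST (with the configured timeout) would go.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A sender returns the HTTP status code, or raises OSError when no response came back.
Sender = Callable[[bytes, Dict[str, str]], int]


@dataclass
class ForwarderConfig:
    """The settings named above; field names and defaults are this example's, not DFIRe's."""
    batch_size: int = 3
    timeout: float = 5.0                 # handed to the HTTP client by a real sender
    retry_count: int = 2                 # extra attempts per batch after the first
    circuit_breaker_threshold: int = 3   # consecutive failed batches before the breaker opens
    headers: Dict[str, str] = field(     # constructed token, not a real credential
        default_factory=lambda: {"Authorization": "Bearer CONSTRUCTED-TOKEN"})


class AuditLogForwarder:
    def __init__(self, cfg: ForwarderConfig, send: Sender):
        self.cfg, self.send = cfg, send
        self.queue: List[dict] = []   # undelivered events; never dropped, even while the breaker is open
        self.consecutive_failures = 0
        self.attempts = 0

    def enqueue(self, *events: dict) -> None:
        self.queue.extend(events)

    def circuit_open(self) -> bool:
        return self.consecutive_failures >= self.cfg.circuit_breaker_threshold

    def reset_circuit(self) -> None:
        self.consecutive_failures = 0   # a real forwarder would half-open after a cooldown probe

    def flush(self) -> int:
        """Deliver queued events in order; returns how many the endpoint acknowledged with a 2xx."""
        delivered = 0
        while self.queue and not self.circuit_open():
            batch = self.queue[: self.cfg.batch_size]
            if not self._send_batch(batch):
                break                     # batch stays queued for the next flush
            del self.queue[: len(batch)]
            delivered += len(batch)
        return delivered

    def _send_batch(self, batch: List[dict]) -> bool:
        payload = json.dumps({"events": batch}).encode()
        headers = {"Content-Type": "application/json", **self.cfg.headers}
        for _ in range(self.cfg.retry_count + 1):
            self.attempts += 1
            try:
                status = self.send(payload, headers)
            except OSError:               # timeout or reset: unknown whether the SIEM stored the batch
                status = None
            if status is not None and 200 <= status < 300:
                self.consecutive_failures = 0
                return True
        self.consecutive_failures += 1
        return False


class FakeEndpoint:
    """Constructed SIEM stand-in: stores each batch, then drops the connection for the
    first `drop_responses` requests so the forwarder never sees the 2xx."""
    def __init__(self, drop_responses: int = 0, always_status: int = 200):
        self.received: List[dict] = []
        self.drop_responses, self.always_status = drop_responses, always_status

    def __call__(self, payload: bytes, headers: Dict[str, str]) -> int:
        if headers.get("Authorization") != "Bearer CONSTRUCTED-TOKEN":
            return 401
        if self.always_status >= 300:
            return self.always_status
        self.received.extend(json.loads(payload)["events"])
        if self.drop_responses > 0:
            self.drop_responses -= 1
            raise OSError("connection reset before response")
        return 200


EVENTS = [{"id": "evt-%d" % i, "action": "case.evidence.added", "user": "analyst@example.org"}
          for i in range(1, 6)]   # constructed audit events; field names are illustrative


def demo_at_least_once():
    """One dropped response makes the first batch arrive twice: (delivered, received, unique ids)."""
    endpoint = FakeEndpoint(drop_responses=1)
    fwd = AuditLogForwarder(ForwarderConfig(), endpoint)
    fwd.enqueue(*EVENTS)
    return fwd.flush(), len(endpoint.received), len({ev["id"] for ev in endpoint.received})


def demo_circuit_breaker():
    """Two failed flushes open the breaker; the third makes no attempts; nothing is lost."""
    fwd = AuditLogForwarder(ForwarderConfig(retry_count=1, circuit_breaker_threshold=2),
                            FakeEndpoint(always_status=503))
    fwd.enqueue(*EVENTS)
    stats = {"delivered_while_down": fwd.flush() + fwd.flush() + fwd.flush(), "attempts": fwd.attempts,
             "breaker_open": fwd.circuit_open(), "still_queued": len(fwd.queue)}
    fwd.send = FakeEndpoint()   # the SIEM is back
    fwd.reset_circuit()
    stats["delivered_after_recovery"] = fwd.flush()
    return stats
```

The first demo returns (5, 8, 5): five events acknowledged, eight copies received because the first batch of three was stored and then re-sent, five left after the receiver keys on the event id. That duplicate is the price of at-least-once delivery and the reason the SIEM side must be idempotent; the alternative, dropping a batch after a lost response, would silently lose audit records.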
Threat Intelligence Sharing
DFIRe can share published IOC indicators with external systems through two standard protocols:
TAXII 2.1 Server
DFIRe includes a built-in read-only TAXII 2.1 server that serves published indicators as STIX 2.1 objects. External threat intelligence platforms can subscribe to DFIRe collections to receive indicator updates.
- Standards-based: Full TAXII 2.1 compliance (discovery, API root, collections, objects, manifest)
- Collection-based: Organize indicators into collections for selective sharing
- API key authentication: Access is limited to clients presenting a configured API key; since the key is a bearer credential, expose the TAXII endpoint over HTTPS only and issue a separate key per consuming platform so one can be revoked without affecting the others
- TLP enforcement: TLP:RED indicators are never published
MISP-Compatible Feed
DFIRe can generate a MISP-compatible JSON feed that can be consumed by MISP instances and other tools that support the MISP feed format.
- Per-TLP events: Indicators grouped by TLP level into separate MISP events
- Automatic updates: Feed regenerated as indicators are published or revoked
- Standard format: Compatible with MISP pull feeds
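An added example, not DFIRe's code, of the two rules stated above: TLP:RED indicators are withheld from TAXII publication, and whatever remains publishable is grouped into one MISP event per TLP level in the `{"Event": {...}}` shape MISP feeds use. The STIX 2.1 bundle, every object id and the indicator values are constructed. Two design choices are this example's rather than documented DFIRe behaviour: an object carrying several markings gets its most restrictive one, and an indicator with no marking or an unresolvable marking ref is withheld (fail closed).

```python
import re
import uuid
from collections import defaultdict

# Higher rank = more restrictive. TLP 2.0 names sit beside the TLP 1.0 names that
# STIX 2.1 marking definitions use; an unknown name ranks as red (fail closed).
TLP_RANK = {"clear": 0, "white": 0, "green": 1, "amber": 2, "amber+strict": 2, "red": 3}


def rank(level: str) -> int:
    return TLP_RANK.get(level.lower(), TLP_RANK["red"])


# Constructed STIX 2.1 bundle (example data, not DFIRe output). The marking definitions
# use the STIX 2.1 TLP shape; every id is made up.
MD = "marking-definition--aaaa0000-0000-4000-8000-00000000000"
IND = "indicator--bbbb0000-0000-4000-8000-00000000000"
BUNDLE = {"type": "bundle", "id": "bundle--cccc0000-0000-4000-8000-000000000001", "objects": [
    {"type": "marking-definition", "spec_version": "2.1", "id": MD + "1",
     "definition_type": "tlp", "definition": {"tlp": "green"}},
    {"type": "marking-definition", "spec_version": "2.1", "id": MD + "2",
     "definition_type": "tlp", "definition": {"tlp": "amber"}},
    {"type": "marking-definition", "spec_version": "2.1", "id": MD + "3",
     "definition_type": "tlp", "definition": {"tlp": "red"}},
    {"type": "indicator", "spec_version": "2.1", "id": IND + "1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.23']", "object_marking_refs": [MD + "1"]},
    {"type": "indicator", "spec_version": "2.1", "id": IND + "2", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.net']", "object_marking_refs": [MD + "2"]},
    {"type": "indicator", "spec_version": "2.1", "id": IND + "3", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", "object_marking_refs": [MD + "3"]},
    {"type": "indicator", "spec_version": "2.1", "id": IND + "4", "pattern_type": "stix",   # green AND red
     "pattern": "[url:value = 'https://c2.example.net/gate']", "object_marking_refs": [MD + "1", MD + "3"]},
    {"type": "indicator", "spec_version": "2.1", "id": IND + "5", "pattern_type": "stix",   # unmarked
     "pattern": "[domain-name:value = 'unmarked.example.org']"},
    {"type": "indicator", "spec_version": "2.1", "id": IND + "6", "pattern_type": "stix",   # dangling ref
     "pattern": "[domain-name:value = 'dangling.example.org']", "object_marking_refs": [MD + "9"]},
]}


def tlp_of(obj: dict, markings: dict):
    """Most restrictive TLP among the object's markings; None if unmarked or a ref is unknown."""
    levels = []
    for ref in obj.get("object_marking_refs", []):
        md = markings.get(ref)
        if md is None or md.get("definition_type") != "tlp":
            return None   # cannot prove it is shareable, so it is treated as not shareable
        levels.append(md["definition"]["tlp"].lower())
    return max(levels, key=rank) if levels else None


def publishable_indicators(bundle: dict):
    """Indicators this example would expose via TAXII: resolvable marking, below TLP:RED."""
    markings = {o["id"]: o for o in bundle["objects"] if o["type"] == "marking-definition"}
    out = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        tlp = tlp_of(obj, markings)
        if tlp is not None and rank(tlp) < rank("red"):
            out.append((tlp, obj))
    return out


# Only single-comparison patterns are handled here; a real feed needs a STIX pattern parser.
PATTERN_RE = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*\]$")
STIX_TO_MISP = {
    "ipv4-addr:value": ("Network activity", "ip-dst"),
    "domain-name:value": ("Network activity", "domain"),
    "url:value": ("Network activity", "url"),
    "file:hashes.'SHA-256'": ("Payload delivery", "sha256"),
}


def pattern_to_attribute(pattern: str):
    m = PATTERN_RE.match(pattern)
    if not m or m.group(1) not in STIX_TO_MISP:
        return None
    category, attr_type = STIX_TO_MISP[m.group(1)]
    return {"category": category, "type": attr_type, "value": m.group(2), "to_ids": True}


def misp_feed_events(bundle: dict):
    """One MISP event per TLP level, least restrictive first."""
    by_tlp = defaultdict(list)
    for tlp, ind in publishable_indicators(bundle):
        attr = pattern_to_attribute(ind["pattern"])
        if attr is not None:
            attr["comment"] = ind["id"]   # keeps the link back to the STIX object
            by_tlp[tlp].append(attr)
    events = []
    for tlp in sorted(by_tlp, key=rank):
        events.append({"Event": {
            # Stable per level, so regenerating the feed updates the event instead of duplicating it.
            "uuid": str(uuid.uuid5(uuid.NAMESPACE_URL, "https://dfire.example/feed/tlp-" + tlp)),
            "info": "DFIRe published indicators (TLP:" + tlp.upper() + ")",
            "Tag": [{"name": "tlp:" + tlp}],
            "Attribute": by_tlp[tlp],
        }})
    return events
```

Run against the constructed bundle, only the green IP and the amber domain are published: the SHA-256 is TLP:RED, the URL inherits red from its second marking, and the two indicators without a resolvable marking are withheld. The feed then contains a green event and an amber event, each tagged with its level so a consuming MISP can apply its own sharing rules.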
See Indicators of Compromise for detailed documentation on IOC sharing, TAXII configuration, and MISP feed setup.
IOC Enrichment Providers
DFIRe integrates with external threat intelligence services to automatically enrich indicators with additional context. Supported providers include:
- Built-in: DNS resolution, WHOIS lookup (no API key required)
- Threat Intelligence: VirusTotal, Shodan, AlienVault OTX, URLhaus, ThreatFox, MalwareBazaar, urlscan.io
- Reputation: AbuseIPDB, Google Safe Browsing, GreyNoise
Configure API keys in Settings > IOC Enrichment. See Indicators of Compromise - Enrichment for details on each provider. Keep in mind that enrichment submits the indicator value to the provider: a hash or domain looked up at a third-party service is disclosed to that service, so consider this before enriching indicators whose existence is itself sensitive (for example TLP:RED indicators).
Webhook Integration
DFIRe also supports outgoing webhooks for event-driven automation. Webhooks allow you to trigger external workflows, notify third-party services, and build custom integrations based on DFIRe events.
See the dedicated Webhooks documentation for detailed webhook configuration, payload formats, and delivery management.