Session

Managed Cloud Threat Detection with Flink

Cloud Detection enables MITRE ATT&CK-based threat detection for simple cases, such as a single event matching a rule, and for complex scenarios, such as correlating events across multiple devices. It allows faster rule creation and publishing, with real-time matching using Apache Flink as the streaming engine. Doing this in the cloud removes cumbersome on-premise component updates, which saves threat analysts' time and reduces costs for customers.

With Change Data Capture (CDC) and the Outbox pattern, we reliably broadcast threat detection rules from the rule microservice to every parallel instance (subtask) of the Flink job, which matches the rules against incoming events and promotes matches to alerts.
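The rule-distribution half of that design, written as an added example for this page (it is not the speaker's or the product's code): rules arrive on a Kafka topic that a CDC connector such as Debezium fills from the rule microservice's outbox table, and the Flink job puts them into broadcast state so that every parallel subtask holds the same rule set and can match events locally. The rule and event schemas, the topic names, the broker address and the assumption that each message value is the plain rule JSON (for example after Debezium's outbox event router has unwrapped it) are all assumptions made for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.flink.api.common.eventtime.WatermarkStrategy;
import org.apache.flink.api.common.serialization.SimpleStringSchema;
import org.apache.flink.api.common.state.BroadcastState;
import org.apache.flink.api.common.state.MapStateDescriptor;
import org.apache.flink.api.common.state.ReadOnlyBroadcastState;
import org.apache.flink.api.common.typeinfo.TypeInformation;
import org.apache.flink.connector.kafka.source.KafkaSource;
import org.apache.flink.connector.kafka.source.enumerator.initializer.OffsetsInitializer;
import org.apache.flink.streaming.api.datastream.DataStream;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;
import org.apache.flink.streaming.api.functions.co.BroadcastProcessFunction;
import org.apache.flink.util.Collector;

import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class RuleBroadcastJob {

    /** Single-event rule as carried by an outbox message (schema assumed for this example). */
    public static class Rule implements Serializable {
        public String id;          // stable rule id, used as the broadcast-state key
        public boolean enabled;    // false acts as a tombstone: remove the rule on every subtask
        public String field;       // event field to compare
        public String expected;    // value the field must equal
        public String technique;   // MITRE ATT&CK technique id (assumed field)
    }

    public static class Event implements Serializable {
        public String device;
        public Map<String, String> fields = new HashMap<>();
    }

    public static class Alert implements Serializable {
        public String ruleId, technique, device;
    }

    // One descriptor shared by the broadcasting side and by every reading subtask.
    static final MapStateDescriptor<String, Rule> RULES = new MapStateDescriptor<>(
            "rules", TypeInformation.of(String.class), TypeInformation.of(Rule.class));

    /** Wires rules into broadcast state and matches each event against the current rule set. */
    public static DataStream<Alert> build(DataStream<Event> events, DataStream<Rule> rules) {
        return events
                .connect(rules.broadcast(RULES))
                .process(new BroadcastProcessFunction<Event, Rule, Alert>() {
                    @Override
                    public void processBroadcastElement(Rule rule, Context ctx, Collector<Alert> out)
                            throws Exception {
                        // Called on every parallel subtask with the same rule sequence, so all copies
                        // of the state converge. Disabled rules are removed rather than left to fire.
                        BroadcastState<String, Rule> state = ctx.getBroadcastState(RULES);
                        if (rule.enabled) state.put(rule.id, rule); else state.remove(rule.id);
                    }

                    @Override
                    public void processElement(Event event, ReadOnlyContext ctx, Collector<Alert> out)
                            throws Exception {
                        ReadOnlyBroadcastState<String, Rule> state = ctx.getBroadcastState(RULES);
                        for (Map.Entry<String, Rule> entry : state.immutableEntries()) {
                            Rule r = entry.getValue();
                            if (r.expected != null && r.expected.equals(event.fields.get(r.field))) {
                                Alert a = new Alert();
                                a.ruleId = r.id; a.technique = r.technique; a.device = event.device;
                                out.collect(a);
                            }
                        }
                    }
                });
    }

    private static final ObjectMapper MAPPER = new ObjectMapper();

    public static void main(String[] args) throws Exception {
        StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment();
        // "rules-outbox" is the topic the CDC connector fills from the outbox table (assumed name).
        DataStream<Rule> rules = env
                .fromSource(kafka("rules-outbox"), WatermarkStrategy.noWatermarks(), "rules")
                .map(json -> MAPPER.readValue(json, Rule.class));
        DataStream<Event> events = env
                .fromSource(kafka("events"), WatermarkStrategy.noWatermarks(), "events")
                .map(json -> MAPPER.readValue(json, Event.class));
        build(events, rules).print();
        env.execute("cloud-threat-detection");
    }

    private static KafkaSource<String> kafka(String topic) {
        return KafkaSource.<String>builder()
                .setBootstrapServers("kafka:9092")          // assumed broker address
                .setTopics(topic)
                .setGroupId("threat-detection")
                .setStartingOffsets(OffsetsInitializer.earliest())
                .setValueOnlyDeserializer(new SimpleStringSchema())
                .build();
    }
}
```

Two operational points follow from this shape. Broadcast state is checkpointed, so a job restored from a checkpoint keeps its rules, but a job started from scratch only knows the rules it can replay: read the rules topic from the earliest offset, or keep it log-compacted by rule id, otherwise the detector comes up with an empty rule set and silently misses everything. And because a deleted rule that is never broadcast as a tombstone keeps firing on every subtask forever, the outbox row for a deletion is as important as the row for a creation.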

We also used Flink's Complex Event Processing (CEP) library to correlate multiple events by detecting specific patterns within a bounded time window, generating alerts for the detected complex threats mapped to MITRE tactics.
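A concrete CEP correlation of the kind described, added here as an example and not taken from the talk or the product: five or more failed logins for one user, possibly reported by different devices, followed by a successful login for the same user within ten minutes, which is raised as a Credential Access / Brute Force alert. The event schema, the thresholds, the constructed sample events in main and the tactic and technique labels are assumptions for the example.

```java
import org.apache.flink.api.common.eventtime.WatermarkStrategy;
import org.apache.flink.cep.CEP;
import org.apache.flink.cep.functions.PatternProcessFunction;
import org.apache.flink.cep.nfa.aftermatch.AfterMatchSkipStrategy;
import org.apache.flink.cep.pattern.Pattern;
import org.apache.flink.cep.pattern.conditions.SimpleCondition;
import org.apache.flink.streaming.api.datastream.DataStream;
import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;
import org.apache.flink.streaming.api.windowing.time.Time;
import org.apache.flink.util.Collector;

import java.io.Serializable;
import java.time.Duration;
import java.util.List;
import java.util.Map;

public class BruteForceCepJob {

    public static class AuthEvent implements Serializable {
        public String user;      // correlation key
        public String device;    // host that reported the attempt
        public String outcome;   // "failure" or "success"
        public long timestamp;   // epoch millis, used as event time

        public AuthEvent() {}
        public AuthEvent(String user, String device, String outcome, long timestamp) {
            this.user = user; this.device = device; this.outcome = outcome; this.timestamp = timestamp;
        }
    }

    public static class Alert implements Serializable {
        public String user, tactic, technique, successDevice;
        public int failures;
        public long firstFailure, success;
    }

    /** Five or more failures for one user, then a success, all within 10 minutes of the first failure. */
    public static Pattern<AuthEvent, ?> bruteForceThenSuccess() {
        // skipPastLastEvent: once a match fires, do not re-use its events for overlapping matches,
        // otherwise 6, 7, 8... failures produce a flood of near-identical alerts.
        return Pattern.<AuthEvent>begin("failures", AfterMatchSkipStrategy.skipPastLastEvent())
                .where(new SimpleCondition<AuthEvent>() {
                    @Override public boolean filter(AuthEvent e) { return "failure".equals(e.outcome); }
                })
                .timesOrMore(5)
                .followedBy("success")
                .where(new SimpleCondition<AuthEvent>() {
                    @Override public boolean filter(AuthEvent e) { return "success".equals(e.outcome); }
                })
                .within(Time.minutes(10));
    }

    public static DataStream<Alert> build(DataStream<AuthEvent> events) {
        // Event time with 30 s tolerance for out-of-order delivery from different devices.
        DataStream<AuthEvent> withTime = events.assignTimestampsAndWatermarks(
                WatermarkStrategy.<AuthEvent>forBoundedOutOfOrderness(Duration.ofSeconds(30))
                        .withTimestampAssigner((e, ts) -> e.timestamp));

        // keyBy(user) so the pattern is evaluated per user across all reporting devices.
        return CEP.pattern(withTime.keyBy(e -> e.user), bruteForceThenSuccess())
                .process(new PatternProcessFunction<AuthEvent, Alert>() {
                    @Override
                    public void processMatch(Map<String, List<AuthEvent>> match, Context ctx,
                                             Collector<Alert> out) {
                        List<AuthEvent> failures = match.get("failures");
                        AuthEvent success = match.get("success").get(0);
                        Alert a = new Alert();
                        a.user = success.user;
                        a.tactic = "Credential Access";   // MITRE ATT&CK tactic (assumed label)
                        a.technique = "T1110";            // Brute Force (assumed label)
                        a.failures = failures.size();
                        a.firstFailure = failures.get(0).timestamp;
                        a.success = success.timestamp;
                        a.successDevice = success.device;
                        out.collect(a);
                    }
                });
    }

    public static void main(String[] args) throws Exception {
        StreamExecutionEnvironment env = StreamExecutionEnvironment.getExecutionEnvironment();
        long t0 = 1_700_000_000_000L;
        // Constructed sample: six failures spread over two devices, then a success on a third.
        DataStream<AuthEvent> events = env.fromElements(
                new AuthEvent("alice", "web-1", "failure", t0),
                new AuthEvent("alice", "web-2", "failure", t0 + 20_000),
                new AuthEvent("alice", "web-1", "failure", t0 + 40_000),
                new AuthEvent("alice", "web-2", "failure", t0 + 60_000),
                new AuthEvent("alice", "web-1", "failure", t0 + 80_000),
                new AuthEvent("alice", "web-2", "failure", t0 + 100_000),
                new AuthEvent("alice", "vpn-1", "success", t0 + 6 * 60_000));
        build(events).print();
        env.execute("cep-brute-force");
    }
}
```

The window in `within()` is measured from the first event of a match, so a slow attacker who spaces attempts more than ten minutes apart never completes the pattern; that is the trade-off between detection latency and the state held per key. Partial matches that time out are dropped silently by default, so if the interesting case is "many failures and no success" (lockout or spraying), implement `TimedOutPartialMatchHandler` on the process function to turn the discarded partial match into its own alert.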

Shipeng Xie

Software Engineer

Palo Alto, California, United States
