detectflow-main by socprime

AI-driven cybersecurity detection and enrichment platform

Created 1 week ago

350 stars

Project Summary

DetectFlow is detection intelligence accelerated with AI. It addresses slow cyberattack detection by performing line-speed analysis with AI trained on extensive historical data. It targets security operations teams and engineers, offering sub-second Mean Time To Detect (MTTD) and shifting daily work from SIEM tuning to comprehensive detection orchestration across diverse data pipelines.

How It Works

This project uses Apache Flink for real-time stream processing and Apache Kafka for data ingestion. Events are tagged in-flight with metadata from Sigma detection rules, optionally sourced from the SOC Prime Platform or GitHub repositories, before they reach SIEMs. This approach allows for sub-second MTTD, scales rule capacity by 10x on existing infrastructure, and requires no changes to the current SIEM ingestion architecture.

Highlighted Details

  • Sub-second MTTD: Achieves detection times of 0.005–0.01 seconds.
  • Enhanced Rule Capacity: Enables 10x rule capacity on existing infrastructure.
  • Real-time Operations: Features a live Dashboard for pipeline monitoring and Pipeline Management for creating/configuring ETL processes.
  • Hot-Reload Support: Allows updating rules, filters, and parsers without restarting pipelines, ensuring zero downtime for these changes.

Maintenance & Community

The provided README does not detail community channels (e.g., Discord, Slack), notable contributors, sponsorships, or a public roadmap. It mentions integration with the SOC Prime Platform for rule synchronization.

Licensing & Compatibility

  • License type: Dual licensed under the European Union Public License (EUPL) v1.2 and a SOC Prime Commercial License. Users must select the appropriate license based on their intended use.
  • Compatibility: No explicit restrictions mentioned for commercial use or closed-source linking beyond the license terms.

Limitations & Caveats

Deployment demands significant Kubernetes and infrastructure expertise. The system comprises multiple interdependent services (Backend, UI, MatchNode, Schema Parser). Optional features like cloud rule synchronization necessitate internet access and API keys.

Health Check

  • Last Commit: 6 days ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 355 stars in the last 7 days
