# Detection Engine

Design and implement a detection engine that matches security telemetry events against configurable rules. The exercise is focused on your design thinking, architecture decisions, and problem-solving approach.

## The Problem

### Engine Behavior

Input:

- List of rules
- List of events

When an event matches a rule, the engine outputs:

```
ALERT: Event [event_id] matched Rule [rule_id]
```

Each rule evaluates against an individual event.

### Telemetry Events

Security events containing indicators:

- Event ID: unique identifier
- Indicators: one or more of FileName, Sha1, Md5, IP, Domain (all strings)
- Constraint: each indicator type appears only once per event

Example event:

```json
{
  "eventId": "evt_001",
  "fileName": "suspicious.exe",
  "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
  "ip": "192.168.1.100"
}
```

### Detection Rules

Rules that define matching logic:

- Rule ID: unique identifier
- Detection Expression: built from indicator conditions using the structure below

Expression structure:

- Simple Expression: `[IndicatorType] [Operator] [Value]`
  - IndicatorType: FileName, Sha1, Md5, IP, Domain
  - Operator: Equals, Contains, StartsWith
  - Value: string to match against
- Complex Expression: built from simple expressions and the boolean operators AND, OR

Expression examples:

- Simple: `(FileName Contains 'malware')`
- Complex: `((FileName Equals 'virus.exe') AND (IP StartsWith '192.168'))`
- Complex: `((Domain Contains 'malicious') OR (Sha1 Equals 'abc123'))`

Important implementation note on rule structure: the examples above are for illustration only. You do not need to parse these string expressions. Instead, design your own rule structure and choose the data structure that makes the most sense for your implementation.
### Matching Examples

Example 1 - MATCH:

- Event: `{"eventId": "evt_001", "fileName": "suspicious.exe", "ip": "192.168.1.100"}`
- Rule: `(FileName Contains 'suspicious')`
- Output: `ALERT: Event evt_001 matched Rule rule_001`

Example 2 - MATCH:

- Event: `{"eventId": "evt_002", "fileName": "clean.exe", "ip": "192.168.1.50", "domain": "safe.com"}`
- Rule: `((IP StartsWith '192.168') AND (Domain Equals 'safe.com'))`
- Output: `ALERT: Event evt_002 matched Rule rule_002`

Example 3 - NO MATCH:

- Event: `{"eventId": "evt_003", "fileName": "document.pdf", "sha1": "xyz789"}`
- Rule: `(FileName Contains 'exe')`
- Output: No alert (`document.pdf` does not contain `exe`)

## Your Approach

1. Design: explain your class structure and component interactions.
2. Implement: build the core matching engine.
3. Discuss: how would you scale or extend this?
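The following is one possible answer to the exercise, added here as a worked example; it is not part of the original problem statement and not a reference solution. It represents rules as a small expression tree (a `Condition` leaf, with `And` and `Or` nodes holding any number of operands) instead of parsing the string syntax, validates events against the input contract before matching, and reproduces the three matching examples above plus the full rules-times-events sweep the engine behaviour section describes. Class and function names (`Indicator`, `Condition`, `DetectionEngine`, `match`, `run_examples`), the `rule_003` identifier and the validation behaviour are all assumptions of this example.

```python
"""Rule-matching detection engine for indicator-bearing telemetry events (example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple, Union

# An event is a flat JSON object: "eventId" plus at most one of each indicator key.
Event = Dict[str, str]


class Indicator(str, Enum):
    # Enum values are the JSON keys used in events; names match the spec's indicator types.
    FILE_NAME = "fileName"
    SHA1 = "sha1"
    MD5 = "md5"
    IP = "ip"
    DOMAIN = "domain"


class Operator(str, Enum):
    EQUALS = "Equals"
    CONTAINS = "Contains"
    STARTS_WITH = "StartsWith"


@dataclass(frozen=True)
class Condition:
    """Simple expression: [IndicatorType] [Operator] [Value]. Comparison is exact
    (case-sensitive); normalising hashes or domains is a design decision left to the caller."""
    indicator: Indicator
    operator: Operator
    value: str

    def evaluate(self, event: Event) -> bool:
        actual = event.get(self.indicator.value)
        if actual is None:
            return False  # indicator absent from the event: the condition cannot hold
        if self.operator is Operator.EQUALS:
            return actual == self.value
        if self.operator is Operator.CONTAINS:
            return self.value in actual
        return actual.startswith(self.value)


@dataclass(frozen=True)
class And:
    """Complex expression: true only if every operand is true."""
    operands: Tuple["Expression", ...]

    def evaluate(self, event: Event) -> bool:
        return all(op.evaluate(event) for op in self.operands)


@dataclass(frozen=True)
class Or:
    """Complex expression: true if any operand is true."""
    operands: Tuple["Expression", ...]

    def evaluate(self, event: Event) -> bool:
        return any(op.evaluate(event) for op in self.operands)


Expression = Union[Condition, And, Or]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    expression: Expression


def validate_event(event: Event) -> None:
    """Reject events that violate the input contract before any rule sees them."""
    if not isinstance(event.get("eventId"), str):
        raise ValueError("event must carry a string eventId")
    unknown = set(event) - {i.value for i in Indicator} - {"eventId"}
    if unknown:
        raise ValueError(f"unknown indicator keys: {sorted(unknown)}")
    # "each indicator type at most once" holds by construction: dict keys are unique.


def match(event: Event, rule: Rule) -> Optional[str]:
    """Evaluate one rule against one event; return the alert line, or None on no match."""
    validate_event(event)
    if rule.expression.evaluate(event):
        return f"ALERT: Event {event['eventId']} matched Rule {rule.rule_id}"
    return None


class DetectionEngine:
    """Holds the rule set and evaluates every rule against every event."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def evaluate(self, events: List[Event]) -> List[str]:
        return [alert for event in events for rule in self.rules
                if (alert := match(event, rule)) is not None]


# Constructed sample data reproducing the three matching examples from the problem statement.
EVENTS: List[Event] = [
    {"eventId": "evt_001", "fileName": "suspicious.exe", "ip": "192.168.1.100"},
    {"eventId": "evt_002", "fileName": "clean.exe", "ip": "192.168.1.50", "domain": "safe.com"},
    {"eventId": "evt_003", "fileName": "document.pdf", "sha1": "xyz789"},
]
RULES: List[Rule] = [
    Rule("rule_001", Condition(Indicator.FILE_NAME, Operator.CONTAINS, "suspicious")),
    Rule("rule_002", And((Condition(Indicator.IP, Operator.STARTS_WITH, "192.168"),
                          Condition(Indicator.DOMAIN, Operator.EQUALS, "safe.com")))),
    Rule("rule_003", Condition(Indicator.FILE_NAME, Operator.CONTAINS, "exe")),  # assumed id
]


def run_examples() -> List[Optional[str]]:
    """Pairwise checks from the worked examples: event i against rule i."""
    return [match(e, r) for e, r in zip(EVENTS, RULES)]


if __name__ == "__main__":
    for line in run_examples():
        print(line or "No alert")
    print(DetectionEngine(RULES).evaluate(EVENTS))
```

Note that the pairwise `run_examples` reproduces exactly the three outputs listed above, while `DetectionEngine.evaluate` applies every rule to every event, so `rule_003` (`FileName Contains 'exe'`) also fires on `evt_001` and `evt_002`; that difference is the "each rule evaluates against an individual event" requirement made visible. A missing indicator makes a condition false rather than raising, which is the behaviour Example 2 would need if the event lacked a domain; validation failures are raised before matching so malformed telemetry cannot silently produce or suppress alerts.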