[Detections][Discuss] Detection engine tech debt/refactor opportunities #80792
Labels
Feature:Detection Rules
Security Solution rules and Detection Engine
Team:Detection Engine
Security Solution Detection Engine Area
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Team:SIEM
technical debt
Improvement of the software architecture and operational architecture
Summary
Now with 6 different rule types in the detection engine we've accumulated some tech debt. Below are areas that I think we can refactor to reduce maintenance burden and make the detection engine easier to reason about.
High level goals:
Reduce data structure duplication by moving towards a single source of truth for schemas
signalSchema
,RuleTypeParams
, andRulesSchema
. A single schema should represent rules and should be used as the basis for derivative schemas (for example, the rule APIs return a flattened version of the rule in the response - this flattened schema can be defined in terms of the source of truth so we avoid duplication)signalSchema
for validation, but then use the params as typeRuleTypeParams
which is defined independently. Some fields are defined withschema.nullable
insignalSchema
, but the corresponding field inRuleTypeParams
is possiblyundefined
notnull
. This can lead to some unexpected behavior withnull
values showing up in rules and eventually in signals created by those rules.Pick
orOmit
on the source of truth so it's easy to update and clear when fields are included/omitted.searchAfterAndBulkCreate
, among others. Often many of these parameters are then passed through to other functions inside. This makes it hard to add new fields to rules since every function definition on the call stack has to be modified to pass each field through. Passing the entire rule through as a single unit makes it easier to add new fields, and IMO easier to reason about where each parameter comes from.Establish clear divisions between rule types by creating separate schemas for each rule type, merged (via union) into the single source of truth
KQLRuleParams
,EQLRuleParams
,ThreatRuleParams
, etc. The overall rule params schema then becomesKQLRuleParams | EQLRuleParams | ThreatRuleParams | ...
.type
of the rulethreshold
is required for threshold rules, therefore it is optional in the complete rule schema). This means we have a number of functions that do some additional validation based on thetype
when creating/updating rules, ensuring that these optional fields are there when required. However, these functions have to be maintained in sync with the schema and add complexity which is hard to reason about.I propose that the single source of truth is the rule SO data structure, which in turn is represented using a union of the individual rule types. The schemas for the various create/update/patch requests would be defined separately and should be the few places where we see some schema duplication due to the need for setting defaults for certain fields in the routes. However, unit tests can verify that the output from decoding with the create/update/patch schemas is a valid rule by following up with a decode using the source of truth rule schema. This ensures that the route schemas stay in sync with the source of truth.
Prior refactoring art
The text was updated successfully, but these errors were encountered: