Design and implement a detection engine that matches security telemetry events against configurable rules. The exercise focuses on your design thinking, architecture decisions, and problem-solving approach.
The Problem
Engine Behavior
Input:
List of rules
List of events
Output: when an event matches a rule, emit ALERT: Event [event_id] matched Rule [rule_id]
Each rule is evaluated against each individual event
Telemetry Events
Security events containing indicators:
Event ID: Unique identifier
Indicators: One or more of: FileName, Sha1, Md5, IP, Domain (all strings)
Constraint: Each indicator type appears only once per event
Example Event:
{
"eventId": "evt_001",
"fileName": "suspicious.exe",
"sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
"ip": "192.168.1.100"
}
Detection Rules
Rules that define matching logic:
Rule ID: Unique identifier
Detection Expression: Built from indicator conditions using the structure below
Expression Structure:
Simple Expression: [IndicatorType] [Operator] [Value]
IndicatorType: FileName, Sha1, Md5, IP, Domain
Operator: Equals, Contains, StartsWith
Value: String to match against
Complex Expression: Built using simple expressions and boolean operators: AND, OR
Expression Examples:
Simple:
(FileName Contains 'malware')
Complex:
((FileName Equals 'virus.exe') AND (IP StartsWith '192.168'))
((Domain Contains 'malicious') OR (Sha1 Equals 'abc123'))
Important Implementation Note on Rule Structure:
The examples above are for illustration only. You do not need to parse these string expressions. Instead, design your own rule structure: choose the data structure that makes the most sense for your implementation.
Matching Examples
Example 1 - MATCH:
Event: {"eventId": "evt_001", "fileName": "suspicious.exe", "ip": "192.168.1.100"}
Rule rule_001: (FileName Contains 'suspicious')
Output: ALERT: Event evt_001 matched Rule rule_001
Example 2 - MATCH:
Event: {"eventId": "evt_002", "fileName": "clean.exe", "ip": "192.168.1.50", "domain": "safe.com"}
Rule rule_002: ((IP StartsWith '192.168') AND (Domain Equals 'safe.com'))
Output: ALERT: Event evt_002 matched Rule rule_002
Example 3 - NO MATCH:
Event: {"eventId": "evt_003", "fileName": "document.pdf", "sha1": "xyz789"}
Rule: (FileName Contains 'exe')
Output: No alert (document.pdf does not contain 'exe')
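One way to represent the rule structure described above as an expression tree and run it over the three matching examples, added here as an illustration rather than a reference solution: Condition, Compound, Rule, OPERATORS and run_engine are names chosen for this example, and the rule ids for examples 1 and 2 are taken from the expected output while rule_003 is an assumed id for example 3. A condition on an indicator the event lacks (example 1 against the Domain condition of rule_002) evaluates to false rather than raising.

```python
from dataclasses import dataclass

OPERATORS = {  # simple-expression operators: actual indicator value vs. rule value
    "Equals": lambda actual, value: actual == value,
    "Contains": lambda actual, value: value in actual,
    "StartsWith": lambda actual, value: actual.startswith(value),
}

@dataclass(frozen=True)
class Condition:  # simple expression: [IndicatorType] [Operator] [Value]
    indicator: str  # event key: fileName, sha1, md5, ip, domain
    operator: str   # Equals, Contains, StartsWith
    value: str
    def evaluate(self, event: dict) -> bool:
        actual = event.get(self.indicator)
        # An indicator missing from the event never satisfies a condition on it.
        return actual is not None and OPERATORS[self.operator](actual, self.value)

@dataclass(frozen=True)
class Compound:  # complex expression: two sub-expressions joined by AND or OR
    op: str       # "AND" or "OR"
    left: object  # Condition or Compound
    right: object
    def evaluate(self, event: dict) -> bool:
        if self.op == "AND":
            return self.left.evaluate(event) and self.right.evaluate(event)
        return self.left.evaluate(event) or self.right.evaluate(event)

@dataclass(frozen=True)
class Rule:
    rule_id: str
    expression: object  # Condition or Compound

def run_engine(rules: list, events: list) -> list:
    """Evaluate every rule against every event and return the ALERT lines."""
    return [f"ALERT: Event {e['eventId']} matched Rule {r.rule_id}"
            for e in events for r in rules if r.expression.evaluate(e)]

# Constructed sample input: the rules and events from the matching examples above.
RULES = [
    Rule("rule_001", Condition("fileName", "Contains", "suspicious")),
    Rule("rule_002", Compound("AND", Condition("ip", "StartsWith", "192.168"),
                              Condition("domain", "Equals", "safe.com"))),
    Rule("rule_003", Condition("fileName", "Contains", "exe")),  # assumed id
]
EVENTS = [
    {"eventId": "evt_001", "fileName": "suspicious.exe", "ip": "192.168.1.100"},
    {"eventId": "evt_002", "fileName": "clean.exe", "ip": "192.168.1.50", "domain": "safe.com"},
    {"eventId": "evt_003", "fileName": "document.pdf", "sha1": "xyz789"},
]
```

Because every rule is evaluated against every event, rule_003 also fires on evt_001 and evt_002 (both file names contain 'exe'), which is the cross-product behaviour the specification asks for.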
Your Approach
1. Design: Explain your class structure and component interactions
2. Implement: Build the core matching engine
3. Discuss: How would you scale or extend this?