Skip to content
KYRA MDR Documentation

Detection Content Lifecycle Management

Detection Content Lifecycle Management

Overview

This document defines the complete lifecycle for detection content within the KYRA AI MDR platform, including rules, threat hunting queries, analytics, and ML models. The lifecycle ensures quality, consistency, and operational excellence across all detection capabilities.

Lifecycle States

1. Development

State: DEVELOPMENT Duration: Variable (typically 1-4 weeks) Ownership: Detection Engineering Team

Activities:

  • Initial rule/query creation
  • Basic syntax validation
  • Unit testing against known datasets
  • MITRE ATT&CK mapping
  • Initial documentation

Requirements:

  • Valid detection logic
  • MITRE ATT&CK technique mapping
  • Basic metadata (severity, description, author)
  • Test cases with expected outcomes
  • False positive assessment

Exit Criteria:

  • All unit tests pass
  • Peer review completed
  • Security review approved
  • Documentation complete

2. Testing

State: TESTING Duration: 1-2 weeks Ownership: Detection Engineering + QA Teams

Activities:

  • Integration testing in staging environment
  • Performance impact assessment
  • False positive rate measurement
  • Tuning and optimization
  • Threat actor simulation testing

Requirements:

  • Run against 30-day historical dataset
  • Performance metrics within SLA bounds
  • False positive rate < 5% for Critical/High severity
  • False positive rate < 10% for Medium/Low severity
  • Load testing completed
  • Integration with alerting pipeline verified

Performance SLA:

  • Query execution time: < 30 seconds (hunt queries)
  • Real-time detection latency: < 5 seconds

Exit Criteria:

  • All performance tests pass
  • False positive rate within acceptable limits
  • Integration tests successful
  • QA sign-off obtained

3. Staging

State: STAGING Duration: 1 week Ownership: Detection Engineering + SOC Teams

Activities:

  • Deploy to staging environment
  • SOC analyst validation
  • Customer preview (Enterprise tier only)
  • Final tuning based on real-world data
  • Runbook creation

Requirements:

  • SOC playbook created/updated
  • Alert routing configured
  • Escalation procedures defined
  • Customer communication prepared
  • Rollback procedures validated

Exit Criteria:

  • SOC team approval
  • Customer feedback incorporated (if applicable)
  • Production deployment plan approved
  • Change control board approval

4. Production

State: PRODUCTION Duration: Ongoing Ownership: SOC + Detection Engineering Teams

Activities:

  • Active monitoring and alerting
  • Performance tracking
  • False positive monitoring
  • Effectiveness measurement
  • Customer feedback collection

Monitoring Requirements:

  • Alert volume trending
  • False positive rate tracking
  • True positive validation
  • Performance metrics monitoring
  • Customer satisfaction scores

SLA Commitments:

  • Alert processing time: < 5 minutes
  • False positive response: < 4 hours
  • Rule modification time: < 24 hours
  • Critical issue resolution: < 2 hours

5. Deprecated

State: DEPRECATED Duration: 90 days (deprecation window) Ownership: Detection Engineering Team

Activities:

  • Customer notification (60-day advance notice)
  • Migration path provision
  • Gradual traffic reduction
  • Performance impact monitoring
  • Documentation updates

Deprecation Triggers:

  • Better detection available
  • High false positive rate (>15% sustained)
  • Performance issues unresolvable
  • Threat landscape changes
  • Detection no longer applicable

Requirements:

  • Customer notification sent
  • Migration documentation provided
  • Alternative solutions identified
  • Impact analysis completed
  • Sunset timeline established

6. Retired

State: RETIRED Duration: Permanent Ownership: Data Retention Team

Activities:

  • Rule deactivation
  • Historical data retention
  • Documentation archival
  • Audit trail preservation
  • Knowledge base updates

Approval Workflow

Stage Gates

graph TD
    A[Development] --> B[Peer Review]
    B --> C[Security Review]
    C --> D[Testing]
    D --> E[QA Approval]
    E --> F[Staging]
    F --> G[SOC Approval]
    G --> H[Change Control Board]
    H --> I[Production]
    I --> J[Monitoring]
    J --> K{Performance OK?}
    K -->|Yes| J
    K -->|No| L[Tuning]
    L --> D
    J --> M[Deprecation Review]
    M --> N[Deprecated]
    N --> O[Retired]

Approval Matrix

StageReviewerAuthoritySLA
Development → TestingDetection EngineerPeer Review2 days
Development → TestingSecurity TeamSecurity Review3 days
Testing → StagingQA TeamQuality Approval2 days
Staging → ProductionSOC ManagerOperational Readiness1 day
Staging → ProductionChange Control BoardProduction Deployment3 days
Production → DeprecatedDetection ManagerLifecycle Decision5 days

Emergency Fast-Track Process

For critical threat responses:

  • Security incident declared by SOC Manager
  • Accelerated approval by CISO delegate
  • Parallel testing in production environment
  • 24-hour post-deployment review

Requirements:

  • Written justification
  • Risk assessment
  • Monitoring plan
  • Rollback procedure

Testing Requirements

Unit Testing

Coverage: 90% minimum Test Cases:

  • Positive detection scenarios
  • Negative scenarios (should not trigger)
  • Edge cases and boundary conditions
  • Input validation
  • Error handling

Integration Testing

Environment: Staging with production-like data Duration: 7 days minimum Metrics:

  • Alert volume
  • False positive rate
  • Performance impact
  • Resource utilization

Performance Testing

Scenarios:

  • Peak load simulation (10x normal volume)
  • Sustained load testing (24-hour duration)
  • Memory leak detection
  • Resource exhaustion testing

A/B Testing

Traffic Split: 10% initial, 50% after 24 hours, 100% after 72 hours Metrics:

  • Detection effectiveness
  • False positive rate comparison
  • Performance delta
  • Customer satisfaction impact

Deprecation Process

60-Day Notice Period

Customer Communications:

  • Email notification to security contacts
  • In-app notification banners
  • Documentation updates

Technical Preparations:

  • Alternative solution validation
  • Migration tools and guidance
  • Documentation updates
  • Training materials

30-Day Warning Period

Escalated Communications:

  • Direct outreach to high-usage customers
  • Webinar sessions for migration guidance
  • Support ticket proactive creation
  • Account manager engagement

Technical Validations:

  • Migration path testing
  • Performance impact assessment
  • Rollback capability verification
  • Support runbook updates

Deprecation Window (90 Days)

Gradual Reduction:

  • Week 1-4: 100% functionality, warnings enabled
  • Week 5-8: 75% traffic routing, alternatives promoted
  • Week 9-12: 50% traffic routing, migration prompts
  • Week 13: Complete deactivation

Support Activities:

  • Migration assistance
  • Performance monitoring
  • Issue resolution
  • Success metrics tracking

Performance Monitoring

Real-Time Metrics

Detection Performance:

  • Alert generation rate (alerts/minute)
  • Processing latency (p95, p99)
  • False positive rate (hourly)
  • True positive rate (daily)
  • Coverage effectiveness (weekly)

System Performance:

  • CPU utilization per rule
  • Memory consumption per rule
  • Disk I/O impact
  • Network bandwidth usage
  • Query execution time

Business Metrics:

  • Time to detection (TTD)
  • Mean time to acknowledgment (MTTA)
  • Customer satisfaction score
  • Rule adoption rate
  • Support ticket volume

Monitoring Thresholds

MetricWarningCriticalAction
False Positive Rate8%15%Auto-disable
Processing Latency10s30sAlert engineering
Query Timeout Rate2%5%Performance tuning

Escalation Matrix

  • Warning: 15 minutes → Detection engineer
  • Critical: 5 minutes → On-call engineer
  • Extended critical: 30 minutes → Engineering manager
  • Sustained issues: 2 hours → VP Engineering

Performance Dashboards

  1. Detection Health Overview

    • Rule performance summary
    • Alert volume trends
    • False positive rates
    • System resource usage

  2. Rule-Specific Performance

    • Individual rule metrics
    • Historical performance trends
    • Comparative analysis
    • Optimization recommendations

  3. Customer Impact View

    • Per-tenant metrics
    • SLA compliance
    • Customer satisfaction trends
    • Support impact correlation

Automated Performance Actions

Auto-scaling Triggers:

  • CPU usage > 80% for 10 minutes
  • Memory usage > 90% for 5 minutes
  • Queue depth > 1000 items
  • Processing latency > p99 threshold

Auto-remediation Actions:

  • Rule temporary disable (FP rate > 20%)
  • Resource allocation increase
  • Traffic load balancing

Performance Review Cycle

Weekly Reviews:

  • Rule performance assessment
  • Resource utilization analysis
  • Customer impact evaluation
  • Optimization opportunities

Monthly Reviews:

  • Lifecycle state evaluations
  • Deprecation candidates identification
  • Performance trend analysis
  • Capacity planning updates

Quarterly Reviews:

  • Complete rule portfolio assessment
  • Platform optimization review
  • Customer feedback integration
  • Strategic roadmap alignment

AI-Assisted Lifecycle Management

The platform uses AI to enhance detection lifecycle management:

  • Automated Rule Effectiveness Analysis: Continuous evaluation of detection performance
  • False Positive Pattern Detection: Identification of systemic false positive causes
  • Optimization Recommendations: AI-generated suggestions for rule tuning
  • Natural Language Rule Explanations: Plain-language descriptions of detection logic for SOC analysts

Compliance and Audit

Audit Trail Requirements

Tracked Events:

  • All lifecycle state transitions
  • Approval decisions with justification
  • Performance threshold breaches
  • Customer impact incidents
  • Emergency fast-track usage

Retention Policy:

  • Audit logs: 7 years
  • Performance metrics: 2 years
  • Customer feedback: 5 years
  • Rule content: Indefinite (versioned)

Compliance Frameworks

SOC 2 Type II:

  • Change management controls
  • Performance monitoring evidence
  • Customer communication audit trail
  • Access control documentation

ISO 27001:

  • Risk assessment documentation
  • Security review evidence
  • Incident response integration
  • Continuous improvement tracking

Reporting Requirements

Monthly Reports:

  • Rule lifecycle summary
  • Performance trending
  • Customer satisfaction metrics
  • Compliance status

Quarterly Reports:

  • Complete portfolio review
  • ROI analysis
  • Strategic recommendations

Success Metrics

Quality Metrics

  • False positive rate < 10% (overall)
  • True positive rate > 90% (validated alerts)
  • Time to detection < 5 minutes (critical threats)
  • Rule accuracy improvement over time

Operational Metrics

  • Lifecycle compliance rate > 95%
  • SLA adherence > 99%
  • Customer satisfaction > 4.5/5
  • Support ticket reduction year-over-year

Business Metrics

  • Detection coverage increase
  • Mean time to value (new rules)
  • Customer retention correlation
  • Revenue impact per rule improvement

Document Version: 1.0 Last Updated: 2024 Next Review: Quarterly Owner: Detection Engineering Team Approver: VP of Engineering, CISO