Phase 3 Sprint 3.1 - Processing Schema Architecture
Summary
A dedicated telemetry processing validator package now enforces strict canonical payload schema and MITRE mapping validity before queue publish.
Threat Model
- Prevent malformed or semantically invalid telemetry from reaching processing stages.
Attack Vectors Considered
- Additional property injection.
- Missing canonical fields.
- Invalid ATT&CK technique/tactic identifiers.
Mitigations Implemented
- New
services/telemetry_processing/validator.pymodule. - Canonical payload model with strict field allow-list.
- MITRE format validators integrated into ingest flow.
- DLQ routing for canonical schema failures.
Residual Risk
- Schema evolution/versioning is not yet formalized.
Future Improvements
- Add schema version negotiation and migration tooling.
Architecture Diagram
flowchart LR
TG[Telemetry Gateway]
V[Canonical Schema + MITRE Validator]
Q[(Telemetry Queue)]
DLQ[(DLQ)]
TG --> V
V -->|valid| Q
V -->|invalid| DLQ