
Detection Rules

This content has not yet been translated into Japanese.

The Detection Rules page manages 233 active detection rules covering 115 MITRE ATT&CK techniques. Rules run continuously against ingested log and network flow data, automatically generating alerts and escalating critical threats to incidents.


Detection Pipeline

Events (OpenSearch) → Detection Engine (5 min cycle) → Alert → AI Assessment → Incident

  • Events: Log + Network data
  • Detection Engine: 233 active rules, 4 rule types
  • Incident: Critical/High only, 1 per rule per 24h

How It Works

  1. Detection Engine runs every 5 minutes, checking all ACTIVE rules
  2. Each rule query is executed against OpenSearch (events-* for syslog, network-logs-* for NDR)
  3. When matches are found, an Alert is created with deduplication (same rule+target = merged within 24h)
  4. Critical and High severity matches automatically create an Incident (1 per rule per 24h)
  5. New alerts and rules are automatically assessed by Dual AI Agents (Global Threat Intel + Internal SOC)
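
The five steps above describe one engine cycle end to end. The following is an added example (not the product's own engine code) that models steps 1, 3 and 4 in Python: only ACTIVE rules are evaluated, matches for the same rule and target are merged into one alert within 24 hours, and Critical/High matches open at most one incident per rule per 24 hours. The OpenSearch query results are replaced by a constructed dictionary of matches, and the 24-hour windows are measured from the alert's or incident's creation time, which is an assumption the page does not state.

```python
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(hours=24)          # same rule+target merged within 24h
INCIDENT_SEVERITIES = {"critical", "high"}  # only these severities open incidents


class Rule:
    def __init__(self, rule_id, name, severity, status):
        self.rule_id, self.name, self.severity, self.status = rule_id, name, severity, status


class Alert:
    def __init__(self, rule_id, target, now, hits):
        self.rule_id, self.target = rule_id, target
        self.first_seen = self.last_seen = now
        self.hits = hits


class Incident:
    def __init__(self, rule_id, now):
        self.rule_id, self.created_at = rule_id, now


class DetectionEngine:
    def __init__(self):
        self.alerts = []
        self.incidents = []

    def run_cycle(self, rules, matches, now):
        """One 5-minute cycle. `matches` stands in for the OpenSearch results:
        {rule_id: [(target, hit_count), ...]} (constructed, not a real query)."""
        touched = []
        for rule in rules:
            if rule.status != "ACTIVE":      # DRAFT / DISABLED rules are skipped
                continue
            for target, hits in matches.get(rule.rule_id, []):
                touched.append(self._upsert_alert(rule, target, hits, now))
                if rule.severity in INCIDENT_SEVERITIES:
                    self._maybe_open_incident(rule, now)
        return touched

    def _upsert_alert(self, rule, target, hits, now):
        # Assumption: the dedup window is counted from the alert's first_seen.
        for alert in self.alerts:
            if (alert.rule_id == rule.rule_id and alert.target == target
                    and now - alert.first_seen < DEDUP_WINDOW):
                alert.hits += hits
                alert.last_seen = now
                return alert
        alert = Alert(rule.rule_id, target, now, hits)
        self.alerts.append(alert)
        return alert

    def _maybe_open_incident(self, rule, now):
        # Assumption: "1 per rule per 24h" is counted from the incident's creation.
        for inc in self.incidents:
            if inc.rule_id == rule.rule_id and now - inc.created_at < DEDUP_WINDOW:
                return None
        inc = Incident(rule.rule_id, now)
        self.incidents.append(inc)
        return inc


def simulate():
    """Three cycles over a constructed scenario; returns the engine for inspection."""
    rules = [
        Rule("r1", "SSH brute force", "critical", "ACTIVE"),
        Rule("r2", "Unfinished rule", "high", "DRAFT"),   # never evaluated
    ]
    engine = DetectionEngine()
    t0 = datetime(2024, 1, 1, 0, 0)
    # cycle 1: r1 matches host-a; r2 has a match but is DRAFT and is ignored
    engine.run_cycle(rules, {"r1": [("host-a", 12)], "r2": [("host-b", 3)]}, t0)
    # cycle 2, five minutes later: same rule+target merges; no second incident
    engine.run_cycle(rules, {"r1": [("host-a", 7)]}, t0 + timedelta(minutes=5))
    # cycle 3, 25 hours later: outside both windows -> new alert and new incident
    engine.run_cycle(rules, {"r1": [("host-a", 1)]}, t0 + timedelta(hours=25))
    return engine


if __name__ == "__main__":
    e = simulate()
    print(len(e.alerts), "alerts,", len(e.incidents), "incidents")
```

After the three cycles there are two alerts (the first carrying 19 merged hits) and two incidents; the DRAFT rule produced nothing even though it had a match.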

Rule Types

Type          Description
SIGMA         Standard SIGMA-format rules translated to OpenSearch DSL
CORRELATION   Rules that correlate multiple events across time windows
ANOMALY       Baseline deviation detection using statistical thresholds
CLOUD         Cloud-specific rules for AWS, Azure, and GCP audit logs

MITRE ATT&CK Filtering

Rules are mapped to the MITRE ATT&CK framework. The filter bar provides two searchable selects:

  • Tactic — 14 items (Initial Access, Execution, Persistence, etc.) with search input
  • Technique — Filtered list of techniques with search input

Selecting a tactic filters the technique dropdown to show only techniques under that tactic. Selecting a technique auto-sets the corresponding tactic. This linked filtering works in both directions.


Rule Table

Columns

Column      Description
Rule Name   Name with i18n support (EN/KO/JA from JSONB)
Source      Log (syslog) or Network (NDR) — auto-detected from query
Type        SIGMA, CORRELATION, ANOMALY, CLOUD
Severity    critical, high, medium, low (color-coded)
Status      ACTIVE, DRAFT, DISABLED
MITRE       ATT&CK technique ID (e.g., T1110.001)
Triggers    Total match count (clickable → shows detection results)
AI          Dual agent classification + confidence % (click for details)
Actions     Test, AI Assess, Edit, Enable/Disable, Delete

Pagination

Server-side pagination with 50 rules per page. Supports:

  • Search: Full-text across name, description, query, MITRE tactic/technique
  • Filters: By severity, status, rule type, MITRE tactic, MITRE technique
  • Sort: By trigger count (default), name, severity

Rule Lifecycle

DRAFT → ACTIVE → DISABLED
        ACTIVE ← DISABLED (re-enable)

  • DRAFT — Rule is being authored or tested. Editable.
  • ACTIVE — Rule is running in the detection engine. Cannot be edited directly; must be disabled first.
  • DISABLED — Rule is inactive. Can be edited and re-enabled.
  • Delete — Only allowed for non-ACTIVE rules (disable first)

To modify an active rule, disable it, make changes, then re-enable.
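
The lifecycle rules above form a small state machine. As an added example (not the product's own code), the following Python encodes exactly the transitions shown in the diagram, refuses edits and deletes in the states the page forbids, and wraps the documented disable / edit / re-enable workflow in one function. The `DetectionRule` class and its fields are constructed for illustration; no transition other than the three in the diagram is assumed to exist.

```python
from dataclasses import dataclass

# Only the edges drawn in the lifecycle diagram: DRAFT -> ACTIVE -> DISABLED,
# plus re-enable (DISABLED -> ACTIVE). Nothing else is assumed.
ALLOWED_TRANSITIONS = {
    ("DRAFT", "ACTIVE"),
    ("ACTIVE", "DISABLED"),
    ("DISABLED", "ACTIVE"),
}
EDITABLE_STATES = {"DRAFT", "DISABLED"}   # ACTIVE rules cannot be edited directly


class LifecycleError(Exception):
    """Raised when an operation is not permitted in the rule's current state."""


@dataclass
class DetectionRule:
    name: str
    query: str
    status: str = "DRAFT"   # newly authored rules start as drafts

    def transition(self, new_status):
        if (self.status, new_status) not in ALLOWED_TRANSITIONS:
            raise LifecycleError(f"{self.status} -> {new_status} is not an allowed transition")
        self.status = new_status
        return self

    def edit(self, **changes):
        # A running rule must be disabled before its definition can change.
        if self.status not in EDITABLE_STATES:
            raise LifecycleError(f"cannot edit a {self.status} rule; disable it first")
        for field_name, value in changes.items():
            if field_name == "status":
                raise LifecycleError("status changes go through transition(), not edit()")
            if not hasattr(self, field_name):
                raise LifecycleError(f"unknown rule field: {field_name}")
            setattr(self, field_name, value)
        return self

    def can_delete(self):
        # Delete is only allowed for non-ACTIVE rules.
        return self.status != "ACTIVE"


def modify_active_rule(rule, **changes):
    """The documented workflow for a running rule: disable, edit, re-enable."""
    if rule.status != "ACTIVE":
        raise LifecycleError("modify_active_rule expects an ACTIVE rule")
    rule.transition("DISABLED")
    try:
        rule.edit(**changes)
    finally:
        # Re-enable even if the edit was rejected, so a failed edit does not
        # leave the rule silently switched off.
        rule.transition("ACTIVE")
    return rule


if __name__ == "__main__":
    r = DetectionRule("SSH brute force", "process.name:sshd AND message:*Failed*")
    r.transition("ACTIVE")
    modify_active_rule(r, query="process.name:sshd AND event.outcome:failure")
    print(r.status, r.query)
```

The `finally` clause is the one design choice worth noting: if an edit is rejected mid-workflow, the rule is put back into ACTIVE rather than left DISABLED, which is the failure mode an operator would otherwise have to notice by hand.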


Export

Detection rules can be exported via the API:

GET /api/v1/export/detection-rules

Supported formats: CSV and JSON. The export includes rule name, type, severity, status, MITRE mapping, and query.


AI Assessment

Each rule can be assessed by the Dual AI Agent system:

Agent                 Perspective
Global Threat Intel   External threat landscape, CVE database, known attack patterns
Internal SOC          Organization-specific risk, asset criticality, historical incidents

Assessment produces:

  • Classification: CRITICAL, HIGH, MEDIUM, LOW, FALSE_POSITIVE
  • Confidence: 0–100%

Auto-assessment triggers when a rule creates a new alert. Manual assessment via the sparkle icon.


Multilingual Support (i18n)

Rule names and descriptions are stored as JSONB with per-language translations for Korean and Japanese:

{
"name_i18n": {"ko": "SSH 무차별 대입 공격 탐지", "ja": "SSHブルートフォース攻撃検出"},
"description_i18n": {"ko": "SSH 로그인 실패 이벤트를 탐지합니다", "ja": "SSHログイン失敗イベントを検出します"}
}

The console displays the user’s selected language. The create/edit dialog includes KO/JA translation fields.


Detection Results

Click a rule’s trigger count to view matched detections:

Field         Description
Alert         Linked alert ID (clickable → alert detail)
Hits          Number of matching events in the detection window
Query         OpenSearch query executed
Time Window   Start – end of the detection period
Detected      Timestamp of detection

Access Requirements

Detection Rules require the Respond (MDR) tier or above.