Detection Rules

此内容尚未提供中文翻译。

The Detection Rules page manages 233 active detection rules covering 115 MITRE ATT&CK techniques. Rules run continuously against ingested log and network flow data, automatically generating alerts and escalating critical threats to incidents.

Detection Pipeline

Events (OpenSearch) → Detection Engine (5 min cycle) → Alert → AI Assessment → Incident
      ↑                       ↑                                                  ↑
  Log + Network data    233 active rules                              Critical/High only
                        4 rule types                                  1 per rule per 24h

How It Works

Detection Engine runs every 5 minutes, checking all ACTIVE rules
Each rule query is executed against OpenSearch (events-* for syslog, network-logs-* for NDR)
When matches are found, an Alert is created with deduplication (same rule+target = merged within 24h)
Critical and High severity matches automatically create an Incident (1 per rule per 24h)
New alerts and rules are automatically assessed by Dual AI Agents (Global Threat Intel + Internal SOC)

Rule Types

Type	Description
SIGMA	Standard SIGMA-format rules translated to OpenSearch DSL
CORRELATION	Rules that correlate multiple events across time windows
ANOMALY	Baseline deviation detection using statistical thresholds
CLOUD	Cloud-specific rules for AWS, Azure, and GCP audit logs

MITRE ATT&CK Filtering

Rules are mapped to the MITRE ATT&CK framework. The filter bar provides two searchable selects:

Tactic — 14 items (Initial Access, Execution, Persistence, etc.) with search input
Technique — Filtered list of techniques with search input

Selecting a tactic filters the technique dropdown to show only techniques under that tactic. Selecting a technique auto-sets the corresponding tactic. This linked filtering works in both directions.

Rule Table

Columns

Column	Description
Rule Name	Name with i18n support (EN/KO/JA from JSONB)
Source	Log (syslog) or Network (NDR) — auto-detected from query
Type	SIGMA, CORRELATION, ANOMALY, CLOUD
Severity	critical, high, medium, low (color-coded)
Status	ACTIVE, DRAFT, DISABLED
MITRE	ATT&CK technique ID (e.g., T1110.001)
Triggers	Total match count (clickable → shows detection results)
AI	Dual agent classification + confidence % (click for details)
Actions	Test, AI Assess, Edit, Enable/Disable, Delete

Pagination

Server-side pagination with 50 rules per page. Supports:

Search: Full-text across name, description, query, MITRE tactic/technique
Filters: By severity, status, rule type, MITRE tactic, MITRE technique
Sort: By trigger count (default), name, severity

Rule Lifecycle

DRAFT → ACTIVE → DISABLED
  ↑                  ↓
  └── (re-enable) ───┘

DRAFT — Rule is being authored or tested. Editable.
ACTIVE — Rule is running in the detection engine. Cannot be edited directly; must be disabled first.
DISABLED — Rule is inactive. Can be edited and re-enabled.
Delete — Only allowed for non-ACTIVE rules (disable first)

To modify an active rule, disable it, make changes, then re-enable.

Export

Detection rules can be exported via the API:

GET /api/v1/export/detection-rules

Supported formats: CSV and JSON. The export includes rule name, type, severity, status, MITRE mapping, and query.

AI Assessment

Each rule can be assessed by the Dual AI Agent system:

Agent	Perspective
Global Threat Intel	External threat landscape, CVE database, known attack patterns
Internal SOC	Organization-specific risk, asset criticality, historical incidents

Assessment produces:

Classification: CRITICAL, HIGH, MEDIUM, LOW, FALSE_POSITIVE
Confidence: 0–100%

Auto-assessment triggers when a rule creates a new alert. Manual assessment via the sparkle icon.

Multilingual Support (i18n)

Rule names and descriptions are stored as JSONB with per-language translations for Korean and Japanese:

{
  "name_i18n": {"ko": "SSH 무차별 대입 공격 탐지", "ja": "SSHブルートフォース攻撃検出"},
  "description_i18n": {"ko": "SSH 로그인 실패 이벤트를 탐지합니다", "ja": "SSHログイン失敗イベントを検出します"}
}

The console displays the user’s selected language. The create/edit dialog includes KO/JA translation fields.

Detection Results

Click a rule’s trigger count to view matched detections:

Field	Description
Alert	Linked alert ID (clickable → alert detail)
Hits	Number of matching events in the detection window
Query	OpenSearch query executed
Time Window	Start – end of the detection period
Detected	Timestamp of detection

Access Requirements

Detection Rules require the Respond (MDR) tier or above.