Detection Rules

The Detection Rules page manages threat detection logic that runs continuously against ingested log and network flow data. Rules automatically generate alerts and escalate critical threats to incidents.

Detection Pipeline

Events (OpenSearch) → Detection Engine (60s cycle) → Alert → AI Assessment → Incident
      ↑                       ↑                                                  ↑
  3.3M syslog events    153 active rules                              Critical/High only
  21M+ network flows    Adaptive skip (98% query reduction)           1 per rule per 24h

How It Works

Detection Engine runs every 60 seconds, checking all ACTIVE rules
Each rule query is executed against OpenSearch (events-* for syslog, network-logs-* for NDR)
When matches are found, an Alert is created with deduplication (same rule+target = merged within 24h)
Critical and High severity matches automatically create an Incident (1 per rule per 24h)
New alerts and rules are automatically assessed by Dual AI Agents (Global Threat Intel + Internal SOC)

Adaptive Performance

The engine uses adaptive skip to avoid querying rules that never match:

Rules with 0 consecutive matches: checked every 5 cycles (~5 min)
Rules with 10+ consecutive zeros: checked every 15 cycles (~15 min)
Full recheck of all rules: every 30 cycles (~30 min)
Result: 98% fewer OpenSearch queries (28 checked vs 153 total per cycle)

Data Sources

Each rule targets one of two data sources, shown in the Source column:

Source	Index	Data	Volume
Log (green badge)	`events-*`	Syslog, auditd, SSH, sudo, IDS, DNS, mail, web server	3.3M+ events
Network (blue badge)	`network-logs-*`	TCP/UDP/ICMP flows, ports, bytes, flags, protocol	21M+ flows

Rule Table

Columns

Column	Description
Rule Name	Name with i18n support (EN/KO/JA from JSONB)
Source	Log (syslog) or Network (NDR) — auto-detected from query
Type	SIGMA, CORRELATION, ANOMALY, CLOUD
Severity	critical, high, medium, low (color-coded)
Status	ACTIVE, DRAFT, STAGED, DEPRECATED, ARCHIVED
MITRE	ATT&CK technique ID (e.g., T1110.001)
Triggers	Total match count (clickable → shows detection results)
AI	Dual agent classification + confidence % (click for details)
Actions	Test, AI Assess, Edit, Enable/Disable, Delete

Pagination

Server-side pagination with 50 rules per page. Supports:

Search: Full-text across name, description, query, MITRE tactic/technique
Filters: By severity, status, rule type
Sort: By trigger count (default), name, severity

Query Syntax

Rules use a query language that the Detection Engine translates to OpenSearch DSL:

# Field matching (= or : syntax)
source=syslog                          → term query
hostname=fw-prod-01                    → term query
protocol_num=6                         → term query

# Literal text search (matches raw_log)
"Failed password"                      → match_phrase on raw_log
"SYSCALL" "exe=" source=syslog         → multiple match_phrase + term

# Comparisons
bytes > 10240                          → range query (gt)
destination_port > 8000                → range query (gt)
payload_len=0                          → term query

# Negation
NOT source=internal                    → must_not

# Multiple values
status IN ("open","closed")            → terms query

# Pipe sections (ignored in count mode)
source=syslog program=sshd "Failed password" | stats count by src_ip | where count > 20

Safety

If a query produces no parseable filter conditions (only tenant + time range), the engine returns match_none to prevent false positive matches on all events.

Rule Lifecycle

DRAFT → STAGED → ACTIVE → DEPRECATED → ARCHIVED
  ↑                  ↓
  └── (rollback) ────┘

Enable button: Directly activates (DRAFT → ACTIVE, skipping STAGED)
Disable button: Moves to DEPRECATED from any state
Re-enable: DEPRECATED → ACTIVE (direct)
Delete: Only allowed for non-ACTIVE rules (disable first)

AI Assessment

Each rule can be assessed by the Dual AI Agent system:

Agent	Perspective
Global Threat Intel	External threat landscape, CVE database, known attack patterns
Internal SOC	Organization-specific risk, asset criticality, historical incidents

Assessment produces:

Classification: CRITICAL, HIGH, MEDIUM, LOW, FALSE_POSITIVE
Confidence: 0–100%

Auto-assessment triggers when a rule creates a new alert. Manual assessment via the sparkle (✨) icon.

Multilingual Support (i18n)

Rule names and descriptions are stored as JSONB with per-language translations:

{
  "name_i18n": {"ko": "SSH 무차별 대입 공격 탐지", "ja": "SSHブルートフォース攻撃検出"},
  "description_i18n": {"ko": "SSH 로그인 실패 이벤트를 탐지합니다", "ja": "SSHログイン失敗イベントを検出します"}
}

The console displays the user’s selected language. The create/edit dialog includes KO/JA translation fields.

Detection Results

Click a rule’s trigger count to view matched detections:

Field	Description
Alert	Linked alert ID (clickable → alert detail)
Hits	Number of matching events in the detection window
Query	OpenSearch query executed
Time Window	Start – end of the detection period
Detected	Timestamp of detection

Example Rules

Syslog / EDR Rules

Rule	Query	Severity	MITRE
SSH Brute Force	`"Failed password" source=syslog`	high	T1110.001
Root Login Attempt	`"Failed password for root" source=syslog`	critical	T1078.003
Sudo Shell Execution	`"COMMAND=/bin/bash" source=syslog`	high	T1059.004
CRON Job Activity	`"CRON" source=syslog`	medium	T1053.003
PAM Auth Failure	`"pam_unix" "authentication failure" source=syslog`	medium	T1556

Network / NDR Rules

Rule	Query	Severity	MITRE
TCP SYN Scan	`tcp_flags=2 payload_len=0 source=ndr`	high	T1046
Network Beaconing	`protocol_num=6 bytes > 100 source=ndr`	high	T1071.001
Large Data Transfer	`bytes > 10240 source=ndr`	high	T1041
ICMP Ping Sweep	`protocol_num=1 bytes > 0 source=ndr`	medium	T1018
DNS Over TCP	`destination_port=53 protocol_num=6 source=ndr`	high	T1071.004

Access Requirements

Detection Rules require the Respond (MDR) tier or above.