Detection Content Lifecycle

Overview

KYRA MDR maintains 3,200+ detection rules that continuously monitor your environment for threats. This page explains how detection content is developed, tested, deployed, and retired — so you understand how new threats are covered and how existing rules are maintained.

What is Detection Content?

Detection content includes:

  • Detection Rules — Real-time rules that analyze incoming events and generate alerts (based on Sigma format)
  • Threat Hunting Queries — Proactive search queries used by the Threat Hunting AI to find hidden threats
  • ML Models — Machine learning models for behavioral anomaly detection and false positive filtering

Lifecycle States

Every detection rule goes through a defined lifecycle:

flowchart LR
    DEV[Development] --> TEST[Testing]
    TEST --> STG[Staging]
    STG --> PROD[Production]
    PROD --> DEP[Deprecated]
    DEP --> RET[Retired]

1. Development

Detection engineers create new rules based on:

  • Emerging threat intelligence and new CVEs
  • MITRE ATT&CK technique coverage gaps
  • Customer-reported threats and near-misses
  • Threat landscape changes

Each rule includes MITRE ATT&CK mapping, severity classification, and test cases.

2. Testing

Rules are validated against historical data in a staging environment:

  • Run against 30-day datasets to measure false positive rates
  • Performance impact assessed (detection latency must stay under 5 seconds)
  • False positive rate must be under 5% for Critical/High severity rules and under 10% for Medium/Low
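As an added example (not KYRA MDR's own code), a small Python harness that evaluates a constructed Sigma-style rule over constructed, analyst-labelled events and applies the testing gate above (under 5% for Critical/High, under 10% for Medium/Low) together with the 15% deprecation trigger from section 5. The rule, the events and the evaluator's minimal Sigma subset are all assumptions made for illustration.

```python
# Ceilings from the Testing section (rate must stay UNDER these) and the section 5
# deprecation trigger (rate exceeds 15%); everything else below is constructed.
FP_GATE = {"critical": 0.05, "high": 0.05, "medium": 0.10, "low": 0.10}
DEPRECATE_ABOVE = 0.15

# Constructed Sigma-style rule as a mapping (not a real KYRA MDR rule).
RULE = {
    "title": "Encoded PowerShell command line (constructed sample)",
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"},
        "condition": "selection",
    },
}

def _field_matches(event, key, wanted):
    # Only the Sigma modifiers the sample rule uses; a plain key means exact match.
    field, _, modifier = key.partition("|")
    value, wanted = str(event.get(field, "")).lower(), wanted.lower()
    if modifier == "endswith":
        return value.endswith(wanted)
    return wanted in value if modifier == "contains" else value == wanted

def rule_matches(rule, event):
    """Sigma 'selection' semantics: every field in the map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in rule["detection"]["selection"].items())

def gate_decision(rule, labelled_events):
    """labelled_events: (event, analyst_confirmed_true_positive); FP rate = benign hits / hits."""
    hits = [is_tp for event, is_tp in labelled_events if rule_matches(rule, event)]
    if not hits:
        return 0.0, "no-hits"          # nothing to measure on this dataset
    fp_rate = hits.count(False) / len(hits)
    if fp_rate > DEPRECATE_ABOVE:
        return fp_rate, "deprecate"    # section 5: cannot stay in production
    if fp_rate >= FP_GATE[rule["level"]]:
        return fp_rate, "fail"         # not under this severity's ceiling
    return fp_rate, "pass"

PS, CMD = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\System32\\cmd.exe"
def ev(image, cmdline):
    return {"Image": image, "CommandLine": cmdline}

# Constructed stand-in for the 30-day dataset: 19 confirmed hits, one benign hit from
# a sanctioned deployment job, and two events the rule never fires on.
LABELLED_EVENTS = (
    [(ev(PS, f"powershell.exe -enc BLOB{i}"), True) for i in range(19)]
    + [(ev(PS, "powershell.exe -enc DEPLOYBLOB"), False)]
    + [(ev(CMD, "cmd.exe /c dir"), False), (ev(PS, "powershell.exe Get-Process"), False)]
)
```

With one benign hit in twenty the measured rate is exactly 5%, which fails the High gate but would pass if the same rule were classified Medium, showing why severity is assigned before testing.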

3. Staging

Rules are deployed to a staging environment for final validation:

  • SOC analysts review alert quality and enrichment
  • CUSTOM tier customers can preview new rules before production deployment
  • Response playbooks are created or updated to match the new rule

4. Production

Active rules in production are continuously monitored:

  • Alert volume trending and false positive rate tracking
  • Performance metrics (processing latency, resource usage)
  • Customer feedback incorporated into tuning

SLA for production rules:

Metric                      | Target
----------------------------|----------------
Alert processing time       | Under 5 minutes
False positive response     | Under 4 hours
Rule modification (tuning)  | Under 24 hours
Critical issue resolution   | Under 2 hours

5. Deprecated

Rules are deprecated when:

  • A better detection rule replaces them
  • The false positive rate exceeds 15% and cannot be reduced
  • The threat technique is no longer relevant

Customers receive 60-day advance notice before a rule is deprecated, along with information about replacement rules.

6. Retired

Retired rules are deactivated. Historical alerts generated by retired rules remain available in your data retention window.

Severity Levels

Each detection rule is assigned a severity level that determines alert priority and response SLA:

Severity | Description                                                    | Example
---------|----------------------------------------------------------------|------------------------------------------------
Critical | Confirmed active threat requiring immediate response           | Ransomware execution, active data exfiltration
High     | Strong indicators of compromise requiring urgent investigation | Lateral movement, C2 communication
Medium   | Suspicious activity that may indicate a threat                 | Unusual authentication patterns, policy violations
Low      | Informational activity that may warrant review                 | Configuration changes, new device connections
Info     | Baseline events for context and correlation                    | Successful logins, routine system events

How Alerts are Generated

  1. Event ingestion — Logs arrive from your connected sources (firewall, EDR, cloud, etc.)
  2. Rule evaluation — Events are evaluated against all active detection rules in real-time
  3. AI triage — The Alert Triage AI enriches matches with context, scores severity, and filters false positives
  4. Alert creation — Confirmed matches create alerts with MITRE ATT&CK mapping, affected assets, and recommended actions
  5. Notification — Alerts are displayed in the Console and sent via configured channels (email, Slack, webhook)

AI-Assisted Detection

The platform uses AI to continuously improve detection quality:

  • False Positive Pattern Detection — Identifies systemic false positive causes and suggests tuning
  • Optimization Recommendations — AI-generated suggestions for rule improvement
  • Natural Language Explanations — Plain-language descriptions of detection logic for analysts

Emergency Rule Deployment

For critical zero-day threats, KYRA MDR can fast-track new detection rules into production within hours. Emergency rules go through accelerated testing with a mandatory 24-hour post-deployment review.