Learned Rules
11 active rules learned from past corrections. 41% of findings short-circuited at the Pre-Filter Agent this campaign.
Sentinel learns rules from your overrides. When you correct a verdict in the Review Queue, the Rule Learner extracts the pattern and proposes a new rule. Approved rules feed back into the Pre-Filter Agent, so future campaigns auto-handle that pattern without consuming AI reasoning cycles.
13 rules
| Rule | Pattern | Action | Source | Tester | Learned | Hits (run) | Hits (all-time) | Status |
|---|---|---|---|---|---|---|---|---|
| R-024 | CS06 Critical with fuzzed RemotePartyID + 360s timeout + empty security log + ZbSimCommunicator stack trace = firmware fault under malformed Critical command | Firmware Issue | 1155332/13507 | Daniel Dsouza | just now | 2 | 2 | Pending your approval |
| R-001 | 8F1E in security log + missing in packet trace = tool error (single channel observation) | False Positive | 1155332/13504 | Sadhna Shukla | 12 days ago | 47 | 218 | Active |
| R-002 | CS01a NonCritical with fuzzed Invocation Counter at boundary values + valid response = tool false alarm | False Positive | 1155332/6851 | Sujith AK | 21 days ago | 31 | 142 | Active |
| R-003 | CS06 Critical with fuzzed RemotePartyID + timeout + no security log = device shutdown / needs expert review | Needs Review | 1155332/22107 | Sadhna Shukla | 30 days ago | 4 | 19 | Active |
| R-004 | DLMS NonCritical Number field tests at default/min/max + meter valid response = expected behaviour | False Positive | 1155332/6201 | Manvendra Singh | 35 days ago | 89 | 401 | Active |
| R-005 | CS02b oversized payload (>100 children) + multi-8F1E alerts (≥3) = firmware payload validation issue | Firmware Issue | 1155332/32601 | Manvendra Singh | 9 days ago | 6 | 23 | Active |
| R-006 | CS02g executionDateTime fuzz with Random Length and Value = boundary test, not firmware concern | False Positive | 1155332/34446 | Sujith AK | 16 days ago | 12 | 47 | Active |
| R-007 | CS02b alert/log time-window correlation drift >5s = ProtoCrawler async correlation bug | False Positive | 1155332/29841 | Sadhna Shukla | 26 days ago | 8 | 31 | Active |
| R-008 | ECS80 Generic NonCritical Alert with fuzzed Cluster ID = standard ZigBee error, not firmware bug | False Positive | 1155332/41203 | Tushar Kamat | 44 days ago | 22 | 88 | Active |
| R-009 | CS03 Method A Join with fuzzed device EUI64 + no response = expected silent rejection | False Positive | 1155332/15672 | Manvendra Singh | 51 days ago | 7 | 29 | Active |
| R-010 | CS04 Unjoin with malformed sequence number + 8F30 alert = correct GBCS behaviour | False Positive | 1155332/19204 | Vineet Shukla | 60 days ago | 14 | 52 | Disabled |
| R-011 | DLMS Critical Command ECS30a Length adjustments + valid response = expected at boundary | False Positive | 1155332/3762 | Sadhna Shukla | 18 days ago | 11 | 38 | Active |
| R-012 | CS02e Provide Device Certificate with delayed 8F4C alert (>3s) = needs investigation | Needs Review | 1155332/27891 | Tushar Kamat | 70 days ago | 2 | 9 | Active |