Anomaly Detection Rules for After-Hours Access

N.B. Provide examples of recent wins/losses to calibrate thresholds and include any must-not-do segments to embed as hard fails.

📄 Prompt Template

Define actionable detection logic for after-hours anomalies using door, badge, and CCTV events. Create rules for door-held-open > [ThresholdMinutes] minutes, repeated denied attempts, cross-site rapid movement outside [GeoFenceRadius], high-risk doors ([HighRiskDoors]), and holiday/weekend patterns ([HolidayCalendar]). Include suppression logic and stakeholder routing to [AlertingChannel].
Output format:
JSON schema for rules (rule_id, description, signal, condition, threshold, time_window, severity, notify_group)
8–12 sample rules populated with placeholder values
Tuning Guidance (≤150 words)
Test Cases (table: Scenario | Expected Outcome | Evidence Source).
Ensure clarity for implementation in SIEM/SOAR.
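Added example (my own code, not part of the template or any SIEM/SOAR product): a small Python evaluator that runs three of the rule types above (door held open, repeated denied attempts, cross-site rapid movement), an after-hours gate for weekends, holidays and off-hours, and per-rule suppression over a constructed event set. Business hours, thresholds, event field names, site names and the holiday calendar are assumed values standing in for the template's placeholders.

```python
from datetime import datetime, timedelta
from collections import defaultdict
BUSINESS_HOURS = (7, 19)   # assumed local business hours: start inclusive, end exclusive
HOLIDAYS = {"2024-12-25"}  # constructed stand-in for [HolidayCalendar]
RULES = {                  # fields mirror the schema the prompt asks for
    "R1": dict(description="Door held open", signal="door", threshold=5, time_window=None, severity="medium", notify_group="facilities"),
    "R2": dict(description="Repeated denied badge reads", signal="badge", threshold=3, time_window=10, severity="high", notify_group="soc"),
    "R3": dict(description="Same badge granted at two sites too quickly", signal="badge", threshold=2, time_window=30, severity="critical", notify_group="soc"),
}
# Constructed sample events (not real data); 2024-03-09 is a Saturday.
EVENTS = [
    {"ts": "2024-03-09 22:02", "type": "badge", "badge": "B100", "site": "HQ", "door": "D1", "result": "denied"},
    {"ts": "2024-03-09 22:03", "type": "badge", "badge": "B100", "site": "HQ", "door": "D1", "result": "denied"},
    {"ts": "2024-03-09 22:05", "type": "badge", "badge": "B100", "site": "HQ", "door": "D1", "result": "denied"},
    {"ts": "2024-03-09 22:10", "type": "badge", "badge": "B200", "site": "HQ", "door": "D2", "result": "granted"},
    {"ts": "2024-03-09 22:11", "type": "door", "site": "HQ", "door": "D2", "state": "open"},
    {"ts": "2024-03-09 22:20", "type": "door", "site": "HQ", "door": "D2", "state": "closed"},
    {"ts": "2024-03-09 22:25", "type": "badge", "badge": "B200", "site": "DC-East", "door": "D9", "result": "granted"},
]
def ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")
def after_hours(t):
    """Weekend, listed holiday, or outside business hours."""
    return (t.weekday() >= 5 or t.strftime("%Y-%m-%d") in HOLIDAYS
            or not BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])
def evaluate(events):
    """Return alerts as (rule_id, key, severity, notify_group).
    Suppression: one alert per (rule_id, key), so three denied reads give one alert."""
    events = [e for e in sorted(events, key=ts) if after_hours(ts(e))]
    alerts, open_since, by_badge = {}, {}, defaultdict(list)
    def fire(rule_id, key):
        alerts.setdefault((rule_id, key), (RULES[rule_id]["severity"], RULES[rule_id]["notify_group"]))
    for e in events:
        if e["type"] == "door":                       # R1: open -> closed gap above threshold
            k = (e["site"], e["door"])
            if e["state"] == "open":
                open_since[k] = ts(e)
            elif k in open_since and ts(e) - open_since.pop(k) > timedelta(minutes=RULES["R1"]["threshold"]):
                fire("R1", k)
        else:                                         # badge read: keep per-badge history for windows
            hist = by_badge[e["badge"]]
            hist.append(e)
            recent = lambda r, mins: [h for h in hist if h["result"] == r and ts(e) - ts(h) <= timedelta(minutes=mins)]
            if len(recent("denied", RULES["R2"]["time_window"])) >= RULES["R2"]["threshold"]:
                fire("R2", e["badge"])                # R2: repeated denied attempts in window
            if len({h["site"] for h in recent("granted", RULES["R3"]["time_window"])}) >= RULES["R3"]["threshold"]:
                fire("R3", e["badge"])                # R3: cross-site movement faster than travel allows
    return [(r, k, *v) for (r, k), v in alerts.items()]
```

Routing to [AlertingChannel] would consume the notify_group field of each returned tuple; events inside business hours on a working day are dropped before any rule runs.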
