diff --git a/deploy/mariadb/init/001-schema.sql b/deploy/mariadb/init/001-schema.sql
index 2789d7e..e5efc36 100644
--- a/deploy/mariadb/init/001-schema.sql
+++ b/deploy/mariadb/init/001-schema.sql
@@ -85,4 +85,1209 @@ CREATE TABLE IF NOT EXISTS detections (
     KEY ix_detections_created (created_at),
     KEY ix_detections_rule_host_time (rule_name, hostname, created_at),
     KEY ix_detections_severity_time (severity, created_at)
-) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
\ No newline at end of file
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;
+
+CREATE TABLE detection_rules (
+    id BIGINT AUTO_INCREMENT PRIMARY KEY,
+    name VARCHAR(128) NOT NULL UNIQUE,
+    description TEXT,
+    severity VARCHAR(16) NOT NULL DEFAULT 'medium',
+
+    channel VARCHAR(64) NOT NULL DEFAULT 'Security',
+    event_ids VARCHAR(255) NOT NULL,
+
+    match_field VARCHAR(64) DEFAULT '',
+    match_operator VARCHAR(16) DEFAULT '',
+    match_value TEXT,
+
+    threshold_count INT NOT NULL DEFAULT 1,
+    threshold_window_seconds INT NOT NULL DEFAULT 0,
+
+    suppress_for_seconds INT NOT NULL DEFAULT 3600,
+    enabled TINYINT(1) NOT NULL DEFAULT 1,
+
+    created_at TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
+    updated_at TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6)
+);
+
+CREATE INDEX idx_detection_rules_enabled
+ON detection_rules (enabled);
+
+CREATE INDEX idx_event_logs_dynamic_rules
+ON event_logs (channel_name, event_id, ts, hostname);
+
+INSERT INTO detection_rules
+(
+    name,
+    description,
+    severity,
+    channel,
+    event_ids,
+    match_field,
+    match_operator,
+    match_value,
+    threshold_count,
+    threshold_window_seconds,
+    suppress_for_seconds,
+    enabled
+)
+VALUES
+
+-- ============================================================
+-- Kritische Manipulationen / Spurenverwischung
+-- ============================================================
+
+(
+    'security_log_cleared',
+    'Security Log wurde gelöscht. Das ist fast immer sicherheitsrelevant.',
+    'high',
+    'Security',
+    '1102',
+    '',
+    '',
+    '',
+    1,
+    0,
+    86400,
+    1
+),
+
+(
+    'audit_policy_changed',
+    'Audit Policy wurde geändert.',
+    'high',
+    'Security',
+    '4719',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'system_audit_policy_changed',
+    'System Audit Policy wurde geändert.',
+    'high',
+    'Security',
+    '4902,4904,4905,4906,4907,4908,4912',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'special_logon',
+    'Anmeldung mit speziellen Rechten erkannt.',
+    'medium',
+    'Security',
+    '4672',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    1
+),
+
+(
+    'privileged_service_called',
+    'Privilegierter Dienst wurde aufgerufen.',
+    'medium',
+    'Security',
+    '4673,4674',
+    '',
+    '',
+    '',
+    10,
+    300,
+    1800,
+    1
+),
+
+-- ============================================================
+-- Benutzerverwaltung
+-- ============================================================
+
+(
+    'user_created',
+    'Neuer AD-Benutzer wurde erstellt.',
+    'medium',
+    'Security',
+    '4720',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'user_enabled',
+    'AD-Benutzer wurde aktiviert.',
+    'medium',
+    'Security',
+    '4722',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'user_disabled',
+    'AD-Benutzer wurde deaktiviert.',
+    'low',
+    'Security',
+    '4725',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'user_deleted',
+    'AD-Benutzer wurde gelöscht.',
+    'medium',
+    'Security',
+    '4726',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'user_changed',
+    'AD-Benutzerobjekt wurde geändert.',
+    'low',
+    'Security',
+    '4738',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'password_changed_by_user',
+    'Benutzer hat eigenes Passwort geändert.',
+    'low',
+    'Security',
+    '4723',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    1
+),
+
+(
+    'password_reset',
+    'Passwort wurde durch Admin oder berechtigten Benutzer zurückgesetzt.',
+    'medium',
+    'Security',
+    '4724',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'account_lockout',
+    'Benutzerkonto wurde gesperrt.',
+    'low',
+    'Security',
+    '4740',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    1
+),
+
+(
+    'account_lockout_spike',
+    'Viele Account Lockouts innerhalb kurzer Zeit.',
+    'medium',
+    'Security',
+    '4740',
+    '',
+    '',
+    '',
+    5,
+    300,
+    1800,
+    1
+),
+
+-- ============================================================
+-- Gruppenverwaltung allgemein
+-- ============================================================
+
+(
+    'security_group_created',
+    'Security-Gruppe wurde erstellt.',
+    'medium',
+    'Security',
+    '4727,4731,4754',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'security_group_deleted',
+    'Security-Gruppe wurde gelöscht.',
+    'medium',
+    'Security',
+    '4730,4734,4758',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'security_group_changed',
+    'Security-Gruppe wurde geändert.',
+    'medium',
+    'Security',
+    '4735,4737,4755',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'group_member_added',
+    'Mitglied wurde zu einer Security-Gruppe hinzugefügt.',
+    'medium',
+    'Security',
+    '4728,4732,4756',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'group_member_removed',
+    'Mitglied wurde aus einer Security-Gruppe entfernt.',
+    'medium',
+    'Security',
+    '4729,4733,4757',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+-- ============================================================
+-- Privilegierte Gruppen
+-- Achtung: target_user ist hier normalerweise der Gruppenname.
+-- ============================================================
+
+(
+    'privileged_group_member_added',
+    'Mitglied wurde zu einer privilegierten AD-Gruppe hinzugefügt.',
+    'high',
+    'Security',
+    '4728,4732,4756',
+    'target_user',
+    'in',
+    'Domain Admins,Enterprise Admins,Schema Admins,Administrators,Account Operators,Server Operators,Backup Operators,Print Operators,DNSAdmins,Group Policy Creator Owners,Cert Publishers,Key Admins,Enterprise Key Admins',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'privileged_group_member_removed',
+    'Mitglied wurde aus einer privilegierten AD-Gruppe entfernt.',
+    'medium',
+    'Security',
+    '4729,4733,4757',
+    'target_user',
+    'in',
+    'Domain Admins,Enterprise Admins,Schema Admins,Administrators,Account Operators,Server Operators,Backup Operators,Print Operators,DNSAdmins,Group Policy Creator Owners,Cert Publishers,Key Admins,Enterprise Key Admins',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'domain_admins_changed',
+    'Änderung an Domain Admins erkannt.',
+    'high',
+    'Security',
+    '4728,4729,4735,4737',
+    'target_user',
+    'eq',
+    'Domain Admins',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'enterprise_admins_changed',
+    'Änderung an Enterprise Admins erkannt.',
+    'high',
+    'Security',
+    '4728,4729,4735,4737',
+    'target_user',
+    'eq',
+    'Enterprise Admins',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'schema_admins_changed',
+    'Änderung an Schema Admins erkannt.',
+    'high',
+    'Security',
+    '4728,4729,4735,4737',
+    'target_user',
+    'eq',
+    'Schema Admins',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'dnsadmins_changed',
+    'Änderung an DNSAdmins erkannt. DNSAdmins können in vielen Umgebungen kritisch sein.',
+    'high',
+    'Security',
+    '4728,4729,4732,4733,4756,4757',
+    'target_user',
+    'eq',
+    'DNSAdmins',
+    1,
+    0,
+    3600,
+    1
+),
+
+-- ============================================================
+-- Computer-Konten
+-- ============================================================
+
+(
+    'computer_account_created',
+    'Computer-Konto wurde erstellt.',
+    'low',
+    'Security',
+    '4741',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'computer_account_changed',
+    'Computer-Konto wurde geändert.',
+    'low',
+    'Security',
+    '4742',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'computer_account_deleted',
+    'Computer-Konto wurde gelöscht.',
+    'medium',
+    'Security',
+    '4743',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+-- ============================================================
+-- Kerberos / Authentifizierung
+-- ============================================================
+
+(
+    'kerberos_preauth_failure',
+    'Kerberos PreAuth Fehler erkannt.',
+    'low',
+    'Security',
+    '4771',
+    '',
+    '',
+    '',
+    1,
+    0,
+    300,
+    1
+),
+
+(
+    'kerberos_preauth_spike',
+    'Viele Kerberos PreAuth Fehler. Möglicher Password-Spray oder Bruteforce.',
+    'high',
+    'Security',
+    '4771',
+    '',
+    '',
+    '',
+    20,
+    300,
+    1800,
+    1
+),
+
+(
+    'kerberos_tgt_failed_spike',
+    'Viele fehlgeschlagene Kerberos-TGT-Anfragen.',
+    'medium',
+    'Security',
+    '4768',
+    '',
+    '',
+    '',
+    30,
+    300,
+    1800,
+    1
+),
+
+(
+    'kerberos_service_ticket_spike',
+    'Viele Kerberos-Service-Ticket-Anfragen. Kann auf Kerberoasting oder ungewöhnliche Service-Nutzung hindeuten.',
+    'medium',
+    'Security',
+    '4769',
+    '',
+    '',
+    '',
+    100,
+    300,
+    1800,
+    1
+),
+
+(
+    'ntlm_authentication_spike',
+    'Viele NTLM-Authentifizierungen erkannt.',
+    'medium',
+    'Security',
+    '4776',
+    '',
+    '',
+    '',
+    50,
+    300,
+    1800,
+    1
+),
+
+(
+    'logon_failed_spike',
+    'Viele fehlgeschlagene Logons.',
+    'medium',
+    'Security',
+    '4625',
+    '',
+    '',
+    '',
+    25,
+    300,
+    1800,
+    1
+),
+
+(
+    'explicit_credentials_used',
+    'Anmeldung mit expliziten Anmeldeinformationen erkannt.',
+    'medium',
+    'Security',
+    '4648',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    1
+),
+
+(
+    'many_explicit_credentials_used',
+    'Viele Anmeldungen mit expliziten Anmeldeinformationen.',
+    'high',
+    'Security',
+    '4648',
+    '',
+    '',
+    '',
+    20,
+    300,
+    1800,
+    1
+),
+
+-- ============================================================
+-- Dienste, Tasks, Persistenz
+-- ============================================================
+
+(
+    'service_installed_security',
+    'Neuer Dienst laut Security Log installiert.',
+    'high',
+    'Security',
+    '4697',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'service_installed_system',
+    'Neuer Dienst laut System Log installiert.',
+    'high',
+    'System',
+    '7045',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'scheduled_task_created',
+    'Geplanter Task wurde erstellt.',
+    'high',
+    'Security',
+    '4698',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    1
+),
+
+(
+    'scheduled_task_updated',
+    'Geplanter Task wurde geändert.',
+    'medium',
+    'Security',
+    '4702',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'scheduled_task_deleted',
+    'Geplanter Task wurde gelöscht.',
+    'medium',
+    'Security',
+    '4699',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'scheduled_task_enabled_disabled',
+    'Geplanter Task wurde aktiviert oder deaktiviert.',
+    'medium',
+    'Security',
+    '4700,4701',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+-- ============================================================
+-- Prozess / PowerShell / Script Logging
+-- Nur aktivieren, wenn diese Events bei dir tatsächlich gesammelt werden.
+-- ============================================================
+
+(
+    'process_created',
+    'Neuer Prozess wurde erstellt. Nur sinnvoll bei aktiviertem Process Creation Auditing.',
+    'low',
+    'Security',
+    '4688',
+    '',
+    '',
+    '',
+    1,
+    0,
+    300,
+    0
+),
+
+(
+    'suspicious_powershell_process',
+    'Verdächtiger PowerShell-Aufruf im Prozess-Event.',
+    'high',
+    'Security',
+    '4688',
+    'msg',
+    'contains',
+    'powershell',
+    1,
+    0,
+    1800,
+    0
+),
+
+(
+    'powershell_script_block',
+    'PowerShell Script Block Logging Event erkannt.',
+    'medium',
+    'Windows PowerShell,Microsoft-Windows-PowerShell/Operational',
+    '4104',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    0
+),
+
+(
+    'suspicious_powershell_encodedcommand',
+    'PowerShell EncodedCommand erkannt.',
+    'high',
+    'Windows PowerShell,Microsoft-Windows-PowerShell/Operational,Security',
+    '4104,4688',
+    'msg',
+    'contains',
+    'EncodedCommand',
+    1,
+    0,
+    1800,
+    0
+),
+
+(
+    'suspicious_powershell_downloadstring',
+    'PowerShell DownloadString erkannt.',
+    'high',
+    'Windows PowerShell,Microsoft-Windows-PowerShell/Operational,Security',
+    '4104,4688',
+    'msg',
+    'contains',
+    'DownloadString',
+    1,
+    0,
+    1800,
+    0
+),
+
+(
+    'suspicious_powershell_iex',
+    'PowerShell Invoke-Expression / IEX erkannt.',
+    'high',
+    'Windows PowerShell,Microsoft-Windows-PowerShell/Operational,Security',
+    '4104,4688',
+    'msg',
+    'contains',
+    'Invoke-Expression',
+    1,
+    0,
+    1800,
+    0
+),
+
+-- ============================================================
+-- GPO / AD Objektänderungen
+-- Hinweis: 5136/5137/5141 kommen aus Directory Service Changes.
+-- Dafür muss das passende Auditing auf DCs aktiv sein.
+-- ============================================================
+
+(
+    'directory_object_modified',
+    'AD-Objekt wurde geändert.',
+    'medium',
+    'Security',
+    '5136',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    0
+),
+
+(
+    'directory_object_created',
+    'AD-Objekt wurde erstellt.',
+    'medium',
+    'Security',
+    '5137',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    0
+),
+
+(
+    'directory_object_deleted',
+    'AD-Objekt wurde gelöscht.',
+    'medium',
+    'Security',
+    '5141',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    0
+),
+
+(
+    'gpo_changed',
+    'Mögliche GPO-Änderung erkannt.',
+    'high',
+    'Security',
+    '5136',
+    'msg',
+    'contains',
+    'CN=Policies,CN=System',
+    1,
+    0,
+    3600,
+    0
+),
+
+(
+    'adminsdholder_changed',
+    'AdminSDHolder wurde geändert. Sehr sicherheitsrelevant.',
+    'high',
+    'Security',
+    '5136',
+    'msg',
+    'contains',
+    'CN=AdminSDHolder',
+    1,
+    0,
+    86400,
+    0
+),
+
+(
+    'domain_root_changed',
+    'Domain-Root-Objekt wurde geändert.',
+    'high',
+    'Security',
+    '5136',
+    'msg',
+    'contains',
+    'DC=',
+    1,
+    0,
+    3600,
+    0
+),
+
+-- ============================================================
+-- Objektzugriff / ACL
+-- Hinweis: 4662/4670 brauchen passende SACLs.
+-- ============================================================
+
+(
+    'object_permissions_changed',
+    'Berechtigungen eines Objekts wurden geändert.',
+    'high',
+    'Security',
+    '4670',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    0
+),
+
+(
+    'directory_service_object_access',
+    'Directory-Service-Objektzugriff erkannt.',
+    'medium',
+    'Security',
+    '4662',
+    '',
+    '',
+    '',
+    10,
+    300,
+    1800,
+    0
+),
+
+-- ============================================================
+-- Share / SMB / SYSVOL / administrative Zugriffe
+-- Hinweis: Kann sehr laut werden.
+-- ============================================================
+
+(
+    'network_share_accessed',
+    'Netzwerkfreigabe wurde genutzt.',
+    'low',
+    'Security',
+    '5140',
+    '',
+    '',
+    '',
+    50,
+    300,
+    900,
+    0
+),
+
+(
+    'network_share_object_checked',
+    'Detaillierter Netzwerkfreigabezugriff erkannt.',
+    'low',
+    'Security',
+    '5145',
+    '',
+    '',
+    '',
+    100,
+    300,
+    900,
+    0
+),
+
+(
+    'sysvol_access_spike',
+    'Viele Zugriffe auf SYSVOL erkannt.',
+    'low',
+    'Security',
+    '5140,5145',
+    'msg',
+    'contains',
+    'SYSVOL',
+    100,
+    300,
+    900,
+    0
+),
+
+(
+    'admin_share_access',
+    'Zugriff auf administrative Freigabe erkannt.',
+    'medium',
+    'Security',
+    '5140,5145',
+    'msg',
+    'contains',
+    'ADMIN$',
+    1,
+    0,
+    1800,
+    0
+),
+
+(
+    'c_share_access',
+    'Zugriff auf C$ erkannt.',
+    'medium',
+    'Security',
+    '5140,5145',
+    'msg',
+    'contains',
+    'C$',
+    1,
+    0,
+    1800,
+    0
+),
+
+-- ============================================================
+-- System / Neustart / Agent-Kontext
+-- ============================================================
+
+(
+    'system_startup',
+    'System wurde gestartet.',
+    'low',
+    'System',
+    '6005',
+    '',
+    '',
+    '',
+    1,
+    0,
+    300,
+    0
+),
+
+(
+    'system_shutdown',
+    'System wurde heruntergefahren.',
+    'low',
+    'System',
+    '6006',
+    '',
+    '',
+    '',
+    1,
+    0,
+    300,
+    0
+),
+
+(
+    'planned_shutdown_or_restart',
+    'Geplanter Shutdown oder Neustart erkannt.',
+    'low',
+    'System',
+    '1074',
+    '',
+    '',
+    '',
+    1,
+    0,
+    900,
+    1
+),
+
+(
+    'unexpected_shutdown',
+    'Unerwarteter Shutdown erkannt.',
+    'medium',
+    'System',
+    '6008',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    1
+),
+
+(
+    'reboot_spike_dynamic',
+    'Viele Neustart-/Shutdown-Events in kurzer Zeit.',
+    'medium',
+    'System',
+    '1074,6005,6006,6008',
+    '',
+    '',
+    '',
+    3,
+    900,
+    1800,
+    0
+),
+
+-- ============================================================
+-- Windows Defender / Security Center
+-- Event IDs können je nach Version/Quelle variieren.
+-- ============================================================
+
+(
+    'defender_malware_detected',
+    'Microsoft Defender hat Malware erkannt.',
+    'high',
+    'Microsoft-Windows-Windows Defender/Operational',
+    '1116',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    0
+),
+
+(
+    'defender_malware_remediated',
+    'Microsoft Defender hat Malware bereinigt.',
+    'medium',
+    'Microsoft-Windows-Windows Defender/Operational',
+    '1117',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    0
+),
+
+(
+    'defender_action_failed',
+    'Microsoft Defender Aktion fehlgeschlagen.',
+    'high',
+    'Microsoft-Windows-Windows Defender/Operational',
+    '1118,1119',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    0
+),
+
+(
+    'defender_disabled_or_config_changed',
+    'Defender-Konfiguration wurde geändert oder Schutz deaktiviert.',
+    'high',
+    'Microsoft-Windows-Windows Defender/Operational',
+    '5007,5013',
+    '',
+    '',
+    '',
+    1,
+    0,
+    3600,
+    0
+),
+
+-- ============================================================
+-- Zertifikatsdienste / AD CS
+-- Nur aktivieren, wenn AD CS vorhanden und Events gesammelt werden.
+-- ============================================================
+
+(
+    'certificate_request_issued',
+    'Zertifikat wurde ausgestellt.',
+    'medium',
+    'Security',
+    '4886,4887',
+    '',
+    '',
+    '',
+    1,
+    0,
+    1800,
+    0
+),
+
+(
+    'certificate_template_changed',
+    'Zertifikatstemplate wurde geändert.',
+    'high',
+    'Security',
+    '4898,4899,4900',
+    '',
+    '',
+    '',
+    1,
+    0,
+    86400,
+    0
+),
+
+(
+    'cert_services_config_changed',
+    'AD-CS-Konfiguration wurde geändert.',
+    'high',
+    'Security',
+    '4882,4885,4890,4891,4892',
+    '',
+    '',
+    '',
+    1,
+    0,
+    86400,
+    0
+);
\ No newline at end of file
diff --git a/main.go b/main.go
index 1730c36..f175454 100644
--- a/main.go
+++ b/main.go
@@ -63,6 +63,19 @@ const uiTemplates = `
 	.inline-form { display: inline; }
 	button.danger { background: #dc2626; }
 	button.success { background: #16a34a; }
+	textarea, select {
+  	width: 100%;
+  	padding: 8px;
+  	border: 1px solid #d1d5db;
+  	border-radius: 8px;
+  	box-sizing: border-box;
+	}
+	.badge { display: inline-block; padding: 3px 8px; border-radius: 999px; font-size: 12px; font-weight: bold; }
+	.badge-on { background: #dcfce7; color: #166534; }
+	.badge-off { background: #fee2e2; color: #991b1b; }
+	.inline-form { display: inline; }
+	button.danger { background: #dc2626; }
+	button.success { background: #16a34a; }
   </style>
 </head>
 <body>
@@ -71,6 +84,7 @@ const uiTemplates = `
   <nav>
     <a href="/ui">Dashboard</a>
 	<a href="/ui/agents">Agents</a>
+	<a href="/ui/rules">Rules</a>
     <a href="/ui/detections">Detections</a>
     <a href="/ui/events">Events</a>
     <a href="/metrics">Metrics</a>
@@ -158,6 +172,80 @@ const uiTemplates = `
 {{template "footer" .}}
 {{end}}
 
+{{define "rules"}}
+{{template "header" .}}
+<h1>{{.Title}}</h1>
+<p class="muted">Dynamische Regeln für einfache EventID-, Feld- und Threshold-Erkennung.</p>
+
+<h2>Neue Regel</h2>
+<form method="post" action="/ui/rules/save">
+  <div class="filters">
+    <div><label>Name</label><input name="name" required></div>
+    <div><label>Severity</label>
+      <select name="severity">
+        <option value="low">low</option>
+        <option value="medium" selected>medium</option>
+        <option value="high">high</option>
+      </select>
+    </div>
+    <div><label>Channel</label><input name="channel" value="Security"></div>
+    <div><label>Event IDs</label><input name="event_ids" placeholder="4720,4722,1102" required></div>
+    <div><label>Match Field</label><input name="match_field" placeholder="target_user, subject_user, msg, src_ip"></div>
+    <div><label>Operator</label>
+      <select name="match_operator">
+        <option value="">kein Filter</option>
+        <option value="eq">eq</option>
+        <option value="contains">contains</option>
+        <option value="in">in</option>
+      </select>
+    </div>
+    <div><label>Match Value</label><input name="match_value"></div>
+    <div><label>Threshold Count</label><input name="threshold_count" value="1"></div>
+    <div><label>Window Seconds</label><input name="threshold_window_seconds" value="0"></div>
+    <div><label>Suppress Seconds</label><input name="suppress_for_seconds" value="3600"></div>
+  </div>
+  <div><label>Beschreibung</label><textarea name="description" rows="3"></textarea></div>
+  <p><button type="submit">Regel speichern</button></p>
+</form>
+
+<h2>Bestehende Regeln</h2>
+<table>
+  <tr>
+    <th>Name</th><th>Severity</th><th>Channel</th><th>Events</th><th>Filter</th><th>Threshold</th><th>Status</th><th>Aktion</th>
+  </tr>
+  {{range .Rules}}
+  <tr>
+    <td><strong>{{.Name}}</strong><br><span class="muted">{{.Description}}</span></td>
+    <td class="sev-{{.Severity}}">{{.Severity}}</td>
+    <td>{{.Channel}}</td>
+    <td>{{.EventIDs}}</td>
+    <td>{{.MatchField}} {{.MatchOperator}} {{.MatchValue}}</td>
+    <td>{{.ThresholdCount}} / {{.ThresholdWindowSeconds}}s</td>
+    <td>
+      {{if .Enabled}}
+        <span class="badge badge-on">aktiv</span>
+      {{else}}
+        <span class="badge badge-off">inaktiv</span>
+      {{end}}
+    </td>
+    <td>
+      <form class="inline-form" method="post" action="/ui/rules/toggle">
+        <input type="hidden" name="id" value="{{.ID}}">
+        {{if .Enabled}}
+          <input type="hidden" name="enabled" value="0">
+          <button class="danger" type="submit">Deaktivieren</button>
+        {{else}}
+          <input type="hidden" name="enabled" value="1">
+          <button class="success" type="submit">Aktivieren</button>
+        {{end}}
+      </form>
+    </td>
+  </tr>
+  {{end}}
+</table>
+{{template "footer" .}}
+{{end}}
+
 {{define "events"}}
 {{template "header" .}}
 <h1>{{.Title}}</h1>
@@ -335,6 +423,8 @@ type NormalizedEvent struct {
 	StatusText            string
 	SubStatusText         string
 	FailureReason         string
+	MemberName            string
+	GroupName             string
 }
 
 type Detection struct {
@@ -460,6 +550,30 @@ type AgentListPageData struct {
 	Agents []AgentRow
 }
 
+type DynamicRule struct {
+	ID                     uint64
+	Name                   string
+	Description            string
+	Severity               string
+	Channel                string
+	EventIDs               string
+	MatchField             string
+	MatchOperator          string
+	MatchValue             string
+	ThresholdCount         int
+	ThresholdWindowSeconds int
+	SuppressForSeconds     int
+	Enabled                bool
+	CreatedAt              time.Time
+	UpdatedAt              time.Time
+}
+
+type DynamicRulePageData struct {
+	Title string
+	Now   time.Time
+	Rules []DynamicRule
+}
+
 var (
 	httpRequestsTotal = prometheus.NewCounterVec(
 		prometheus.CounterOpts{Name: "eventcollector_http_requests_total", Help: "Total HTTP requests."},
@@ -609,6 +723,9 @@ func main() {
 	mux.HandleFunc("/ui/event", s.handleUIEventDetail)
 	mux.HandleFunc("/ui/agents", s.handleUIAgents)
 	mux.HandleFunc("/ui/agents/toggle", s.handleUIAgentToggle)
+	mux.HandleFunc("/ui/rules", s.handleUIRules)
+	mux.HandleFunc("/ui/rules/save", s.handleUIRuleSave)
+	mux.HandleFunc("/ui/rules/toggle", s.handleUIRuleToggle)
 
 	httpSrv := &http.Server{
 		Addr:         cfg.ListenAddr,
@@ -642,6 +759,201 @@ func main() {
 	}
 }
 
+func (s *server) listDynamicRules(ctx context.Context) ([]DynamicRule, error) {
+	const q = `
+SELECT id, name, description, severity, channel, event_ids,
+       match_field, match_operator, match_value,
+       threshold_count, threshold_window_seconds, suppress_for_seconds,
+       enabled, created_at, updated_at
+FROM detection_rules
+ORDER BY name ASC
+`
+	rows, err := s.db.QueryContext(ctx, q)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var out []DynamicRule
+	for rows.Next() {
+		var r DynamicRule
+		if err := rows.Scan(
+			&r.ID,
+			&r.Name,
+			&r.Description,
+			&r.Severity,
+			&r.Channel,
+			&r.EventIDs,
+			&r.MatchField,
+			&r.MatchOperator,
+			&r.MatchValue,
+			&r.ThresholdCount,
+			&r.ThresholdWindowSeconds,
+			&r.SuppressForSeconds,
+			&r.Enabled,
+			&r.CreatedAt,
+			&r.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		out = append(out, r)
+	}
+	return out, rows.Err()
+}
+
+func (s *server) handleUIRules(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		writeError(w, http.StatusMethodNotAllowed, "method not allowed")
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	rules, err := s.listDynamicRules(ctx)
+	if err != nil {
+		s.logger.Printf("ui rules: %v", err)
+		writeError(w, http.StatusInternalServerError, "internal error")
+		return
+	}
+
+	s.renderTemplate(w, "rules", DynamicRulePageData{
+		Title: "Dynamic Rules",
+		Now:   time.Now(),
+		Rules: rules,
+	})
+}
+
+func (s *server) handleUIRuleToggle(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		writeError(w, http.StatusMethodNotAllowed, "method not allowed")
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid form")
+		return
+	}
+
+	id, err := strconv.ParseUint(strings.TrimSpace(r.FormValue("id")), 10, 64)
+	if err != nil || id == 0 {
+		writeError(w, http.StatusBadRequest, "invalid id")
+		return
+	}
+
+	enabled := strings.TrimSpace(r.FormValue("enabled")) == "1"
+
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	_, err = s.db.ExecContext(ctx, `
+UPDATE detection_rules
+SET enabled = ?
+WHERE id = ?
+`, enabled, id)
+	if err != nil {
+		s.logger.Printf("toggle rule: %v", err)
+		writeError(w, http.StatusInternalServerError, "internal error")
+		return
+	}
+
+	http.Redirect(w, r, "/ui/rules", http.StatusSeeOther)
+}
+
+func (s *server) handleUIRuleSave(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		writeError(w, http.StatusMethodNotAllowed, "method not allowed")
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		writeError(w, http.StatusBadRequest, "invalid form")
+		return
+	}
+
+	rule := DynamicRule{
+		Name:                   strings.TrimSpace(r.FormValue("name")),
+		Description:            strings.TrimSpace(r.FormValue("description")),
+		Severity:               strings.TrimSpace(r.FormValue("severity")),
+		Channel:                strings.TrimSpace(r.FormValue("channel")),
+		EventIDs:               strings.TrimSpace(r.FormValue("event_ids")),
+		MatchField:             strings.TrimSpace(r.FormValue("match_field")),
+		MatchOperator:          strings.TrimSpace(r.FormValue("match_operator")),
+		MatchValue:             strings.TrimSpace(r.FormValue("match_value")),
+		ThresholdCount:         atoiDefault(r.FormValue("threshold_count"), 1),
+		ThresholdWindowSeconds: atoiDefault(r.FormValue("threshold_window_seconds"), 0),
+		SuppressForSeconds:     atoiDefault(r.FormValue("suppress_for_seconds"), 3600),
+		Enabled:                true,
+	}
+
+	if rule.Name == "" || rule.EventIDs == "" {
+		writeError(w, http.StatusBadRequest, "name and event_ids required")
+		return
+	}
+	if rule.Severity == "" {
+		rule.Severity = "medium"
+	}
+	if rule.Channel == "" {
+		rule.Channel = "Security"
+	}
+	if rule.ThresholdCount <= 0 {
+		rule.ThresholdCount = 1
+	}
+	if rule.SuppressForSeconds < 0 {
+		rule.SuppressForSeconds = 0
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	_, err := s.db.ExecContext(ctx, `
+INSERT INTO detection_rules
+(name, description, severity, channel, event_ids,
+ match_field, match_operator, match_value,
+ threshold_count, threshold_window_seconds, suppress_for_seconds, enabled)
+VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 1)
+ON DUPLICATE KEY UPDATE
+ description = VALUES(description),
+ severity = VALUES(severity),
+ channel = VALUES(channel),
+ event_ids = VALUES(event_ids),
+ match_field = VALUES(match_field),
+ match_operator = VALUES(match_operator),
+ match_value = VALUES(match_value),
+ threshold_count = VALUES(threshold_count),
+ threshold_window_seconds = VALUES(threshold_window_seconds),
+ suppress_for_seconds = VALUES(suppress_for_seconds),
+ enabled = VALUES(enabled)
+`,
+		rule.Name,
+		rule.Description,
+		rule.Severity,
+		rule.Channel,
+		rule.EventIDs,
+		rule.MatchField,
+		rule.MatchOperator,
+		rule.MatchValue,
+		rule.ThresholdCount,
+		rule.ThresholdWindowSeconds,
+		rule.SuppressForSeconds,
+	)
+	if err != nil {
+		s.logger.Printf("save rule: %v", err)
+		writeError(w, http.StatusInternalServerError, "internal error")
+		return
+	}
+
+	http.Redirect(w, r, "/ui/rules", http.StatusSeeOther)
+}
+
+func atoiDefault(v string, def int) int {
+	n, err := strconv.Atoi(strings.TrimSpace(v))
+	if err != nil {
+		return def
+	}
+	return n
+}
+
 func (s *server) listAgents(ctx context.Context) ([]AgentRow, error) {
 	const q = `
 SELECT id, hostname, first_seen, last_seen, last_ip, is_enabled
@@ -1503,6 +1815,447 @@ func (s *server) runDetectionLoop() {
 	}
 }
 
+func (d *detector) runDynamicRules(ctx context.Context) error {
+	rows, err := d.db.QueryContext(ctx, `
+SELECT id, name, description, severity, channel, event_ids,
+       match_field, match_operator, match_value,
+       threshold_count, threshold_window_seconds, suppress_for_seconds
+FROM detection_rules
+WHERE enabled = 1
+`)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+
+	for rows.Next() {
+		var r DynamicRule
+		if err := rows.Scan(
+			&r.ID,
+			&r.Name,
+			&r.Description,
+			&r.Severity,
+			&r.Channel,
+			&r.EventIDs,
+			&r.MatchField,
+			&r.MatchOperator,
+			&r.MatchValue,
+			&r.ThresholdCount,
+			&r.ThresholdWindowSeconds,
+			&r.SuppressForSeconds,
+		); err != nil {
+			return err
+		}
+
+		if err := d.evaluateDynamicRule(ctx, r); err != nil {
+			d.logger.Printf("dynamic rule %s error: %v", r.Name, err)
+			d.ruleErrorsTotal.WithLabelValues("dynamic_" + r.Name).Inc()
+			continue
+		}
+
+		d.ruleLastRunGauge.WithLabelValues("dynamic_" + r.Name).Set(float64(time.Now().Unix()))
+	}
+
+	return rows.Err()
+}
+
+func (d *detector) evaluateDynamicRule(ctx context.Context, r DynamicRule) error {
+	eventIDs := parseCSVUint32(r.EventIDs)
+	channels := parseCSVStrings(r.Channel)
+
+	if len(eventIDs) == 0 || len(channels) == 0 {
+		return nil
+	}
+
+	if r.ThresholdCount <= 1 || r.ThresholdWindowSeconds <= 0 {
+		return d.evaluateSingleEventRule(ctx, r, channels, eventIDs)
+	}
+
+	return d.evaluateThresholdRule(ctx, r, channels, eventIDs)
+}
+
+func (d *detector) evaluateSingleEventRule(ctx context.Context, r DynamicRule, channels []string, eventIDs []uint32) error {
+	windowEnd := time.Now().UTC()
+	windowStart := windowEnd.Add(-d.cfg.DetectionInterval)
+
+	query := `
+SELECT id, hostname, channel_name, event_id, target_user, subject_user, src_ip, workstation, process_name, msg, ts
+FROM event_logs
+WHERE ts >= ? AND ts < ?
+`
+	args := []any{windowStart, windowEnd}
+
+	query += buildInClause("channel_name", len(channels))
+	for _, ch := range channels {
+		args = append(args, ch)
+	}
+
+	query += buildInClause("event_id", len(eventIDs))
+	for _, id := range eventIDs {
+		args = append(args, id)
+	}
+
+	query += ` ORDER BY ts DESC LIMIT 500`
+
+	rows, err := d.db.QueryContext(ctx, query, args...)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+
+	for rows.Next() {
+		var ev struct {
+			ID          uint64
+			Hostname    string
+			Channel     string
+			EventID     uint32
+			TargetUser  string
+			SubjectUser string
+			SrcIP       string
+			Workstation string
+			ProcessName string
+			Message     string
+			Time        time.Time
+		}
+
+		if err := rows.Scan(
+			&ev.ID,
+			&ev.Hostname,
+			&ev.Channel,
+			&ev.EventID,
+			&ev.TargetUser,
+			&ev.SubjectUser,
+			&ev.SrcIP,
+			&ev.Workstation,
+			&ev.ProcessName,
+			&ev.Message,
+			&ev.Time,
+		); err != nil {
+			return err
+		}
+
+		fields := map[string]string{
+			"hostname":     ev.Hostname,
+			"channel":      ev.Channel,
+			"event_id":     strconv.Itoa(int(ev.EventID)),
+			"target_user":  ev.TargetUser,
+			"subject_user": ev.SubjectUser,
+			"src_ip":       ev.SrcIP,
+			"workstation":  ev.Workstation,
+			"process_name": ev.ProcessName,
+			"msg":          ev.Message,
+		}
+
+		if !dynamicRuleMatches(r, fields) {
+			continue
+		}
+
+		if suppressed, err := d.isDynamicRuleSuppressed(ctx, r, ev.Hostname, ev.Time); err != nil {
+			return err
+		} else if suppressed {
+			continue
+		}
+
+		summary := fmt.Sprintf("Dynamic Rule %s auf %s ausgelöst: EventID %d", r.Name, ev.Hostname, ev.EventID)
+
+		created, err := d.insertDetection(ctx, Detection{
+			RuleName:    "dynamic_" + r.Name,
+			Severity:    r.Severity,
+			Hostname:    ev.Hostname,
+			Channel:     ev.Channel,
+			EventID:     ev.EventID,
+			Score:       1.0,
+			WindowStart: ev.Time,
+			WindowEnd:   ev.Time,
+			Summary:     summary,
+			Details: mustJSON(map[string]any{
+				"rule_id":      r.ID,
+				"rule_name":    r.Name,
+				"description":  r.Description,
+				"event_log_id": ev.ID,
+				"target_user":  ev.TargetUser,
+				"subject_user": ev.SubjectUser,
+				"src_ip":       ev.SrcIP,
+				"workstation":  ev.Workstation,
+				"process_name": ev.ProcessName,
+			}),
+		})
+		if err != nil {
+			return err
+		}
+		if created {
+			d.detectionHitsTotal.WithLabelValues("dynamic_"+r.Name, r.Severity).Inc()
+		}
+	}
+
+	return rows.Err()
+}
+
+func (d *detector) evaluateThresholdRule(ctx context.Context, r DynamicRule, channels []string, eventIDs []uint32) error {
+	windowEnd := time.Now().UTC()
+	windowStart := windowEnd.Add(time.Duration(-r.ThresholdWindowSeconds) * time.Second)
+
+	query := `
+SELECT hostname, COUNT(*) AS cnt, MIN(ts), MAX(ts)
+FROM event_logs
+WHERE ts >= ? AND ts < ?
+`
+	args := []any{windowStart, windowEnd}
+
+	query += buildInClause("channel_name", len(channels))
+	for _, ch := range channels {
+		args = append(args, ch)
+	}
+
+	query += buildInClause("event_id", len(eventIDs))
+	for _, id := range eventIDs {
+		args = append(args, id)
+	}
+
+	if r.MatchField != "" && r.MatchOperator != "" && r.MatchValue != "" {
+		sqlCond, sqlArgs := buildSQLMatchCondition(r)
+		if sqlCond != "" {
+			query += " AND " + sqlCond
+			args = append(args, sqlArgs...)
+		}
+	}
+
+	query += `
+GROUP BY hostname
+HAVING COUNT(*) >= ?
+`
+	args = append(args, r.ThresholdCount)
+
+	rows, err := d.db.QueryContext(ctx, query, args...)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+
+	for rows.Next() {
+		var host string
+		var count int
+		var firstSeen time.Time
+		var lastSeen time.Time
+
+		if err := rows.Scan(&host, &count, &firstSeen, &lastSeen); err != nil {
+			return err
+		}
+
+		if suppressed, err := d.isDynamicRuleSuppressed(ctx, r, host, windowEnd); err != nil {
+			return err
+		} else if suppressed {
+			continue
+		}
+
+		score := float64(count) / float64(r.ThresholdCount)
+
+		created, err := d.insertDetection(ctx, Detection{
+			RuleName:    "dynamic_" + r.Name,
+			Severity:    r.Severity,
+			Hostname:    host,
+			Score:       score,
+			WindowStart: windowStart,
+			WindowEnd:   windowEnd,
+			Summary: fmt.Sprintf(
+				"Dynamic Rule %s auf %s: %d Events in %d Sekunden",
+				r.Name,
+				host,
+				count,
+				r.ThresholdWindowSeconds,
+			),
+			Details: mustJSON(map[string]any{
+				"rule_id":              r.ID,
+				"rule_name":            r.Name,
+				"description":          r.Description,
+				"count":                count,
+				"threshold_count":      r.ThresholdCount,
+				"threshold_window_sec": r.ThresholdWindowSeconds,
+				"first_seen":           firstSeen.UTC().Format(time.RFC3339Nano),
+				"last_seen":            lastSeen.UTC().Format(time.RFC3339Nano),
+				"event_ids":            r.EventIDs,
+				"channels":             r.Channel,
+				"match_field":          r.MatchField,
+				"match_operator":       r.MatchOperator,
+				"match_value":          r.MatchValue,
+			}),
+		})
+		if err != nil {
+			return err
+		}
+		if created {
+			d.detectionHitsTotal.WithLabelValues("dynamic_"+r.Name, r.Severity).Inc()
+			d.anomalyScoreGauge.WithLabelValues(host, "dynamic_"+r.Name).Set(score)
+		}
+	}
+
+	return rows.Err()
+}
+
+func (d *detector) isDynamicRuleSuppressed(ctx context.Context, r DynamicRule, hostname string, now time.Time) (bool, error) {
+	if r.SuppressForSeconds <= 0 {
+		return false, nil
+	}
+
+	since := now.UTC().Add(time.Duration(-r.SuppressForSeconds) * time.Second)
+
+	var count int
+	err := d.db.QueryRowContext(ctx, `
+SELECT COUNT(*)
+FROM detections
+WHERE rule_name = ?
+  AND hostname = ?
+  AND created_at >= ?
+`, "dynamic_"+r.Name, hostname, since).Scan(&count)
+	if err != nil {
+		return false, err
+	}
+
+	return count > 0, nil
+}
+
+func parseCSVStrings(v string) []string {
+	parts := strings.Split(v, ",")
+	out := make([]string, 0, len(parts))
+
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			out = append(out, p)
+		}
+	}
+
+	return out
+}
+
+func parseCSVUint32(v string) []uint32 {
+	parts := strings.Split(v, ",")
+	out := make([]uint32, 0, len(parts))
+
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p == "" {
+			continue
+		}
+
+		n, err := strconv.ParseUint(p, 10, 32)
+		if err != nil {
+			continue
+		}
+
+		out = append(out, uint32(n))
+	}
+
+	return out
+}
+
+func buildInClause(field string, count int) string {
+	if count <= 0 {
+		return ""
+	}
+
+	var sb strings.Builder
+	sb.WriteString(" AND ")
+	sb.WriteString(field)
+	sb.WriteString(" IN (")
+
+	for i := 0; i < count; i++ {
+		if i > 0 {
+			sb.WriteString(",")
+		}
+		sb.WriteString("?")
+	}
+
+	sb.WriteString(")")
+	return sb.String()
+}
+
+func dynamicRuleMatches(r DynamicRule, fields map[string]string) bool {
+	if r.MatchField == "" || r.MatchOperator == "" || r.MatchValue == "" {
+		return true
+	}
+
+	actual := strings.TrimSpace(fields[r.MatchField])
+	expected := strings.TrimSpace(r.MatchValue)
+
+	switch strings.ToLower(r.MatchOperator) {
+	case "eq":
+		return strings.EqualFold(actual, expected)
+
+	case "contains":
+		return strings.Contains(
+			strings.ToLower(actual),
+			strings.ToLower(expected),
+		)
+
+	case "in":
+		values := parseCSVStrings(expected)
+		for _, v := range values {
+			if strings.EqualFold(actual, v) {
+				return true
+			}
+		}
+		return false
+
+	default:
+		return false
+	}
+}
+
+func buildSQLMatchCondition(r DynamicRule) (string, []any) {
+	fieldMap := map[string]string{
+		"hostname":     "hostname",
+		"channel":      "channel_name",
+		"event_id":     "event_id",
+		"target_user":  "target_user",
+		"subject_user": "subject_user",
+		"src_ip":       "src_ip",
+		"workstation":  "workstation",
+		"process_name": "process_name",
+		"msg":          "msg",
+	}
+
+	col, ok := fieldMap[strings.ToLower(strings.TrimSpace(r.MatchField))]
+	if !ok {
+		return "", nil
+	}
+
+	op := strings.ToLower(strings.TrimSpace(r.MatchOperator))
+	val := strings.TrimSpace(r.MatchValue)
+
+	switch op {
+	case "eq":
+		return col + " = ?", []any{val}
+
+	case "contains":
+		return col + " LIKE ?", []any{"%" + val + "%"}
+
+	case "in":
+		values := parseCSVStrings(val)
+		if len(values) == 0 {
+			return "", nil
+		}
+
+		var sb strings.Builder
+		sb.WriteString(col)
+		sb.WriteString(" IN (")
+
+		args := make([]any, 0, len(values))
+		for i, v := range values {
+			if i > 0 {
+				sb.WriteString(",")
+			}
+			sb.WriteString("?")
+			args = append(args, v)
+		}
+
+		sb.WriteString(")")
+		return sb.String(), args
+	}
+
+	return "", nil
+}
+
 func (s *server) runDetectionsOnce() {
 	ctx, cancel := context.WithTimeout(context.Background(), s.cfg.DetectionInterval)
 	defer cancel()
@@ -1522,6 +2275,7 @@ func (s *server) runDetectionsOnce() {
 		{"password_spray", s.detector.runPasswordSprayRule},
 		{"success_after_failures", s.detector.runSuccessAfterFailuresRule},
 		{"new_source_ip_for_user", s.detector.runNewSourceIPForUserRule},
+		{"dynamic_rules", s.detector.runDynamicRules},
 	}
 
 	for _, rule := range rules {
@@ -1599,8 +2353,8 @@ WHERE is_enabled = 1
 
 		minutes := int(windowEnd.Sub(lastSeen.UTC()).Minutes())
 
-		score := math.Max(1, float64(minutes)/float64(int(d.cfg.OfflineAfter.Minutes())))
-		severity := severityFromScore(score, 1.5, 3.0)
+		score := math.Min(1.0, math.Max(0.1, float64(minutes)/float64(int(d.cfg.OfflineAfter.Minutes()))))
+		severity := "low"
 
 		d.anomalyScoreGauge.WithLabelValues(host, "agent_offline").Set(score)
 
@@ -2150,6 +2904,8 @@ func NormalizeEventXML(xmlStr string) NormalizedEvent {
 					out.SubStatusText = v
 				case "FailureReason":
 					out.FailureReason = v
+				case "MemberName":
+					out.MemberName = v
 				}
 			}
 		}