Existing methods for generating detection rules rely on specific input-output pairs and lack a unified framework. This work formalizes the task for the first time as a unified mapping from contextual and target-language inputs to detection rules, introducing UniRule—a novel framework that models semantic distance in a dual semantic projection space encompassing detection intent and detection logic to characterize optimal rules. UniRule integrates an agent-based RAG architecture to achieve generalization across diverse contexts and languages. Experimental results demonstrate that UniRule significantly outperforms pure large language model (LLM) approaches across twelve distinct scenarios, achieving a Bradley-Terry preference coefficient of 0.52, thereby validating its effectiveness and broad applicability.

Existing methods for detection rule generation are tightly coupled to specific input-output combinations, requiring dedicated pipelines for each. We formalize this problem as a unified mapping f:C*L->R and characterize optimal rules through semantic distance. We propose UniRule, an agentic RAG framework built on dual semantic projection spaces: detection intent and detection logic. This design enables retrieval and generation across arbitrary contexts and target languages within a single system. Experiments across 12 scenarios (3 languages, 4 context types, 12,000 pairwise comparisons) show that UniRule significantly outperforms pure LLM generation with a Bradley-Terry coefficient of 0.52, validating semantic projection as an effective abstraction for unified rule generation. Together, the formalization, method, and evaluation provide an initial framework for studying detection rule generation as a unified task.