# Rule Mapping Table
This notebook displays a structured mapping between use case rule IDs and their technical detection flags.
The table supports alignment between detection logic, alert labeling, and compliance requirements.

In [2]:
import pandas as pd

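# Rule mapping table: one row per use-case rule, linking the rule ID to the
# detection flag that signals it, its severity, and the GDPR article(s) cited.
rule_mapping = pd.DataFrame([
    {
        'rule_id': 'UC-01',
        'use_case': 'Non-EU Transfer Without Consent',
        'detection_flag': 'non_eu_flag',
        'severity': 'High',
        'gdpr_article': 'Art. 44',
        'description': 'Transfer of data to non-EU location without active consent.'
    },
    {
        'rule_id': 'UC-02',
        'use_case': 'Access to Raw Diagnostic Data',
        'detection_flag': 'raw_diagnostic_flag',
        'severity': 'High',
        'gdpr_article': 'Art. 5, 32',
        'description': 'Unmasked access to diagnostic data (e.g. DICOM logs).'
    },
    {
        'rule_id': 'UC-03',
        'use_case': 'Consent Flag Manipulation Pattern',
        'detection_flag': 'consent_violation_flag',
        'severity': 'Medium',
        'gdpr_article': 'Art. 7',
        'description': 'Unusual toggling of consent state before sensitive operations.'
    },
    {
        'rule_id': 'UC-04',
        'use_case': 'AI Model Behavior Drift / Manipulation',
        'detection_flag': 'model_drift_flag',
        'severity': 'Medium',
        'gdpr_article': 'Art. 22',
        'description': 'Detection of shift in model output or potential adversarial interference.'
    },
    {
        'rule_id': 'UC-05',
        'use_case': 'Suspicious Admin Access After Hours',
        'detection_flag': 'admin_access_outside_hours',
        'severity': 'High',
        'gdpr_article': 'Art. 32',
        'description': 'Privileged access outside business hours may indicate misuse.'
    }
])

# Integrity checks on the mapping itself. The table is meant to align detection
# logic with alert labels, so a duplicated ID or flag, or a row with a missing
# field (a dict that omits a key becomes NaN), would make the mapping ambiguous.
assert rule_mapping['rule_id'].is_unique, 'duplicate rule_id in rule mapping'
assert rule_mapping['detection_flag'].is_unique, 'duplicate detection_flag in rule mapping'
assert not rule_mapping.isna().any().any(), 'rule mapping has missing fields'

# Display rule mapping table (portable version).
# Lift the column-width limit so the description column is shown in full
# instead of being cut off with "...".
with pd.option_context('display.max_colwidth', None):
    try:
        display(rule_mapping)
    except NameError:
        # `display` is only injected by IPython/Jupyter; fall back to plain
        # text so the cell also runs as an ordinary Python script.
        print(rule_mapping.to_string(index=False))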


Unnamed: 0,rule_id,use_case,detection_flag,severity,gdpr_article,description
0,UC-01,Non-EU Transfer Without Consent,non_eu_flag,High,Art. 44,Transfer of data to non-EU location without ac...
1,UC-02,Access to Raw Diagnostic Data,raw_diagnostic_flag,High,"Art. 5, 32",Unmasked access to diagnostic data (e.g. DICOM...
2,UC-03,Consent Flag Manipulation Pattern,consent_violation_flag,Medium,Art. 7,Unusual toggling of consent state before sensi...
3,UC-04,AI Model Behavior Drift / Manipulation,model_drift_flag,Medium,Art. 22,Detection of shift in model output or potentia...
4,UC-05,Suspicious Admin Access After Hours,admin_access_outside_hours,High,Art. 32,Privileged access outside business hours may i...
