When using a sandbox, we expect to gain as much information as possible through dynamic analysis, including behavior, file modifications, and interactions with external machines. However, this information is vast and low-level, and what an analyst actually wants is higher-level information such as which family a sample belongs to and which ATT&CK techniques it uses. In existing sandbox implementations, analysts obtain this through predefined rules, such as combinations of specific APIs or strings, extracted from the analyzed information. These rules are effective, but they are time-consuming and laborious to write, and they are also narrow: each rule matches only the pattern it was written for. In this talk, I will share how we use the APIs and dynamic string results generated by the sandbox, combined with the malware families and ATT&CK tags produced by the predefined rules, as training data to identify hidden relationships among samples labeled as the same type that differ from the predefined rules. We feed these results back to the sandbox as new rules, achieving the goal of automatically generating rules.
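The feedback loop described above, as an added illustration that is not the speaker's code: constructed sandbox reports (API names plus decoded runtime strings, labeled by family using existing rules) are mined for minimal feature combinations that are frequent within one label and absent from the others, and the resulting combinations are emitted as new rules. Family names, feature values and thresholds are assumptions; ATT&CK tags would be mined the same way as additional labels.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sandbox output: one (family label, observed features) pair per sample.
# Features mix API names and decoded runtime strings (prefixed "str:"); the values
# are illustrative and not taken from the talk.
REPORTS = [
    ("FamA", {"WriteProcessMemory", "VirtualAllocEx", "CreateProcessA", "str:schtasks"}),
    ("FamA", {"WriteProcessMemory", "CreateRemoteThread", "CreateProcessA", "str:schtasks"}),
    ("FamA", {"VirtualAllocEx", "CreateRemoteThread", "RegSetValueExA", "str:schtasks"}),
    ("FamB", {"WriteProcessMemory", "InternetOpenA", "CreateProcessA", "str:/c ping"}),
    ("FamB", {"VirtualAllocEx", "InternetOpenA", "WriteFile", "str:/c ping"}),
    ("FamB", {"InternetReadFile", "InternetOpenA", "CreateProcessA", "str:schtasks"}),
]

def mine_rules(reports, min_coverage=0.66, min_precision=1.0, max_size=2):
    """For each label, find minimal feature sets (up to max_size features) present in
    at least min_coverage of that label's samples and, at min_precision=1.0, in none
    of the other labels' samples. Returns {label: [frozenset, ...]}."""
    by_label = defaultdict(list)
    for label, feats in reports:
        by_label[label].append(feats)
    rules = {}
    for label, own in by_label.items():
        others = [f for other, fs in by_label.items() if other != label for f in fs]
        vocab = sorted(set().union(*own))
        found = []
        for size in range(1, max_size + 1):
            for combo in map(frozenset, combinations(vocab, size)):
                if any(r < combo for r in found):
                    continue  # a smaller accepted rule already implies this one
                hits = sum(combo <= f for f in own)
                false_hits = sum(combo <= f for f in others)
                coverage = hits / len(own)
                precision = hits / (hits + false_hits) if hits else 0.0
                if coverage >= min_coverage and precision >= min_precision:
                    found.append(combo)
        rules[label] = found
    return rules

def classify(rules, features):
    """Labels whose generated rules fire on a new report's feature set."""
    return {label for label, rs in rules.items() if any(r <= features for r in rs)}

if __name__ == "__main__":
    rules = mine_rules(REPORTS)
    for label, rs in rules.items():
        for r in rs:
            print(f"{label}: all_of({sorted(r)})")
    # "str:schtasks" alone is shared by both families; only the API+string pair
    # {VirtualAllocEx, str:schtasks} separates this fresh sample.
    print(classify(rules, {"VirtualAllocEx", "NtClose", "str:schtasks"}))  # {'FamA'}
```

Raising max_size or lowering min_precision trades rule simplicity for coverage; in practice the mined rules go back through analyst review before the sandbox applies them.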