Update README.md

2026-06-10 13:21:17 +00:00 · 2026-05-22 13:58:13 +02:00
parent d1d92d3967
commit 1e61fa9814
1 changed files with 44 additions and 32 deletions
@@ -32,8 +32,8 @@ browser → nginx (port 3001) → single-page HTML/JS application
                ↓
    ┌───────────────────────────┐
    │  SentinelOne APIs         │
-    │  • Management API         │  demo.sentinelone.net
+    │  • Management API         │  
-    │  • Scalyr XDR PowerQuery  │  xdr.us1.sentinelone.net
+    │  • XDR PowerQuery  │  
    └───────────────────────────┘
 ```
@@ -46,43 +46,29 @@ All services run via Docker Compose. The `parsers/` directory is volume-mounted
 ### 1. Clone and Configure
 ```bash
-git clone https://github.com/mickbrowns1/SIEM-Toolkit.git
+git clone 
-cd SIEM-Toolkit
+cd SIEM-Toolkit-patched
 cp .env.example .env
 ```
 Edit `.env` with your credentials:
 ```env
-S1_BASE_URL=https://demo.sentinelone.net       # Your console URL
+S1_BASE_URL=       # Your console URL
-S1_API_TOKEN=eyJ...                             # Service user API token (account scope or higher)
+S1_API_TOKEN=...                             # Service user API token (account scope or higher)
-SDL_XDR_URL=https://xdr.us1.sentinelone.net    # Scalyr XDR endpoint
+SDL_XDR_URL=    #  XDR endpoint
-SDL_LOG_READ_KEY=1j2IU0S...                     # Data Lake read key
+SDL_LOG_READ_KEY=                    # Data Lake read key
 ANTHROPIC_API_KEY=                              # Optional — not currently used
 ```
-**S1_API_TOKEN** — generate at *Settings → Users → Service Users* in the console. The service user should be provisioned at **account scope** or higher.  
+**S1_API_TOKEN** — generate at *Settings → Users → Service Users* in the console. 
-**SDL_LOG_READ_KEY** — found at *Settings → Integrations → Data Lake API Keys*.
+Ideally, the service user API token must be at **account scope** or higher. Site-scoped tokens will have limited visibility into rules and may see reduced source counts.
-### 2. Add the Detection Library (strongly recommended)
+**SDL_LOG_READ_KEY** 
 The Detection Fields Missing column and per-source detection counts on the Coverage Map require a local detections export. This is generated from the [detection-validator](https://github.com/mickbrowns1/detection-validator) repository.
 ```bash
 # Clone the detection-validator repo alongside this one
 git clone https://github.com/mickbrowns1/detection-validator.git
 cd detection-validator
-# Follow its README to generate the export, then copy the output here:
+### 2. Add Parser Files 
 mkdir -p ../SIEM-Toolkit/data
 cp data/data/detections/extracted.json ../SIEM-Toolkit/data/detections.json
 cd ../SIEM-Toolkit
 ```
 The `data/` directory is gitignored and never committed. Once the stack is running, click **Load Detections** on the Coverage Map to import the rules into the database.
 ### 3. Add Parser Files (optional but strongly recommended)
 Place your SDL parser JSON files into the `parsers/` directory. The backend reads them directly at query time — no rebuild is necessary.
@@ -90,7 +76,7 @@ Place your SDL parser JSON files into the `parsers/` directory. The backend read
 cp ~/my-parsers/*.json parsers/
 ```
-### 4. Start the Stack
+### 3. Start the Stack
 ```bash
 docker-compose up -d --build
@@ -268,9 +254,35 @@ curl -X DELETE http://localhost:8001/api/coverage/reset
 ---
-## Notes
+```
 Nothing pushes parsers to the SDL tenant
 The data flow is strictly one-way: SDL tenant → local disk.
 What actually happens
 ┌──────────────────┐    GET /api/listFiles/logParsers/    ┌──────────────────┐
 │   SDL tenant     │ ───────────────────────────────────▶ │ tools/sync_sdl_  │
 │                  │    GET /api/getFile/logParsers/...   │  parsers.py      │
 └──────────────────┘                                       └────────┬─────────┘
                                                                    │ writes
                                                                    ▼
                                                          ./parsers/<name>
                                                                    │
                                                                    │ bind-mount
                                                                    ▼
                                                          /app/parsers (in container)
                                                                    │
                                                                    │ read-only
                                                                    ▼
                                            ┌──────────────────────────────────┐
                                            │ POST /api/quality/test-parser    │
                                            │ POST /api/quality/sync-from-sdl  │
                                            │ GET  /api/quality/parsers        │
                                            └──────────────────────────────────┘
 Endpoint / 	What it really does
 Sync from SDL (POST /api/quality/sync-from-sdl)		Downloads parsers from the tenant into /app/parsers/
 Load SDL Parsers (UI button)	Just re-indexes whatever files already exist in /app/parsers/
 Test Parser (POST /api/quality/test-parser)		Runs the parser logic locally in Python; tenant never touched
 tools/sync_sdl_parsers.py	(helper)	Downloads parsers; never uploads
 ```
 - The backend queries your **demo tenant** (`demo.sentinelone.net`) — not usea1-purple or any other tenant. Ensure your `S1_BASE_URL` and `SDL_LOG_READ_KEY` are pointed at the same tenant.
 - Parser files in `parsers/` are read at query time, not on startup — add or update files at any point without rebuilding the image.
 - The filter simulator is entirely read-only and makes no changes whatsoever to your tenant configuration.
 - The service user API token must be at **account scope** or higher. Site-scoped tokens will have limited visibility into rules and may see reduced source counts.