Initial commit: SIEM Toolkit for SentinelOne

Dockerized SecOps toolkit with:
- Coverage Map: STAR rule vs SDL parser field coverage analysis
- Ingest Dashboard: PowerQuery-powered event volume and source breakdown
- Onboarding Assistant: AI-guided log source onboarding with Claude
- Parser management via SDL MCP integration

Stack: FastAPI + PostgreSQL backend, nginx-served HTML frontend, Docker Compose.
PowerQuery runs via Scalyr XDR API (SDL_XDR_URL + SDL_LOG_READ_KEY).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/db.py

@@ -0,0 +1,46 @@
+import os
+from sqlalchemy import create_engine, Column, Integer, String, Float, DateTime, Text
+from sqlalchemy.dialects.postgresql import JSONB
+from sqlalchemy.orm import declarative_base, sessionmaker
+from datetime import datetime
+
+DATABASE_URL = os.environ.get("DATABASE_URL", "postgresql://siem:siem@db:5432/siem")
+
+engine = create_engine(DATABASE_URL)
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+Base = declarative_base()
+
+
+class ParsedRule(Base):
+    __tablename__ = "parsed_rules"
+    id = Column(Integer, primary_key=True)
+    rule_id = Column(String, unique=True, index=True)
+    name = Column(String)
+    rule_type = Column(String)  # 'star' or 'sigma'
+    fields_used = Column(JSONB)
+    raw = Column(Text)
+    cached_at = Column(DateTime, default=datetime.utcnow)
+
+
+class ParserField(Base):
+    __tablename__ = "parser_fields"
+    id = Column(Integer, primary_key=True)
+    parser_name = Column(String, index=True)
+    field_name = Column(String)
+    field_type = Column(String)
+
+
+class IngestSnapshot(Base):
+    __tablename__ = "ingest_snapshots"
+    id = Column(Integer, primary_key=True)
+    period_days = Column(Integer)
+    data = Column(JSONB)
+    recorded_at = Column(DateTime, default=datetime.utcnow)
+
+
+def get_db():
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()