Initial commit: SIEM Toolkit for SentinelOne

Dockerized SecOps toolkit with:
- Coverage Map: STAR rule vs SDL parser field coverage analysis
- Ingest Dashboard: PowerQuery-powered event volume and source breakdown
- Onboarding Assistant: AI-guided log source onboarding with Claude
- Parser management via SDL MCP integration

Stack: FastAPI + PostgreSQL backend, nginx-served HTML frontend, Docker Compose.
PowerQuery runs via Scalyr XDR API (SDL_XDR_URL + SDL_LOG_READ_KEY).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

parsers/crowdstrike_falcon-latest

@@ -0,0 +1,25 @@
+{
+  attributes: {
+    dataset: "Endpoint",
+    "dataSource.name": "CrowdStrike Falcon",
+    "dataSource.vendor": "CrowdStrike",
+    "dataSource.category": "security"
+  }
+  patterns: {
+    keyPattern: "\\w+"
+    lastValuePattern: "[\\w\\s]+"
+  },
+  formats: [
+    {
+      format: "CEF:$version$\\|$deviceVendor$\\|$deviceProduct$\\|$deviceVersion$\\|$signatureID$\\|$name$\\|$severity$\\|$extension$"
+    },
+    {
+      format: ".*[\\s]$_=keyPattern$=$_$ \\w+=",
+      repeat: true
+    },
+    {
+      format: ".*\\s$_=keyPattern$=$_=lastValuePattern$",
+      repeat: true
+    }
+  ]
+}