End-to-end workflow that turns SigmaHQ rules into SDL Scheduled
custom-detection rules:
1. SIEM-toolkit provides the coverage map to find what's thin --
MITRE ATT&CK heatmap across all detection library rules, rule
firing status (active vs never-fired).
2. Pick Sigma rules (https://github.com/SigmaHQ/sigma) that target
those tactics.
3. Convert the Sigma rules to PowerQuery with
pysigma-backend-sentinelone-pq.
4. Smoke-test against your tenant's /api/powerQuery, deploy via
/web/api/v2.1/cloud-detection/rules as Scheduled PQ rules in Draft.
5. Re-running on a different tenant is just re-pointing the
credentials -- the converted .pq bodies travel as-is.
Files:
README_sigma_pipeline.md -- full workflow doc
recommend_sigma_imports.py -- coverage-map reader -> rule shortlist
probe_wel_schema.py -- WEL parser field discovery
convert_test_deploy_sigma.py -- pick + convert + 3 variants + deploy
fixup_rules_6_7.py -- OriginalFileName pre-processor
run_sigma_on_tenant.py -- redeploy already-converted bodies
verify_rule_exists_via_put.py -- PUT-existence test (RBAC workaround)
verify_deployed_sigma_rules.py -- RBAC visibility diagnostic
tenant_config.example.json -- credentials template (gitignored real one)
Each converted rule emits three PowerQuery variants:
<stem>.pq -- faithful (S1 DV schema)
<stem>.relaxed.pq -- drops endpoint.os + event.type clauses
<stem>.wel.pq -- rewritten onto microsoft_windows_eventlog-latest
All scripts read credentials from tenant_config.json (or the
SIEM_TOOLKIT_CONFIG env var), discover the target site_id at runtime,
and persist deployed rule IDs to deployed_rule_ids.json so the verify
scripts work without hardcoded IDs.
- Fetch detection library rules from platform-rules API at startup (falls
back to extracted.json); adds Sync Detection Library button for refresh
- Parser column simplified to ✓ Parsed / ✗ Not Parsed
- Detection counts now use library rules only (exclude custom STAR rules)
- Add close-match suggestions for dataSource.name mismatches (e.g. CloudTrail
→ AWS CloudTrail, Microsoft 365 Collaboration → Microsoft O365)
- Exclude SentinelOne Ranger AD from coverage map (native S1 source)
- Add success feedback banners to Load SDL Parsers and Sync Library buttons
- Remove rule_counts.json manual override; extracted.json is source of truth
- Remove Load Detections button; rules auto-import on backend startup
- Add get_account_id() and get_platform_rules() to s1_client
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
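As an added example (not code from this repository), a minimal implementation of the relaxed-variant step described above: it drops the top-level endpoint.os and event.type clauses from a faithful PQ filter and refuses to emit a filter that would match every event. The PQ sample shape and the clause-splitting approach are assumptions; the real convert_test_deploy_sigma.py may do this differently.

```python
import re

# Fields the .relaxed.pq variant drops, per the workflow description above.
RELAXED_DROP_FIELDS = {"endpoint.os", "event.type"}


def split_top_level_and(expr: str) -> list[str]:
    """Split a PQ filter on top-level ' and ', ignoring quoted strings and parens."""
    parts, buf, depth, quote, i = [], "", 0, None, 0
    while i < len(expr):
        ch = expr[i]
        if quote:                      # inside a string literal: copy verbatim
            buf += ch
            quote = None if ch == quote else quote
        elif ch in ("'", '"'):
            quote, buf = ch, buf + ch
        elif ch == "(":
            depth, buf = depth + 1, buf + ch
        elif ch == ")":
            depth, buf = depth - 1, buf + ch
        elif depth == 0 and expr[i:i + 5].lower() == " and ":
            parts.append(buf.strip())
            buf, i = "", i + 5
            continue
        else:
            buf += ch
        i += 1
    parts.append(buf.strip())
    return [p for p in parts if p]


def relax_pq(query: str) -> str:
    """Return the relaxed body: the faithful query minus top-level clauses whose
    leading field is endpoint.os or event.type. Only the filter stage (text
    before the first '|') is rewritten; later stages pass through unchanged."""
    filter_stage, pipe, rest = query.partition("|")
    kept = []
    for clause in split_top_level_and(filter_stage):
        m = re.match(r"\(?\s*([\w.]+)", clause)
        if m and m.group(1) in RELAXED_DROP_FIELDS:
            continue
        kept.append(clause)
    if not kept:
        # A filter made only of dropped clauses would match every event.
        raise ValueError("relaxed variant would have an empty filter")
    return " and ".join(kept) + (f" {pipe}{rest}" if pipe else "")
```

Run it over each faithful `<stem>.pq` body and write the result to `<stem>.relaxed.pq`; the wel variant is a separate schema rewrite and is not covered here.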