End-to-end workflow that turns SigmaHQ rules into SDL Scheduled
custom-detection rules:
1. SIEM-toolkit provides the coverage map to find what's thin --
MITRE ATT&CK heatmap across all detection library rules, rule
firing status (active vs never-fired).
2. Pick Sigma rules (https://github.com/SigmaHQ/sigma) that target
those tactics.
3. Convert the Sigma rules to PowerQuery with
pysigma-backend-sentinelone-pq.
4. Smoke-test against your tenant's /api/powerQuery, deploy via
/web/api/v2.1/cloud-detection/rules as Scheduled PQ rules in Draft.
5. Re-running on a different tenant is just re-pointing the
credentials -- the converted .pq bodies travel as-is.
Files:
  README_sigma_pipeline.md         full workflow doc
  recommend_sigma_imports.py       coverage-map reader -> rule shortlist
  probe_wel_schema.py              WEL parser field discovery
  convert_test_deploy_sigma.py     pick + convert + 3 variants + deploy
  fixup_rules_6_7.py               OriginalFileName pre-processor
  run_sigma_on_tenant.py           redeploy already-converted bodies
  verify_rule_exists_via_put.py    PUT-existence test (RBAC workaround)
  verify_deployed_sigma_rules.py   RBAC visibility diagnostic
  tenant_config.example.json       credentials template (the real tenant_config.json is gitignored)
Each converted rule emits three PowerQuery variants:
  <stem>.pq           faithful (S1 DV schema)
  <stem>.relaxed.pq   drops endpoint.os + event.type clauses
  <stem>.wel.pq       rewritten onto microsoft_windows_eventlog-latest
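Worked example of the relaxed-variant step, added here and not one of the repo's scripts: it strips the top-level endpoint.os / event.type conjuncts from a converted body and refuses to emit a query that would be left unconditional. The sample query and its field names are constructed for illustration, not output of pysigma-backend-sentinelone-pq.

```python
import re

# Constructed sample body shaped like a Sigma->PowerQuery conversion;
# field names are assumptions for illustration, not real backend output.
SAMPLE_PQ = (
    'event.type = "Process Creation" and endpoint.os = "windows" and '
    '(tgt.process.cmdline contains "whoami" or tgt.process.cmdline contains "net user")'
)
# Fields whose top-level clauses the relaxed variant drops.
RELAXED_DROP_FIELDS = ("endpoint.os", "event.type")
# Leading "field <op>" of a simple comparison clause.
FIELD_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*(?:!=|=|in\b|contains\b)", re.I)


def split_top_level_and(expr):
    """Split on ' and ' at parenthesis depth 0, outside string literals."""
    parts, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if in_str:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(expr):   # keep escaped char verbatim
                buf.append(expr[i + 1]); i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True; buf.append(ch)
        elif ch in "()":
            depth += 1 if ch == "(" else -1; buf.append(ch)
        elif depth == 0 and expr.startswith(" and ", i):
            parts.append("".join(buf).strip()); buf = []; i += 4
        else:
            buf.append(ch)
        i += 1
    if buf:
        parts.append("".join(buf).strip())
    return parts


def relax(pq):
    """Return the .relaxed.pq body: the faithful query minus its endpoint.os /
    event.type conjuncts. Raises if no selective clause would remain."""
    kept = []
    for clause in split_top_level_and(pq):
        m = FIELD_RE.match(clause)
        if m and m.group(1).lower() in RELAXED_DROP_FIELDS:
            continue            # drop the schema/OS scoping clause
        kept.append(clause)
    if not kept:
        raise ValueError("relaxed variant would be unconditional; keep the faithful .pq")
    return " and ".join(kept)
```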
All scripts read credentials from tenant_config.json (or the
SIEM_TOOLKIT_CONFIG env var), discover the target site_id at runtime,
and persist deployed rule IDs to deployed_rule_ids.json so the verify
scripts work without hardcoded IDs.