Skip to content

Commit b73ea3d

Browse files
authored
Merge pull request #72 from pmoses-s1/feat/sdl-solutions-detection-as-code
sdl-solutions: Detection as Code (s1-secops-skills v1.2.5)
2 parents c6e4048 + 8c97af9 commit b73ea3d

67 files changed

Lines changed: 3657 additions & 491 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.claude-plugin/marketplace.json

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,8 +13,8 @@
1313
{
1414
"name": "s1-secops-skills",
1515
"source": "./plugins/s1-secops-skills",
16-
"description": "SentinelOne SecOps skills for Claude: PowerQuery threat hunting, Management Console API, Singularity Data Lake API, SDL dashboard authoring, SDL log parsing, Hyperautomation workflow generation, source-agnostic behavioral baselining with z-score anomaly detection, and packaged SDL solution deployment (data source onboarding to OCSF with device/user enrichment, dashboard, MITRE-mapped detections and a threat-response flow; plus asset enrichment of raw logs).",
17-
"version": "1.2.4",
16+
"description": "SentinelOne SecOps skills for Claude: PowerQuery threat hunting and STAR/Custom Detection rules; Management Console API; Singularity Data Lake API; SDL dashboards; log parsing (OCSF); Hyperautomation SOAR; z-score anomaly baselining; autonomous DFIR alert investigation (soc-investigator); and one-prompt SDL solutions: source onboarding, asset enrichment, UEBA, ingest health, detection exclusions, Risk-Based Alerting, alert noise reduction, and Detection as Code.",
17+
"version": "1.2.7",
1818
"author": {
1919
"name": "Prithvi Moses",
2020
"email": "prithvi.moses@sentinelone.com"
@@ -33,8 +33,11 @@
3333
"ocsf",
3434
"dashboards",
3535
"detections",
36-
"threat-hunting"
36+
"threat-hunting",
37+
"dfir",
38+
"incident-response",
39+
"investigation"
3740
]
3841
}
3942
]
40-
}
43+
}

CHANGELOG.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
### Added - soc-investigator skill + sdl-solutions: Alert noise reduction (s1-secops-skills v1.2.6)
11+
12+
- New **soc-investigator** skill: autonomous, staged DFIR investigation of SentinelOne alerts (SHORT/MEDIUM/LONG modes) with tool discovery, interactive intake, IOC enrichment, per-endpoint PowerQuery forensics, and optional third-party correlation and anomaly detection. Carries the evidence-discipline and verdict gates from the SOC Analyst standard and the SDL threat-hunt-and-correlation method (`references/evidence-and-verdict-discipline.md`, `references/correlation-and-hunt-methodology.md`). Authored by Joel Mora.
13+
- New `sdl-solutions` solution **Alert noise reduction**: find the sources and signatures flooding the alert queue, separate ingested and already-actioned noise from real detections, recommend an ingestion-severity filter, auto-resolve already-mitigated alerts with a note, and ship a noise-vs-signal dashboard. Adds `references/alert-noise-reduction.md`, `assets/alertnoise_dashboard.template.json`, `assets/alertnoise_autoresolve_ha.template.json`, and `docs/solutions/alert-noise-reduction.md`.
14+
- Plugin version bumped to **1.2.6** (`.claude-plugin/plugin.json`, marketplace entry) and rebuilt bundles in `dist/`.
15+
16+
### Added - sdl-solutions: Detection as Code (s1-secops-skills v1.2.5)
17+
18+
- New `sdl-solutions` solution **Detection as Code (DaC)**: stand up a Git + CI pipeline where detection engineers author rules as TOML, a pull request triggers validation and four-eyes review, and a merge syncs the changed rules to the SentinelOne Custom Detection Rule API. Supports all three rule types (single-event `events`, multi-event `correlation`, and scheduled PowerQuery). Adds `references/detection-as-code.md`, the `assets/detection-as-code-starter/` repo scaffold (a zero-dependency `dac_sync.py` TOML-to-API validate/convert/idempotent-sync engine, `dac_lint.py`, `rule.schema.json`, working TOML examples per rule type, `.github/workflows/{lint,sync}.yml`, `CODEOWNERS`, and GitLab/Azure CI equivalents), and `docs/solutions/detection-as-code.md`.
19+
- `mgmt-console-api`: corrected the Custom Detection Rule type table, `queryType: "correlation"` requires `queryLang: "2.0"` (confirmed live; without it the POST returns HTTP 400 `query lang must be 2.0`). Only single-event `events` rules use 1.0.
20+
- Plugin version bumped to **1.2.5** (`.claude-plugin/plugin.json`, marketplace entry) and rebuilt bundles in `dist/`.
21+
1022
### Added - sdl-solutions: scheduled detection exclusions (s1-secops-skills v1.2.2)
1123

1224
- New `sdl-solutions` solution **scheduled detection exclusions**: suppress known-good noise in a scheduled detection over a third-party source by keying it against a CSV exclusion list (assets by IP/CIDR/host, or custom domains/users/values) loaded as an SDL lookup and applied with a lookup anti-join, plus an exclusion-effectiveness dashboard. CIDR/wildcard matches (which the STAR rule validator rejects) run via a Hyperautomation flow that posts a self-contained OCSF S1 SecurityAlert (`class_uid 99602001`) to UAM. Adds `references/scheduled-detection-exclusions.md`, six `assets/exclusion_*` templates, and `docs/solutions/scheduled-detection-exclusions.md`.

mcp/docker/README.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -28,12 +28,14 @@ When bumping a pin, edit both. They are checked once via `grep` in CI; a mismatc
2828

2929
| What | Source | Current pin |
3030
|---|---|---|
31-
| Image version (`IMAGE_VERSION`) | this repo | `1.2.2` |
31+
| Image version (`IMAGE_VERSION`) | this repo | `1.2.3` |
3232
| `@pmoses-s1/sentinelone-mcp` | npm | `1.2.2` |
3333
| `@burtthecoder/mcp-virustotal` | npm | `1.0.21` |
34-
| `purple-mcp` | git | `1582c094` (Sentinel-One/purple-mcp main) |
34+
| `purple-mcp` | git | `07d4992` (Sentinel-One/purple-mcp `v0.7.0`, 2026-06-26) |
3535

36-
`IMAGE_VERSION` is the tag the image is published under (`ghcr.io/pmoses-s1/s1-mcps:1.2.2`). It is independent of the underlying MCP versions: bump it when the Dockerfile, dispatcher, or bundled CLAUDE.md changes, even if all three MCP pins stay the same.
36+
`purple-mcp` is pinned to the `v0.7.0` release commit rather than a floating `main`, per upstream security guidance. When a newer release ships, repin here and in `mcp/docker/build.sh`.
37+
38+
`IMAGE_VERSION` is the tag the image is published under (`ghcr.io/pmoses-s1/s1-mcps:1.2.3`). It is independent of the underlying MCP versions: bump it when the Dockerfile, dispatcher, or bundled CLAUDE.md changes, even if all three MCP pins stay the same.
3739

3840
## Build locally
3941

@@ -42,9 +44,9 @@ When bumping a pin, edit both. They are checked once via `grep` in CI; a mismatc
4244
docker/build.sh
4345

4446
# Smoke test
45-
docker run -i --rm s1-mcps:1.2.2 help
47+
docker run -i --rm s1-mcps:1.2.3 help
4648
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"smoke","version":"0.1"}}}' \
47-
| docker run -i --rm s1-mcps:1.2.2 sentinelone-mcp
49+
| docker run -i --rm s1-mcps:1.2.3 s1-secops-mcp
4850
```
4951

5052
The dispatcher accepts `sentinelone-mcp`, `purple-mcp`, `virustotal-mcp`, or `help`.

mcp/docker/build.sh

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,13 +18,15 @@ set -euo pipefail
1818
# The version of THIS image. Independent of the underlying MCP versions
1919
# below, bump this when the image content (Dockerfile, dispatcher, bundled
2020
# CLAUDE.md) changes, even if all three MCP pins stay the same.
21-
IMAGE_VERSION="${IMAGE_VERSION:-1.2.2}"
21+
IMAGE_VERSION="${IMAGE_VERSION:-1.2.3}"
2222

2323
# ── Pinned MCP versions ──────────────────────────────────────────────────────
2424
S1_MCP_VERSION="${S1_MCP_VERSION:-1.2.2}"
2525
VT_MCP_PACKAGE="${VT_MCP_PACKAGE:-@burtthecoder/mcp-virustotal}"
2626
VT_MCP_VERSION="${VT_MCP_VERSION:-1.0.21}"
27-
PURPLE_MCP_REF="${PURPLE_MCP_REF:-1582c0945101d0da2a158e66d8c329f66f251f27}"
27+
# purple-mcp v0.7.0 (2026-06-26). Pinned to the release commit, not a floating
28+
# branch, per upstream security guidance. Keep in sync with mcp/docker/README.md.
29+
PURPLE_MCP_REF="${PURPLE_MCP_REF:-07d4992089b10affff6163f296b1f6cb5734539f}"
2830

2931
# ── Image identity ───────────────────────────────────────────────────────────
3032
REGISTRY="${REGISTRY:-ghcr.io/pmoses-s1}"

mcp/docker/entrypoint.sh

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
set -e
66

77
case "${1:-help}" in
8-
sentinelone-mcp|s1)
8+
s1-secops-mcp|sentinelone-mcp|s1)
99
exec sentinelone-mcp
1010
;;
1111
purple-mcp|purple)
@@ -19,21 +19,21 @@ case "${1:-help}" in
1919
SentinelOne Claude Skills MCP Stack
2020
2121
Bundled servers (select one per `docker run`):
22-
sentinelone-mcp PowerQuery, SDL, Mgmt Console REST, UAM, Hyperautomation
22+
s1-secops-mcp PowerQuery, SDL, Mgmt Console REST, UAM, Hyperautomation
2323
purple-mcp Alert triage, Purple AI NLQ, Deep Visibility, assets, vulnerabilities
2424
virustotal-mcp External IOC enrichment
2525
2626
Usage:
2727
docker run -i --rm -e S1_CONSOLE_URL -e S1_CONSOLE_API_TOKEN ... \
28-
ghcr.io/pmoses-s1/s1-mcps:latest sentinelone-mcp
28+
ghcr.io/pmoses-s1/s1-mcps:latest s1-secops-mcp
2929
3030
Reference:
3131
https://github.com/Sentinel-One/ai-siem/blob/main/plugins/s1-secops-skills/docs/docker.md
3232
EOF
3333
;;
3434
*)
3535
echo "entrypoint: unknown command '$1'" >&2
36-
echo "valid: sentinelone-mcp, purple-mcp, virustotal-mcp, help" >&2
36+
echo "valid: s1-secops-mcp, purple-mcp, virustotal-mcp, help" >&2
3737
exit 64
3838
;;
3939
esac

plugins/s1-secops-skills/.claude-plugin/plugin.json

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"name": "s1-secops-skills",
3-
"version": "1.2.4",
4-
"description": "SentinelOne SecOps skills for Claude: PowerQuery threat hunting, Management Console API, Singularity Data Lake API, SDL dashboard authoring, SDL log parsing, Hyperautomation workflow generation, source-agnostic behavioral baselining with z-score anomaly detection, and packaged SDL solution deployment (data source onboarding to OCSF with device/user enrichment, dashboard, MITRE-mapped detections and a threat-response flow; plus asset enrichment of raw logs).",
3+
"version": "1.2.7",
4+
"description": "SentinelOne SecOps skills for Claude: PowerQuery threat hunting and STAR/Custom Detection rules; Management Console API; Singularity Data Lake API; SDL dashboards; log parsing (OCSF); Hyperautomation SOAR; z-score anomaly baselining; autonomous DFIR alert investigation (soc-investigator); and one-prompt SDL solutions: source onboarding, asset enrichment, UEBA, ingest health, detection exclusions, Risk-Based Alerting, alert noise reduction, and Detection as Code.",
55
"author": {
66
"name": "Prithvi Moses",
77
"email": "prithvi.moses@sentinelone.com"
@@ -22,7 +22,12 @@
2222
"asset-enrichment",
2323
"onboarding",
2424
"ocsf",
25-
"solutions"
25+
"solutions",
26+
"detection-as-code",
27+
"dac",
28+
"dfir",
29+
"incident-response",
30+
"investigation"
2631
],
2732
"hooks": {
2833
"SessionStart": [
@@ -38,4 +43,4 @@
3843
},
3944
"license": "AGPL-3.0",
4045
"homepage": "https://github.com/Sentinel-One/ai-siem"
41-
}
46+
}

0 commit comments

Comments
 (0)