sdl-solutions: Detection as Code (s1-secops-skills v1.2.5)#72
Merged
jham-s1 merged 11 commits intoJul 6, 2026
Merged
Conversation
New sdl-solutions DaC playbook + detection-as-code-starter scaffold: author detection rules as TOML in Git, validate on PR, sync to the Custom Detection Rule API on merge. Covers single-event, correlation, and scheduled rule types; ships a zero-dependency dac_sync.py engine (TOML to API, idempotent create-or-update) with lint/sync CI for GitHub, GitLab, and Azure. mgmt-console-api: correlation rules require queryLang 2.0 (confirmed live). Version bump to 1.2.5, rebuilt dist bundles, CHANGELOG entry.
…aC + RBA Quote the SKILL.md description so colons inside it (Catalog:, z-score:, Triggers:) no longer break YAML frontmatter parsing. Add Detection as Code and Risk-Based Alerting to docs/skills.md (triggers, solution catalog, playbooks list). Rebuilt sdl-solutions.skill and the plugin bundle.
Contributor
|
Helping Prithvi, I will attempt to approve and merge this PR. apporved |
jham-s1
approved these changes
Jul 6, 2026
jham-s1
left a comment
Contributor
There was a problem hiding this comment.
Approving these changes to support Prithvi
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a Detection as Code (DaC) solution to
sdl-solutions: detection engineers author rules as TOML in Git, a pull request runs validation and four-eyes review, and a merge syncs the changed rules to the SentinelOne Custom Detection Rule API. Covers all three rule types (single-eventevents, multi-eventcorrelation, scheduled PowerQuery) with CI for GitHub, GitLab, and Azure. Separate, self-contained PR; the diff is DaC-only on top of currentmain(v1.2.4 to v1.2.5).What's included
skills/sdl-solutions/references/detection-as-code.md-- the orchestration playbook (prereqs, repo scaffold, branch protection / CODEOWNERS / RBAC, lint-on-PR + sync-on-merge CI, the TOML rule format, dry-run then deploy, monitor/refine).skills/sdl-solutions/assets/detection-as-code-starter/-- a ready-to-use repo scaffold: a zero-dependencydac_sync.py(TOML to Custom Detection API JSON, validate, idempotent create-or-update, lint/dry-run/sync/changed-only/rollback),dac_lint.py,rule.schema.json, working TOML examples per rule type, GitHub/GitLab/Azure CI, and CODEOWNERS.docs/solutions/detection-as-code.md-- the human guide.skills/mgmt-console-api/SKILL.md-- correlation rules requirequeryLang: "2.0"(confirmed live; without it the POST returns HTTP 400query lang must be 2.0).plugin.json+ marketplace), rebuiltdist/bundles, CHANGELOG entry.Testing
dac_sync.py --lint.s1-secops-skills-v1.2.5.pluginverified to contain the DaC playbook, scaffold, anddac_sync.py; no__pycache__/.DS_Storeleaked.Notes
<.sentinelone-<skill>-><skill>,sentinelone-mcp->s1-secops-mcp.