Skip to content

s1-secops-skills v1.2.8: detection-as-code learnings across skills#74

Merged
marcorottigni-s1 merged 6 commits into
Sentinel-One:mainfrom
pmoses-s1:feat/dac-learnings-v1.2.8
Jul 8, 2026
Merged

s1-secops-skills v1.2.8: detection-as-code learnings across skills#74
marcorottigni-s1 merged 6 commits into
Sentinel-One:mainfrom
pmoses-s1:feat/dac-learnings-v1.2.8

Conversation

@pmoses-s1

Copy link
Copy Markdown
Contributor

Summary

Captures the detection-as-code validation learnings from live testing into the relevant skills, and bumps the plugin to 1.2.8. No new solution, this hardens sdl-solutions DaC plus three sibling skills with confirmed-live behaviours.

Learnings added

  • mgmt-console-api (custom detection rules + alerts): 1.0 operators (ContainsCIS) are accepted at create but do not evaluate under queryLang 2.0 and the rule silently never fires (use contains:anycase); alerts inherit the rule description; events/correlation alerts appear in /cloud-detection/alerts while scheduled alerts surface only in UAM; scheduled rules sit in Activating (up to ~1h) and every PUT resets activation.
  • sdl-api (HEC): use flat dotted keys ({"event.category":"firewall"}), nested OCSF drops reserved namespaces; HEC data drives all three custom-rule types on an AI-SIEM tenant.
  • powerquery: 1.0-vs-2.0 operator note in the operator reference.
  • sdl-solutions (Detection-as-Code): the metadata-into-description [DaC] footer pattern and an end-to-end HEC validation recipe. Scaffold updated: dac_sync.py folds [metadata] (mitre/tactics/tags/owner) into an idempotent footer, rule.schema.json documents the keys, and the events example uses contains:anycase.

Testing

All learnings were confirmed live on an AI-SIEM tenant: all three DaC rule types were enabled, fired from HEC-simulated data, and each alert carried the [DaC] MITRE/tactics/tags/owner footer.

Release

Plugin version 1.2.7 -> 1.2.8; dist/ rebuilt (s1-secops-skills-v1.2.8.plugin).

pmoses-s1 added 2 commits July 8, 2026 13:55
- mgmt-console-api: custom-rule + alert operational learnings (1.0 operators do not evaluate at queryLang 2.0 and silently never fire; alerts inherit rule description; events/correlation vs scheduled alert-surface split; scheduled activation latency + PUT re-activation)
- sdl-api: HEC ingestion notes (flat dotted keys beat nested JSON; HEC drives all three custom-rule types on AI-SIEM)
- powerquery: 1.0-vs-2.0 operator note (ContainsCIS -> contains:anycase)
- sdl-solutions: DaC playbook metadata-into-description footer + HEC end-to-end validation recipe; scaffold engine folds metadata into a [DaC] footer; events example uses contains:anycase
- version bump to 1.2.8, rebuilt dist bundles
- monitors/requirements.txt: replace version-only pins with a fully hash-locked
  resolution (direct + transitive, 24 packages) generated from requirements.in
  via pip-compile --generate-hashes; verified installable under --require-hashes.
- monitors/requirements.in: add regeneration source.
- .gitignore: ignore __pycache__/ and *.pyc/*.pyo.
- remove accidentally-tracked monitors/__pycache__/*.pyc bytecode.
- README: note the lock is hash-pinned and how to regenerate.

@marcorottigni-s1 marcorottigni-s1 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved.

@marcorottigni-s1 marcorottigni-s1 merged commit cd5b5c3 into Sentinel-One:main Jul 8, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants