[REVIEW] detection-engineering: add telemetry readiness and rule-health evidence gates #1417

@MAUROCERON

Description

Review gap

detection-engineering maps Sigma rules to ATT&CK techniques and asks for validation, but it does not require evidence that the underlying telemetry and deployed rule are still healthy at assessment time.

This can overstate coverage when a rule exists but:

  • the required ATT&CK data component is no longer ingested;
  • the collector or connector has stale last_seen data;
  • parser/field normalization changed after Sigma conversion;
  • the SIEM rule is disabled, in test-only mode, or failing scheduled runs;
  • suppressions/exceptions hide all matching events;
  • retention is shorter than the detection or investigation window.

Expected improvement

Add a telemetry readiness and rule-health evidence gate requiring reviewers to document:

  • ATT&CK data component and Sigma logsource mapping;
  • collector/connector health and most recent event timestamp;
  • parser/field mapping for fields used by the rule;
  • deployed SIEM rule ID/status/version and run health;
  • suppression/exception owner, expiry, and effect;
  • positive/negative sample evidence and retention window;
  • a Not Evaluable outcome when coverage is only theoretical.

Suggested validation fixtures

Add edge cases for stale log sources, parser drift, disabled analytics rules, overbroad suppressions, insufficient retention, and a complete healthy telemetry path.

References checked

Payment details can be provided privately after maintainer acceptance.
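As an added example, not part of the issue above or of the detection-engineering project, here is a small evidence-gate check that turns the seven documentation items from "Expected improvement" into an Evaluable / Not Evaluable outcome, exercised on a complete healthy telemetry path and on the stale-source and parser-drift edge cases. The evidence record shape, field names and the 24-hour staleness threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed thresholds and record shape (not the project's schema): one dict per
# Sigma rule, filled in by the reviewer at assessment time.
MAX_SOURCE_AGE = timedelta(hours=24)

def assess_rule_health(ev: dict, now: datetime) -> tuple[str, list[str]]:
    """Return ('Evaluable', []) or ('Not Evaluable', [reasons]) for one rule."""
    reasons = []
    if not ev.get("data_component") or not ev.get("logsource"):
        reasons.append("no ATT&CK data component / Sigma logsource mapping")
    last_seen = ev.get("collector_last_seen")  # most recent event timestamp
    if last_seen is None or now - last_seen > MAX_SOURCE_AGE:
        reasons.append("collector/connector stale or never seen")
    # parser drift: every field the rule selects on must survive normalization
    missing = set(ev.get("rule_fields", [])) - set(ev.get("parsed_fields", []))
    if missing:
        reasons.append(f"fields not present after parsing: {sorted(missing)}")
    if ev.get("rule_status") != "enabled" or ev.get("failed_runs", 0) > 0:
        reasons.append("rule disabled, test-only, or failing scheduled runs")
    for s in ev.get("suppressions", []):
        overbroad = s.get("matched_fraction", 0.0) >= 1.0  # hides every match
        if not s.get("owner") or not s.get("expiry") or s["expiry"] < now or overbroad:
            reasons.append(f"suppression {s.get('id')} unowned, expired, or overbroad")
    window = max(ev.get("detection_window_days", 0), ev.get("investigation_window_days", 0))
    if ev.get("retention_days", 0) < window:
        reasons.append("retention shorter than detection/investigation window")
    if not (ev.get("positive_sample") and ev.get("negative_sample")):
        reasons.append("missing positive/negative sample evidence")
    return ("Not Evaluable", reasons) if reasons else ("Evaluable", [])

# Constructed fixtures: a complete healthy telemetry path, then two edge cases.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
HEALTHY = {
    "data_component": "Process Creation",
    "logsource": {"category": "process_creation", "product": "windows"},
    "collector_last_seen": NOW - timedelta(minutes=5),
    "rule_fields": ["CommandLine", "Image"],
    "parsed_fields": ["CommandLine", "Image", "User"],
    "rule_status": "enabled", "failed_runs": 0,
    "suppressions": [{"id": "SUP-1", "owner": "soc", "expiry": NOW + timedelta(days=30),
                      "matched_fraction": 0.2}],
    "retention_days": 90, "detection_window_days": 1, "investigation_window_days": 30,
    "positive_sample": True, "negative_sample": True,
}
STALE_SOURCE = {**HEALTHY, "collector_last_seen": NOW - timedelta(days=3)}
PARSER_DRIFT = {**HEALTHY, "parsed_fields": ["Image"]}  # CommandLine lost
```

Each reason string is one missing piece of evidence, so a reviewer can paste the list straight into the assessment as the justification for a Not Evaluable outcome.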
