
Add Sentinel field mapping validator and CI job#78

Merged
TFT444 merged 3 commits into
devfrom
feature/field-mapping-validation
Jun 6, 2026

Conversation

@TFT444
Owner

@TFT444 TFT444 commented Jun 4, 2026

Summary

Closes #72

Adds scripts/validate_field_mapping.py — a static validator that checks every ARM analytics rule template in sentinel/analytics-rules/ — and wires it into CI as a new field-mapping-validation job (job 6, included in the ci-success gate).

What the validator checks

  1. Required ARM properties: displayName, severity, query, queryFrequency, queryPeriod, tactics, techniques, entityMappings, customDetails
  2. Severity — must be one of: Informational, Low, Medium, High, Critical
  3. ISO 8601 durations: queryFrequency and queryPeriod must match PT#M/H/D/S
  4. Tactics — non-empty array
  5. MITRE techniques — each entry must match T#### or T####.###
  6. Entity mappings — non-empty array; each entry must have entityType and identifier in fieldMappings
  7. customDetails — must include PlaybookTrigger and RiskScore
  8. Column cross-reference — warns when an entity mapping or customDetails column name is not found in the corresponding KQL rule's output columns (detected via extend/project/summarize analysis)

The validator exits 0 with a message when sentinel/analytics-rules/ doesn't exist yet (so CI passes on branches that predate that directory).

CI change

Added job field-mapping-validation to .github/workflows/ci.yml between the existing job 5 (frontend-build) and the gate. Added to needs list in ci-success.


How to test

  1. Run locally (clean):

    python scripts/validate_field_mapping.py
    # Expected when sentinel/analytics-rules/ present: "All 13 analytics rule templates passed"
    # Expected when directory absent: "No analytics rules directory found — nothing to validate."
  2. Introduce a deliberate error — edit any sentinel/analytics-rules/*.json and remove the "RiskScore" key from customDetails. Re-run the script and confirm it exits 1 with a clear error message.

  3. Invalid technique code — change a "T1566.001" to "1566" in techniques, confirm the validator catches it.

  4. CI — the new field-mapping-validation job should appear in the Actions run for this PR and show green (directory absent → exit 0).
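
The checks listed above, as an added Python illustration written for this page (it is not the PR's scripts/validate_field_mapping.py): it validates one template's properties object and returns the errors found, so the two deliberate-error steps under "How to test" can be reproduced against a constructed sample. The KQL column cross-reference (check 8) is left out; only checks 1 to 7 are implemented.

```python
import re

# Constructed subset of the rules the PR describes (added illustration, not the PR's script).
REQUIRED = ("displayName", "severity", "query", "queryFrequency", "queryPeriod",
            "tactics", "techniques", "entityMappings", "customDetails")
SEVERITIES = {"Informational", "Low", "Medium", "High", "Critical"}
DURATION_RE = re.compile(r"^PT\d+[MHDS]$")        # PT#M / PT#H / PT#D / PT#S, as the PR states
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # T#### or T####.###
REQUIRED_DETAILS = ("PlaybookTrigger", "RiskScore")

def validate_rule(props: dict) -> list:
    """Return error strings for one rule's 'properties' object; an empty list means it passed."""
    errors = []
    missing = [k for k in REQUIRED if k not in props]
    if missing:
        errors.append("missing required properties: " + ", ".join(missing))
    if "severity" in props and props["severity"] not in SEVERITIES:
        errors.append(f"invalid severity {props['severity']!r}")
    for key in ("queryFrequency", "queryPeriod"):
        if key in props and not DURATION_RE.match(str(props[key])):
            errors.append(f"{key} {props[key]!r} is not a PT#M/H/D/S duration")
    if "tactics" in props and not props["tactics"]:
        errors.append("tactics must be a non-empty array")
    for tech in props.get("techniques", []):
        if not TECHNIQUE_RE.match(str(tech)):
            errors.append(f"invalid MITRE technique code {tech!r}")
    mappings = props.get("entityMappings")
    if "entityMappings" in props and not mappings:
        errors.append("entityMappings must be a non-empty array")
    for i, mapping in enumerate(mappings or []):
        if "entityType" not in mapping:
            errors.append(f"entityMappings[{i}] lacks entityType")
        if not any("identifier" in fm for fm in mapping.get("fieldMappings", [])):
            errors.append(f"entityMappings[{i}] has no fieldMappings entry with an identifier")
    details = props.get("customDetails") or {}
    for key in REQUIRED_DETAILS:
        if key not in details:
            errors.append(f"customDetails missing {key}")
    return errors

SAMPLE_RULE = {  # constructed sample 'properties' block, not a rule from the repository
    "displayName": "Suspicious sign-in burst", "severity": "High",
    "query": "SigninLogs | summarize Attempts = count() by UserPrincipalName",
    "queryFrequency": "PT1H", "queryPeriod": "PT1H",
    "tactics": ["InitialAccess"], "techniques": ["T1078", "T1566.001"],
    "entityMappings": [{"entityType": "Account", "fieldMappings": [
        {"identifier": "FullName", "columnName": "UserPrincipalName"}]}],
    "customDetails": {"PlaybookTrigger": "PlaybookTrigger", "RiskScore": "Attempts"},
}
```

Feed it the `properties` object of each template (after `json.load`) and treat a non-empty return as an exit-1 condition, which mirrors how the CI job is meant to fail.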


Generated by Claude Code

scripts/validate_field_mapping.py checks every ARM template in
sentinel/analytics-rules/ for: required properties, valid severity/duration
format, MITRE technique codes, entityMappings structure, required
customDetails fields (PlaybookTrigger, RiskScore), and cross-references
entity mapping column names against KQL output columns.

Adds field-mapping-validation as job 6 in ci.yml and includes it in
the ci-success gate.

Closes #72
@vercel

vercel Bot commented Jun 4, 2026


Project Deployment Actions Updated (UTC)
retail-shield Error Error Jun 6, 2026 2:05pm

Restores proper newlines in test_kql_rules.py (was stored as a single
line with literal \n sequences). Removes unused `import os` from
validate_field_mapping.py (flake8 F401).
@TFT444 TFT444 self-assigned this Jun 6, 2026
@TFT444 TFT444 merged commit 9f537ba into dev Jun 6, 2026
8 of 9 checks passed
