Bounty type

Skill Improvement ($50-150 potential bounty)

Requested bounty tier: Moderate ($100)

Related review issue: #2077

Summary

This improves detection-engineering by adding telemetry health and Sigma-to-SIEM field mapping evidence gates before coverage can be marked Tested, Operational, or Robust.

A detection can be syntactically valid and deployed while still being blind because required telemetry is stale, delayed, dropped, parsed into different fields, or lost during backend conversion.

Changes

• Bump detection-engineering skill version to 1.0.1.
• Add telemetry health evidence to context collection.
• Add Step 7 for telemetry health and field mapping evidence.
• Require event source population, event volume, last-seen time, latency percentiles, dropped/throttled counts, parser/schema status, field completeness, Sigma-to-SIEM field mapping, and normalized TP/TN samples.
• Add field mapping review guidance for backend conversion correctness.
• Add coverage-level guardrails so unverified telemetry keeps coverage at Theoretical/Tested instead of Operational.
• Extend findings classification and output with telemetry health and field mapping rows.
• Add vulnerable and benign fixtures for missing telemetry vs. verified operational coverage.

Tests

Added scenario fixtures:

• tests/vulnerable/detection-engineering-operational-rule-missing-telemetry.yaml
• tests/benign/detection-engineering-telemetry-health-verified.yaml

Local validation performed:

• git diff --check
• verified required YAML keys in both new fixtures
• marker checks for telemetry health, field mapping, coverage guardrails, output table, pitfall, and changelog

Payment preference

GitHub Sponsors, if accepted.