MVP polish: TLS rule RS-TLS-001, deploy script, status badge (#153)#154

Merged
TFT444 merged 2 commits into dev from feature/mvp-polish, Jun 23, 2026

Conversation

@TFT444 TFT444 commented Jun 22, 2026


Summary

Three focused improvements to bring RetailShield to professional MVP standard.

Change 1 — TLS Downgrade / Weak Cipher KQL rule

File: detection-rules/retail/tls_downgrade_pos.kql

Rule RS-TLS-001 detects POS endpoints negotiating TLS 1.0/1.1 or weak cipher suites (RC4, DES, 3DES, NULL, EXPORT, anon). Directly maps to PCI-DSS v4.0 requirement 4.2.1 — strong cryptography for cardholder data in transit.

  • MITRE ATT&CK: T1557 — Adversary-in-the-Middle
  • Tactic: Credential Access / Collection
  • Severity: High (escalates to Critical if > 20 events from same source)
  • Source table: CommonSecurityLog (firewall/proxy CEF connector)
  • Lookback: 1 hour, runs every 30 minutes
  • Rule count: 23 → 24 (all 24/24 pass validate_kql.py)

Change 2 — One-command deployment script

File: scripts/deploy_all.py

Deploys all RetailShield analytics rules to a target Sentinel workspace via azure-mgmt-securityinsight. Supports --dry-run to preview without deploying.

python scripts/deploy_all.py --workspace <name> --resource-group <rg>
python scripts/deploy_all.py --workspace <name> --resource-group <rg> --dry-run

Change 3 — Status badge

File: README.md

In Development (yellow) → Active MVP (brightgreen)

How to test

# KQL validator — should show 24/24
python scripts/validate_kql.py

# Deploy script syntax check
python -c "import ast; ast.parse(open('scripts/deploy_all.py').read()); print('OK')"

Closes #153


…ge (closes #153)

- detection-rules/retail/tls_downgrade_pos.kql: RS-TLS-001 detects POS
  endpoints negotiating TLS 1.0/1.1 or weak ciphers (RC4, DES, NULL,
  EXPORT) — MITRE T1557, PCI-DSS v4.0 req 4.2.1. Passes validate_kql.py.
  Rule count: 23 → 24 (all 24/24 pass).
- scripts/deploy_all.py: one-command deployment script using Azure SDK
  (azure-mgmt-securityinsight) with --dry-run support.
- README.md: status badge updated from In Development to Active MVP.
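Added example, not the project's RS-TLS-001 rule (which is KQL and is not reproduced on this page): the same detection logic written in Python and run over constructed CEF lines of the kind the CommonSecurityLog connector ingests. It assumes the proxy reports the negotiated protocol version and cipher suite in labelled custom strings (cs1Label=TLSVersion, cs2Label=Cipher), that POS terminals sit in 10.20.0.0/16, and the thresholds stated in the PR (1 hour lookback, High escalating to Critical above 20 events from one source). The vendor name, field mapping, IP ranges and sample events are all constructed for the example.

```python
"""Weak-TLS detection over CEF lines, in the spirit of RS-TLS-001.

Added example, not the project's KQL rule. Field mapping, POS range and
the sample events are constructed assumptions for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass, field

POS_NETWORK = ipaddress.ip_network("10.20.0.0/16")   # assumed POS range
WEAK_VERSIONS = {"TLSv1.0", "TLSv1.1"}
# RC4, DES (which also catches 3DES), NULL, EXPORT and anonymous suites.
WEAK_CIPHER = re.compile(r"RC4|DES|NULL|EXPORT|ANON", re.IGNORECASE)
LOOKBACK_MS = 60 * 60 * 1000   # 1 hour lookback, as in the PR description
CRITICAL_THRESHOLD = 20        # more than this many events per source -> Critical
# key=value pairs; a value runs until the next " key=" or the end of the line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line: str) -> dict:
    """Split a CEF line into header fields plus a flat extension dict.

    csNLabel/csN pairs are folded into a key named by the label, mirroring
    how CommonSecurityLog exposes DeviceCustomStringN beside its label column.
    """
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    event = {"DeviceVendor": parts[1], "DeviceProduct": parts[2],
             "SignatureID": parts[4], "Name": parts[5]}
    raw = dict(_EXT_RE.findall(parts[7]))
    event.update(raw)
    for key, label in raw.items():
        if key.endswith("Label") and key[:-5] in raw:
            event[label] = raw[key[:-5]]
    return event


@dataclass
class Finding:
    source: str
    count: int
    severity: str
    versions: set = field(default_factory=set)
    ciphers: set = field(default_factory=set)


def is_weak(event: dict) -> bool:
    """True if the negotiated version or cipher suite is on the weak list."""
    version = event.get("TLSVersion", "")
    cipher = event.get("Cipher", "")
    return version in WEAK_VERSIONS or WEAK_CIPHER.search(cipher) is not None


def detect(lines, now_ms: int) -> list:
    """Rule body: POS source, weak TLS, inside the lookback, grouped by source."""
    per_source = {}
    for line in lines:
        ev = parse_cef(line)
        if now_ms - int(ev.get("rt", 0)) > LOOKBACK_MS:
            continue                     # outside the 1 h window
        src = ev.get("src", "")
        if not src or ipaddress.ip_address(src) not in POS_NETWORK:
            continue                     # not a POS endpoint
        if not is_weak(ev):
            continue
        f = per_source.setdefault(src, Finding(src, 0, "High"))
        f.count += 1
        f.versions.add(ev.get("TLSVersion", "?"))
        f.ciphers.add(ev.get("Cipher", "?"))
    for f in per_source.values():
        if f.count > CRITICAL_THRESHOLD:
            f.severity = "Critical"      # escalation rule from the PR
    return sorted(per_source.values(), key=lambda f: -f.count)


NOW_MS = 1_782_000_000_000   # arbitrary reference time for the constructed data


def _cef(src, version, cipher, age_s=60):
    return ("CEF:0|ExampleVendor|ExampleProxy|1.0|tls-handshake|TLS negotiated|3|"
            f"rt={NOW_MS - age_s * 1000} src={src} dst=203.0.113.8 dpt=443 "
            f"cs1Label=TLSVersion cs1={version} cs2Label=Cipher cs2={cipher}")


def constructed_events() -> list:
    """Constructed sample lines, not real telemetry."""
    lines = [
        _cef("10.20.1.15", "TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA"),
        _cef("10.20.1.15", "TLSv1.2", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),  # strong version, weak suite
        _cef("10.20.1.16", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),  # clean
        _cef("10.50.0.5", "TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA"),  # weak, but not a POS address
        _cef("10.20.1.15", "TLSv1.1", "TLS_RSA_WITH_AES_128_CBC_SHA", age_s=7200),  # outside lookback
    ]
    # 21 hits from one terminal crosses the > 20 threshold and escalates.
    lines += [_cef("10.20.7.42", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", age_s=i)
              for i in range(21)]
    return lines


if __name__ == "__main__":
    for f in detect(constructed_events(), NOW_MS):
        print(f"{f.severity:8} {f.source:12} {f.count:3} events  "
              f"versions={sorted(f.versions)} ciphers={sorted(f.ciphers)}")
```

The two design points worth carrying back to the KQL: match on both the version and the suite, since a TLS 1.2 session can still negotiate 3DES or RC4 (the second 10.20.1.15 event), and scope the rule to a POS asset list or range before counting, otherwise any legacy client on the network inflates the per-source threshold. The cipher regex is deliberately loose ("DES" covers 3DES); check it against the exact suite names your proxy emits, because OpenSSL-style names (ADH-, aNULL) differ from IANA names (DH_anon).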
vercel Bot commented Jun 22, 2026
The latest updates on your projects. Learn more about Vercel for GitHub.

Project        Deployment   Actions            Updated (UTC)
retail-shield  Ready        Preview, Comment   Jun 23, 2026 5:44pm

F401 — ScheduledAlertRule imported but unused (removed).
F541 — f-string with no placeholders on line 71 (converted to plain string).
@TFT444 TFT444 merged commit a7b0254 into dev Jun 23, 2026
9 checks passed
@TFT444 TFT444 deleted the feature/mvp-polish branch June 23, 2026 18:40