
Add SIEM suppression and lookup freshness gates#1222

Open
alejandrorivas-pixel wants to merge 1 commit into UnitOneAI:main from alejandrorivas-pixel:improve/siem-exception-lookup-gates

Conversation

@alejandrorivas-pixel

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: siem-rules
Skill path: skills/secops/siem-rules/

Closes #1221.

What Was Wrong

The skill treated suppression windows, exclusions, watchlists, and lookup tables mostly as tuning conveniences. That left two review problems:

  • Benign, scoped maintenance suppressions could be over-scored as unsafe if the skill did not distinguish owner/ticket/expiry evidence.
  • Broad suppressions and stale lookups could silently hide detections while appearing syntactically valid and operationally healthy.

What This PR Fixes

This PR adds a focused suppression and lookup governance model for SIEM rules:

  • exception evidence requirements for owner, ticket/change reference, bounded scope, created date, expiry/review date, reason, and approval
  • lookup/watchlist freshness requirements for source/feed, last_updated, TTL or expires_at, schema mapping, and refresh job status
  • severity adjustments for broad suppressions and stale/failing lookups
  • output fields for suppression and lookup evidence
  • a new pitfall covering untrusted suppressions/lookups
  • vulnerable and benign fixtures for KQL and SPL examples

Evidence

Before (skill misses this / false positive on this):

let excluded_users = dynamic(["admin", "svc-backup", "testuser"]);
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == 0
| where UserPrincipalName !in (excluded_users)

After (now correctly handled):
The skill now flags unowned, unbounded, no-expiry suppressions as a detection blind spot, while accepting scoped maintenance exceptions with owner, ticket, start/end time, and entity scope.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

New fixtures:

  • skills/secops/siem-rules/tests/vulnerable/global-suppression-no-expiry.kql
  • skills/secops/siem-rules/tests/vulnerable/stale-threat-lookup-no-freshness.spl
  • skills/secops/siem-rules/tests/benign/maintenance-exception-with-expiry.kql
  • skills/secops/siem-rules/tests/benign/governed-lookup-freshness.spl

Validation

  • git diff --check
  • git diff --cached --check
  • Markdown fence balance check for skills/secops/siem-rules/SKILL.md
  • ASCII check for changed SIEM files
  • Content marker checks for suppression/lookup governance sections and fixtures
  • Prompt-injection term scan on new fixtures
  • Reference URL reachability via curl for Microsoft Sentinel watchlists and Splunk lookup docs

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: Payment details can be provided privately after maintainer acceptance.
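An added example, not code from this PR or from the siem-rules skill: a standalone Python scorer for the two gates the description lists. It checks a suppression record for the owner, ticket, bounded scope, created, expiry, reason and approval evidence, checks a lookup for source, last_updated, TTL, schema mapping and refresh-job status, and assigns the severity adjustment the PR proposes (broad or unowned or never-expiring suppressions and stale or failing lookups score high). Field names, the TTL threshold and the sample records are assumptions constructed here.

```python
from datetime import datetime, timedelta, timezone

# Evidence the PR requires before a suppression/exclusion is accepted (assumed field names).
EXCEPTION_FIELDS = ("owner", "ticket", "scope", "created", "expires", "reason", "approval")
# Evidence the PR requires before a lookup/watchlist is trusted by a rule (assumed field names).
LOOKUP_FIELDS = ("source", "last_updated", "ttl_days", "schema_map", "refresh_status")
BROAD_SCOPES = {None, "", "*", "global", "all"}   # scopes that hide detections fleet-wide

def review_suppression(exc: dict, now: datetime) -> tuple[str, list[str]]:
    """Return (severity, findings). 'high' = blind spot (unowned, unbounded or
    never-expiring); 'medium' = bounded but under-documented; 'accepted' = governed."""
    findings = [f"missing {f}" for f in EXCEPTION_FIELDS if not exc.get(f)]
    broad = exc.get("scope") in BROAD_SCOPES
    if broad:
        findings.append("unbounded scope: no entity or time boundary")
    exp = exc.get("expires")
    if exp is not None and exp < now:
        findings.append("expiry has passed but the suppression is still active")
    if not findings:
        return "accepted", findings
    return ("high" if broad or not exc.get("owner") or exp is None else "medium"), findings

def review_lookup(lk: dict, now: datetime) -> tuple[str, list[str]]:
    """Return (severity, findings). A lookup older than its TTL or with a failing
    refresh job is 'high': the rule keeps running but matches against stale data."""
    findings = [f"missing {f}" for f in LOOKUP_FIELDS if lk.get(f) is None]
    lu, ttl, status = lk.get("last_updated"), lk.get("ttl_days"), lk.get("refresh_status")
    stale = lu is not None and ttl is not None and now - lu > timedelta(days=ttl)
    if stale:
        findings.append(f"stale: last_updated is older than the {ttl}-day TTL")
    failing = status not in (None, "ok")
    if failing:
        findings.append(f"refresh job status is {status!r}")
    if not findings:
        return "accepted", findings
    return ("high" if stale or failing or lu is None else "medium"), findings

NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed review time
# Constructed: the 'before' KQL shape, a hardcoded exclusion with no owner, ticket or expiry.
UNOWNED = {"scope": "global", "reason": "noisy accounts"}
# Constructed: a scoped maintenance window with owner, ticket, entity scope and start/end time.
GOVERNED = {"owner": "secops-oncall", "ticket": "CHG-0042", "scope": "host:db-01",
            "created": NOW - timedelta(days=1), "expires": NOW + timedelta(days=1),
            "reason": "patch window", "approval": "soc-lead"}
# Constructed: a threat-intel lookup last refreshed 90 days ago against a 7-day TTL, and a healthy one.
STALE_LOOKUP = {"source": "ti-feed", "last_updated": NOW - timedelta(days=90), "ttl_days": 7,
                "schema_map": {"ioc": "indicator"}, "refresh_status": "failed"}
FRESH_LOOKUP = {"source": "ti-feed", "last_updated": NOW - timedelta(days=1), "ttl_days": 7,
                "schema_map": {"ioc": "indicator"}, "refresh_status": "ok"}
```

Calling `review_suppression(UNOWNED, NOW)` returns `("high", [...])` with the missing-owner and unbounded-scope findings, while `GOVERNED` and `FRESH_LOOKUP` return `("accepted", [])`.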



Development

Successfully merging this pull request may close these issues.

[REVIEW] siem-rules: add exception expiry and lookup freshness gates
