Before building the lab you will want to run a script that downloads Sigma rules and converts them to KQL. Terraform then uses the files generated by this script to create scheduled query alert rules in Sentinel.

Location: terraform/files/sigma

Inside this folder you have the following files:

convert_rules.sh: This script downloads the Sigma repository, finds all the rules whose level is set to "high" or "critical", and converts them to KQL using sigmac. Converted rules are written to a new folder called 'converted', which is then read by Terraform.

ala-new.py & ala-new.yml: These are modified versions of the ones in the sigma repo, and are used by sigmac to create the KQL queries.

failed.csv: This contains a list of rules which either fail to convert properly, or use log sources which are not ingested/parsed. You should manually update this if you get an error for a new rule or just do not want to use the rule.

/override: This folder should contain your own modifications of the Sigma rules. convert_rules.sh checks this folder and, if it finds a rule there, uses it instead of the one in the Sigma repository. You can also use this folder for your own Sigma rules which are not part of the Sigma repository.
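The selection logic the files above describe (level filter, failed.csv skip, override preference, override-only custom rules), as an added example in bash that is not the repository's convert_rules.sh. It assumes rules are YAML with a top-level `level:` key, that failed.csv lists one rule filename per line, and that overrides are matched by filename; the sigmac conversion step itself is left to the real script.

```bash
# Added example, not the repository's convert_rules.sh: the rule-selection
# logic as small shell functions over a constructed sample tree. Assumes a
# top-level "level:" key, one filename per line in failed.csv, override by name.
set -eu
# Severity of a Sigma rule, read from its top-level "level:" key.
rule_level() {
  sed -n 's/^level:[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n1
}
# True when the rule's filename is listed in failed.csv (rule is skipped).
is_failed() {
  [ -f "$2" ] && grep -qxF "$(basename "$1")" "$2"
}
# Path to convert: the override copy when one exists, else the repo rule.
resolve_rule() {
  local override="$2/$(basename "$1")"
  if [ -f "$override" ]; then echo "$override"; else echo "$1"; fi
}
# Print the rule files to hand to sigmac: high/critical repo rules that are
# not in failed.csv (override copy preferred), then override-only custom rules.
select_rules() {
  local repo="$1" failed="$2" override="$3"
  find "$repo" -name '*.yml' | sort | while read -r f; do
    case "$(rule_level "$f")" in
      high|critical)
        is_failed "$f" "$failed" && continue
        resolve_rule "$f" "$override" ;;
    esac
  done
  find "$override" -name '*.yml' 2>/dev/null | sort | while read -r f; do
    find "$repo" -name "$(basename "$f")" | grep -q . || echo "$f"
  done
}
# Constructed sample (not real Sigma content); prints paths relative to the temp dir.
demo() {
  local d; d=$(mktemp -d)
  mkdir -p "$d/repo/windows" "$d/override"
  printf 'title: A\nlevel: critical\n' > "$d/repo/windows/a.yml"
  printf 'title: B\nlevel: low\n'      > "$d/repo/windows/b.yml"
  printf 'title: C\nlevel: high\n'     > "$d/repo/windows/c.yml"
  printf 'title: D\nlevel: high\n'     > "$d/repo/windows/d.yml"
  printf 'title: C2\nlevel: high\n'    > "$d/override/c.yml"
  printf 'title: E\nlevel: high\n'     > "$d/override/e.yml"
  echo 'd.yml' > "$d/failed.csv"
  select_rules "$d/repo" "$d/failed.csv" "$d/override" | sed "s|^$d/||"
  rm -rf "$d"
}
```

Running `demo` selects a.yml from the repo, the override copy of c.yml, and the custom e.yml; b.yml is dropped for its level and d.yml because it is listed in failed.csv.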