WRG-11

wrg-sigma-rules

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": false}
prompts | {"listChanged": false}
resources | {"subscribe": false, "listChanged": false}
experimental | {}

Tools

Functions exposed to the LLM to take actions

Name | Description

draft_rule

Draft a sigma detection YAML rule from a natural-language threat description.

Use when the caller needs a starting-point sigma rule and only has a plain-English threat summary plus optional MITRE TTP hints. Returns a structured envelope with the YAML body, a pySigma round-trip validation result, the inferred MITRE technique IDs, and draft notes covering redactions + open issues. Tool is deterministic and local -- no network, no LLM call.

validate_rule

Validate a sigma YAML rule for schema correctness, pySigma compatibility, and best-practices linting.

Use when the caller has a sigma rule (drafted, pasted, or read from disk) and needs to know whether it is parseable, spec compliant, and free of common quality smells (empty references, missing falsepositives, missing MITRE tag, vague condition). ``target_backend`` is informational at this layer; the linter is backend-agnostic. ``strict=True`` promotes warnings into the error list.

convert_rule

Convert a sigma YAML rule into a SIEM-native query string.

Use when the caller has a validated sigma rule and needs the equivalent query for Splunk SPL, Elasticsearch / Kibana Lucene, or Wazuh. Returns the primary converted query plus conversion lossiness warnings (e.g. unsupported modifiers). Missing pySigma or missing backend packages return actionable error envelopes with the exact pip install command.

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/WRG-11/wrg-sigma-rules'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.