
Improve SIEM rule deployment evidence#1556

Open
wowsofine wants to merge 1 commit into UnitOneAI:main from wowsofine:improve/siem-rule-deployment-validation
Open

Improve SIEM rule deployment evidence#1556
wowsofine wants to merge 1 commit into
UnitOneAI:mainfrom
wowsofine:improve/siem-rule-deployment-validation

Conversation

@wowsofine

Pull Request Checklist

Please confirm the following before submitting:

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with at least one AI coding agent (which one: ___)
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry (if adding a skill)

What This PR Does

[Brief description of the skill or change]

Framework References

[List the specific frameworks and control IDs cited in this skill]

Testing

[How was this skill tested? Which agent was used? What was the target?]

@wowsofine
Author

Bounty claim details

This PR updates skills/secops/siem-rules/SKILL.md and requests moderate improver bounty consideration ($100).

What changed

  • Added SIEM-DEPLOY-01 through SIEM-DEPLOY-08 deployment evidence gates.
  • Requires stable rule identity, owner, source-control reference, query hash/checksum, exported rule metadata, true-positive validation, false-positive review, alert delivery evidence, rollback readiness, and post-deployment monitoring.
  • Added Microsoft Sentinel and Splunk Enterprise Security metadata checks.
  • Expanded the output template with deployment target, owner, source control, and validation evidence rows.
  • Added a pitfall for treating ad hoc search success as deployed-alert evidence.

Validation

  • git diff --check
  • frontmatter required-field check
  • Markdown fence balance check
  • prompt-injection pattern scan
  • content marker check for SIEM-DEPLOY-01 through SIEM-DEPLOY-08

Bounty info

I have read and agree to the CONTRIBUTING.md bounty terms.
Preferred payment method: GitHub Sponsors / PayPal
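An added example, not code from this PR or from the UnitOneAI skill, of what an automated check over the deployment evidence listed above could look like: it verifies that each required evidence item is present, that the recorded query checksum matches the deployed query text, and that alert delivery evidence references an alert the scheduled rule raised rather than an ad hoc search result. The field names, the mapping to the requirements, and the sample record are assumptions constructed for this example.

```python
import hashlib

# Assumed evidence field names for each requirement listed in the PR; the
# mapping to SIEM-DEPLOY-01..08 is constructed for this example.
REQUIRED_FIELDS = {
    "rule_id": "stable rule identity", "owner": "owner",
    "source_ref": "source-control reference", "query": "deployed query text",
    "query_sha256": "query hash/checksum", "exported_metadata": "exported rule metadata",
    "true_positive_test": "true-positive validation",
    "false_positive_review": "false-positive review",
    "alert_delivery": "alert delivery evidence", "rollback_plan": "rollback readiness",
    "post_deploy_monitoring": "post-deployment monitoring",
}


def query_checksum(query: str) -> str:
    """SHA-256 of the query text exactly as exported from the SIEM."""
    return hashlib.sha256(query.encode("utf-8")).hexdigest()


def check_evidence(record: dict) -> list:
    """Return findings for an evidence record; an empty list means all gates pass."""
    findings = []
    for field, desc in REQUIRED_FIELDS.items():
        if not record.get(field):
            findings.append(f"missing {desc} ({field})")
    if record.get("query") and record.get("query_sha256"):
        if query_checksum(record["query"]) != record["query_sha256"]:
            findings.append("query_sha256 does not match the deployed query text")
    # A successful ad hoc search is not deployed-alert evidence: the delivery
    # record must point at an alert the scheduled rule actually raised.
    delivery = record.get("alert_delivery") or {}
    if delivery and not delivery.get("alert_id"):
        findings.append("alert_delivery has no alert_id from a scheduled run")
    return findings


# Constructed sample record (Sentinel-style analytics rule; all values made up).
QUERY = "SecurityEvent | where EventID == 4625 | summarize count() by Account"
GOOD_RECORD = {
    "rule_id": "EXAMPLE-RULE-0001", "owner": "detection-eng@example.invalid",
    "source_ref": "git:rules/brute-force.yaml@abc123", "query": QUERY,
    "query_sha256": query_checksum(QUERY),
    "exported_metadata": {"platform": "Microsoft Sentinel", "enabled": True},
    "true_positive_test": "replayed 4625 burst, alert fired",
    "false_positive_review": "7-day review, 2 accounts tuned",
    "alert_delivery": {"alert_id": "alert-9f2c", "channel": "SOC queue"},
    "rollback_plan": "disable rule; restore previous version from source_ref",
    "post_deploy_monitoring": "alert volume watched for 14 days",
}
# Same record after the query was edited in the console without re-exporting.
DRIFTED_RECORD = dict(GOOD_RECORD, query=QUERY + " | where count_ > 50")
```

Running `check_evidence(GOOD_RECORD)` yields no findings, while `DRIFTED_RECORD` is flagged because the stored checksum no longer matches the query actually deployed.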
