Add rule catalog documentation

[stacknil]

Summary

• add docs/rule-catalog.md with fixed per-rule templates
• document rule name, input event types, grouping key, window, threshold, output subject, false-positive boundary, and why unsupported evidence is not counted
• clarify that the catalog is Sigma-informed but not a Sigma-compatible export format

Validation

• verified each rule includes the fixed template labels
• verified Sigma-informed disclaimer wording
• ran whitespace check on the new document
• ran privacy/sensitive-string scan on the new document
• confirmed PR diff only adds docs/rule-catalog.md

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9c11b88d53

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove unsupported claim that reports preserve sudo commands

For sudo-burst findings, the report artifacts only render the count/window/summary and do not include the raw Event::message or sudo COMMAND= value in Markdown, JSON, or CSV. In contexts where reviewers follow this catalog and expect the command text to be available in the report, this will misdirect triage unless they return to the original log, so the documentation should not claim that the command text is preserved there.

Useful? React with 👍 / 👎.