Skip to content

chore: Fix RTA rule metadata#28

Merged
Mikaayenson merged 1 commit intomainfrom
fix-rta-rule-metadata
Jan 28, 2026
Merged

chore: Fix RTA rule metadata#28
Mikaayenson merged 1 commit intomainfrom
fix-rta-rule-metadata

Conversation

@Mikaayenson
Copy link
Contributor

@Mikaayenson Mikaayenson commented Jan 28, 2026
edited
Loading

Summary

Removes placeholder/fake rule IDs from newly created RTAs and replaces them with real rule IDs where coverage exists.

Changes

RTAs - Rule Mapping Updates

RTA Real Rule ID Rule Name
account_discovery_domain 871ea072-1b71-4def-b016-6278b505138d Enumeration of Administrator Accounts
ssh_authorized_keys_modification 2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f SSH Authorized Keys File Activity
clear_linux_system_logs 7bcbb3ac-e533-41ad-a612-d6c3bf666aba Tampering of Shell Command-Line History

RTAs with No Detection Rule Coverage

These RTAs simulate MITRE techniques without 1:1 mitre mapping in our rules:

RTA Technique
defacement_internal T1491.001
user_execution_malicious_file T1204.002
user_execution_malicious_link T1204.001
exfil_to_cloud_storage T1567.002
valid_accounts_domain T1078.002

@Mikaayenson
Fix RTA rule metadata - remove fake rule IDs, add real ones
dfed96c 
Remove placeholder rule IDs that don't correspond to real detection rules.
Add real rule IDs where coverage exists:

- account_discovery_domain: Added real SIEM rule 871ea072 (Enumeration of Administrator Accounts)
- ssh_authorized_keys_modification: Added real SIEM rule 2215b8bd (SSH Authorized Keys File Activity)
- clear_linux_system_logs: Added real SIEM rule 7bcbb3ac (Tampering of Shell Command-Line History)

RTAs with no current detection rule coverage (empty rule lists):
- defacement_internal (T1491.001)
- user_execution_malicious_file (T1204.002)
- user_execution_malicious_link (T1204.001)
- exfil_to_cloud_storage (T1567.002)
- valid_accounts_domain (T1078.002)
@Mikaayenson Mikaayenson requested a review from a team as a code owner January 28, 2026 22:01
@Mikaayenson Mikaayenson changed the title Fix RTA rule metadata - remove fake rule IDs, add real ones chore: Fix RTA rule metadata Jan 28, 2026
@Mikaayenson Mikaayenson self-assigned this Jan 28, 2026
@Mikaayenson Mikaayenson added the bug Something isn't working label Jan 28, 2026
@Mikaayenson Mikaayenson merged commit ecd0095 into main Jan 28, 2026
6 checks passed
@Mikaayenson Mikaayenson deleted the fix-rta-rule-metadata branch January 28, 2026 22:30
@Mikaayenson Mikaayenson mentioned this pull request Jan 28, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Mikaayenson Mikaayenson

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Mikaayenson