Issue
When developing an RTA, it is often easiest to start with an RTA for a rule with a similar sequence of events and use that RTA as a template to write a new RTA for a new rule. With a growing set of RTAs, it becomes more and more of a pain to find the RTA that fits the new rule.
Feature Request
I would like to request two features that would help mitigate this pain:
1. Implement a directory structure by OS similar to endpoint rules and detection rules
Similar to detection-rules and endpoint-rules, it would be great to have the RTAs organized in four categories:
- windows
- macos
- linux
- cross-platform
This would make searching to find the correct RTA easier.
2. Implement a naming convention that is checked through unit tests to ensure RTA naming consistency.
It would be nice to make sure that all RTAs have a consistent naming scheme. I don't mind much what the scheme would look like. For consistency, I would propose having the RTA named the same as the endpoint or detection rule.
This would be a structure of [mitre_tactic]_[rule_name].py
This also makes it simple to find the rule that the RTA is written for.
Additional benefit of this change
With this unit-test check in place, the RTA metadata name can also be decoupled from the rule it connects to, and the link can be made purely on RTA filename and uuid.
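As an added illustration of both requests (the per-OS directory layout and a unit-test-enforced `[mitre_tactic]_[rule_name].py` naming scheme), here is a small checker that walks an RTA tree and reports every file that breaks the convention. This is example code written for this issue, not the project's own test suite: the root directory name, the set of tactic prefixes, the `RTA_UUID = "..."` metadata line it looks for, and the sample files it builds in a temporary directory are all assumptions made for the demonstration.

```python
"""Added example: a unit-test style checker for the RTA layout and naming
convention proposed in this issue.  The tactic prefixes, the RTA_UUID
metadata line and the sample tree are assumptions for illustration only."""
import re
import tempfile
from pathlib import Path

# The four platform directories proposed in the issue.
PLATFORM_DIRS = {"windows", "macos", "linux", "cross-platform"}

# Assumed snake_case short forms of MITRE ATT&CK tactic names used as filename prefixes.
TACTIC_PREFIXES = (
    "initial_access", "execution", "persistence", "privilege_escalation",
    "defense_evasion", "credential_access", "discovery", "lateral_movement",
    "collection", "command_and_control", "exfiltration", "impact",
)

# Rule name part: lowercase words separated by single underscores.
RULE_NAME_RE = re.compile(r"^[a-z0-9]+(?:_[a-z0-9]+)*$")

# Assumed metadata line inside each RTA, e.g.  RTA_UUID = "a1b2c3d4-...".
UUID_LINE_RE = re.compile(
    r'^RTA_UUID\s*=\s*"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"\s*$',
    re.MULTILINE,
)


def split_rta_name(filename: str):
    """Return (tactic, rule_name) if filename is [mitre_tactic]_[rule_name].py, else None."""
    if not filename.endswith(".py"):
        return None
    stem = filename[:-3]
    # Try the longest prefixes first so "privilege_escalation_x" is not read as
    # tactic "privilege" with rule "escalation_x".
    for tactic in sorted(TACTIC_PREFIXES, key=len, reverse=True):
        if stem.startswith(tactic + "_"):
            rule = stem[len(tactic) + 1:]
            return (tactic, rule) if RULE_NAME_RE.match(rule) else None
    return None


def check_rta_tree(root: Path) -> list[str]:
    """Walk root/<platform>/*.py and return a list of violations (empty means all good)."""
    problems = []
    for path in sorted(root.rglob("*.py")):
        rel = path.relative_to(root)
        if path.name.startswith("__"):
            continue  # __init__.py and friends are not RTAs
        if len(rel.parts) != 2 or rel.parts[0] not in PLATFORM_DIRS:
            problems.append(f"{rel.as_posix()}: must live directly under one of {sorted(PLATFORM_DIRS)}")
        if split_rta_name(path.name) is None:
            problems.append(f"{rel.as_posix()}: filename is not [mitre_tactic]_[rule_name].py")
        if not UUID_LINE_RE.search(path.read_text()):
            problems.append(f"{rel.as_posix()}: missing RTA_UUID metadata line")
    return problems


def build_sample_tree(root: Path) -> None:
    """Constructed sample RTAs: two conforming files and three deliberate violations."""
    good = 'RTA_UUID = "11111111-2222-3333-4444-555555555555"\n'
    files = {
        "windows/execution_powershell_encoded_command.py": good,
        "cross-platform/discovery_whoami_enumeration.py": good,
        "windows/PowershellEncoded.py": good,             # wrong naming scheme
        "linux/persistence_cron_job.py": "# no uuid\n",   # missing metadata line
        "misc/execution_something.py": good,              # not a platform directory
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def run_demo() -> list[str]:
    """Build the constructed tree in a temp dir and return the violations found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return check_rta_tree(root)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Dropped into a test file, `check_rta_tree(Path("rta"))` returning an empty list is the assertion; the three violations the constructed tree produces (a CamelCase filename, a missing uuid line, a file outside the four platform directories) are exactly the cases the unit test is meant to catch.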