Motivation
methodology/UseCases.md lists UC_006 (MDR/log ingestion), UC_007 (detection engineering), and UC_008 (behavioral analytics) as V1.0 use cases, but no schema objects connect a threat scenario to the telemetry, detection logic, and operational status that the SOC actually consumes. R155 also expects post-production monitoring evidence. Without this, RDX cannot drive a detection-engineering pipeline from TARA output.
Proposed change
Add a top-level monitoringAndDetection[]:
{
"id": "DET-001",
"title": "Detect repeated failed remote command authentication",
"relatedThreatScenarioIds": ["TS-REMOTE-COMMAND"],
"relatedAttackPathIds": ["AP-001"],
"requiredTelemetry": ["auth.failure.count", "source.ip", "vehicle.id"],
"detectionLogicRef": "sigma:...",
"detectionLogicFormat": "sigma" | "yara" | "ocsf-query" | "splunk-spl" | "kql" | "custom",
"platforms": ["vehicle-soc", "cloud-soc", "ecu-local"],
"status": "proposed" | "deployed" | "tuning" | "retired",
"lastValidatedAt": "...",
"owner": "..."
}
Add relationship types detects (DET → threatScenario/attackPath) and mitigatedBy for the AFR/risk re-evaluation loop. Update methodology to describe how an MDR consumer ingests RDX → detection ruleset.
References
Acceptance criteria
Surfaced by external AI peer review; see chat transcript for full review text.
Motivation
methodology/UseCases.mdlists UC_006 (MDR/log ingestion), UC_007 (detection engineering), and UC_008 (behavioral analytics) as V1.0 use cases, but no schema objects connect a threat scenario to the telemetry, detection logic, and operational status that the SOC actually consumes. R155 also expects post-production monitoring evidence. Without this, RDX cannot drive a detection-engineering pipeline from TARA output.Proposed change
Add a top-level
monitoringAndDetection[]:Add relationship types
detects(DET → threatScenario/attackPath) andmitigatedByfor the AFR/risk re-evaluation loop. Update methodology to describe how an MDR consumer ingests RDX → detection ruleset.References
methodology/UseCases.mdUC_006/UC_007/UC_008Acceptance criteria
monitoringAndDetection[]added to JSON Schema + XSDexamples/rdx-detection-engineering-example.jsonvalidates and links a Sigma rule to a threat scenariorelationshipsenum extended withdetectsmethodology/UseCases.mdupdated with the ingestion flowSurfaced by external AI peer review; see chat transcript for full review text.