diff --git a/README.md b/README.md
index 82f2ea4e9..816f9d41b 100644
--- a/README.md
+++ b/README.md
@@ -12,8 +12,10 @@ This repository was first announced on Elastic's blog post, [Elastic Security op
 ## Table of Contents
 
 - [Overview of this repository](#overview-of-this-repository)
 - [Getting started](#getting-started)
+- [Red Team Automation](rta)
 - [How to contribute](#how-to-contribute)
 - [Licensing](#licensing)
+- [Questions? Problems? Suggestions?](#questions-problems-suggestions)
 
 ## Overview of this repository
diff --git a/rta/README.md b/rta/README.md
new file mode 100644
index 000000000..f6608570f
--- /dev/null
+++ b/rta/README.md
@@ -0,0 +1,25 @@
+## Red Team Automation
+
+[![Supported Python versions](https://img.shields.io/badge/python-3.7+-yellow.svg)](https://www.python.org/downloads/)
+[![Chat](https://img.shields.io/badge/chat-%23security--detection--rules-blueviolet)](https://ela.st/slack)
+
+The repo comes with some red team automation ([RTA](./)) python scripts that run on Windows, Mac OS, and \*nix.
+RTA scripts emulate known attacker behaviors and are an easy way too verify that your rules are active and working as expected.
+
+```console
+$ python -m rta -h
+usage: rta [-h] ttp_name
+
+positional arguments:
+ ttp_name
+
+optional arguments:
+ -h, --help show this help message and exit
+```
+`ttp_name` can be found in the [rta](.) directory. For example to execute `./rta/wevtutil_log_clear.py` script, run command:
+
+```console
+$ python -m rta wevtutil_log_clear
+```
+
+Most of the RTA scripts contain a comment with the rule name, in `signal.rule.name`, that maps to the Kibana Detection Signals.
diff --git a/rta/certutil_file_obfuscation.py b/rta/certutil_file_obfuscation.py
index a0b16b249..84e7ccfd9 100644
--- a/rta/certutil_file_obfuscation.py
+++ b/rta/certutil_file_obfuscation.py
@@ -5,6 +5,7 @@
 # Name: Certutil Encode / Decode
 # RTA: certutil_file_obfuscation.py
 # ATT&CK: T1140
+# signal.rule.name: Encoding or Decoding Files via CertUtil
 # Description: Uses certutil to create an encoded copy of cmd.exe. Then uses certutil to decode that copy.
 
 import os
diff --git a/rta/delete_bootconf.py b/rta/delete_bootconf.py
index 77686d899..c68505027 100644
--- a/rta/delete_bootconf.py
+++ b/rta/delete_bootconf.py
@@ -5,6 +5,7 @@
 # Name: Boot Config Deletion With bcdedit
 # RTA: delete_bootconf.py
 # ATT&CK: T1107
+# signal.rule.name: Modification of Boot Configuration
 # Description: Uses bcdedit.exe to backup the current boot configuration, and then to delete the current boot
 # configuration, finally restoring the original.
 
diff --git a/rta/delete_usnjrnl.py b/rta/delete_usnjrnl.py
index ab45b7f45..6b401ffb5 100644
--- a/rta/delete_usnjrnl.py
+++ b/rta/delete_usnjrnl.py
@@ -5,6 +5,7 @@
 # Name: USN Journal Deletion with fsutil.exe
 # RTA: delete_usnjrnl.py
 # ATT&CK: T1107
+# signal.rule.name: Delete Volume USN Journal with Fsutil
 # Description: Uses fsutil to delete the USN journal.
 
 import time
diff --git a/rta/delete_volume_shadows.py b/rta/delete_volume_shadows.py
index 8d39b65d5..85e27b825 100644
--- a/rta/delete_volume_shadows.py
+++ b/rta/delete_volume_shadows.py
@@ -4,6 +4,8 @@
 
 # Name: Volume Shadow Copy Deletion with vssadmin and wmic
 # RTA: delete_volume_shadow.py
+# signal.rule.name: Volume Shadow Copy Deletion via VssAdmin
+# ELastic Detection: Volume Shadow Copy Deletion via WMIC
 # ATT&CK: T1107
 # Description: Uses both vssadmin.exe and wmic.exe to delete volumne shadow copies.
 
diff --git a/rta/disable_windows_fw.py b/rta/disable_windows_fw.py
index 162d6214b..69765df82 100644
--- a/rta/disable_windows_fw.py
+++ b/rta/disable_windows_fw.py
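Review bot: The delete_volume_shadows.py hunk labels its second rule with the key `ELastic Detection:` while every other header in this commit, and the new rta/README.md, use `signal.rule.name:`; the same drift appears in installutil_network.py (`Elastic detection:`, twice) and lateral_commands.py (`Elatic Detection:`, also misspelled). Anyone pairing an RTA script with the rule it is meant to trigger by searching the headers for `signal.rule.name` would miss these entries, which defeats the purpose the README gives for the comment. Use one key throughout, e.g. `# signal.rule.name: Volume Shadow Copy Deletion via WMIC`, `# signal.rule.name: InstallUtil Process Making Network Connections` and `# signal.rule.name: Local Service Commands`. These hunks touch only the header comments; the module bodies lie outside them.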
@@ -5,6 +5,7 @@
 # Name: Disable Windows Firewall
 # RTA: disable_windows_fw.py
 # ATT&CK: T1089
+# signal.rule.name: Disable Windows Firewall Rules via Netsh
 # Description: Uses netsh.exe to backup, disable and restore firewall rules.
 
 import os
diff --git a/rta/installutil_network.py b/rta/installutil_network.py
index daf7c1751..36426b057 100644
--- a/rta/installutil_network.py
+++ b/rta/installutil_network.py
@@ -5,6 +5,8 @@
 # Name: Network Traffic from InstallUtil
 # RTA: installutil_network.py
 # ATT&CK: T1118
+# Elastic detection: InstallUtil Process Making Network Connections
+# Elastic detection: Unusual Network Activity from a Windows System Binary
 # Description: Uses mock .NET malware and InstallUtil to create network activity from InstallUtil.
 
 import os
diff --git a/rta/lateral_commands.py b/rta/lateral_commands.py
index fbbf201f7..6148bb356 100644
--- a/rta/lateral_commands.py
+++ b/rta/lateral_commands.py
@@ -4,6 +4,9 @@
 
 # Name: Lateral Movement Commands
 # RTA: lateral_commands.py
+# Elatic Detection: Local Service Commands
+# signal.rule.name: Local Scheduled Task Commands
+# signal.rule.name: Whoami Process Activity
 # ATT&CK: T1021, T1047, T1077, T1124, T1126
 # Description: Runs various Windows commands typically used by attackers to move laterally from the local machine.
 
diff --git a/rta/msbuild_network.py b/rta/msbuild_network.py
index fa97a885f..ff80e00b4 100644
--- a/rta/msbuild_network.py
+++ b/rta/msbuild_network.py
@@ -5,6 +5,8 @@
 # Name: MsBuild with Network Activity
 # RTA: msbuild_network.py
 # ATT&CK: T1127
+# signal.rule.name: Microsoft Build Engine Started an Unusual Process
+# signal.rule.name: Trusted Developer Application Usage
 # Description: Generates network traffic from msbuild.exe
 
 from . import common
diff --git a/rta/net_user_add.py b/rta/net_user_add.py
index a9d4124f3..12f57eede 100644
--- a/rta/net_user_add.py
+++ b/rta/net_user_add.py
@@ -5,6 +5,7 @@
 # Name: Create User with net.exe
 # RTA: net_user_add.py
 # ATT&CK: T1136
+# signal.rule.name: User Account Creation
 # Description: Adds an account to the local host using the net.exe command
 
 from . import common
diff --git a/rta/powershell_from_script.py b/rta/powershell_from_script.py
index 04a4ddfae..bfa4ac620 100644
--- a/rta/powershell_from_script.py
+++ b/rta/powershell_from_script.py
@@ -4,6 +4,7 @@
 
 # Name: PowerShell Launched from Script
 # RTA: powershell_from_script.py
+# signal.rule.name: Windows Script Executing PowerShell
 # ATT&CK: T1064, T1192, T1193
 # Description: Creates a javascript file that will launch powershell.
 
diff --git a/rta/process_name_masquerade.py b/rta/process_name_masquerade.py
index 6e6069852..4549bd981 100644
--- a/rta/process_name_masquerade.py
+++ b/rta/process_name_masquerade.py
@@ -4,6 +4,7 @@
 
 # Name: Windows Core Process Masquerade
 # RTA: process_name_masquerade.py
+# signal.rule.name: Unusual Parent-Child Relationship
 # ATT&CK: T1036
 # Description: Creates several processes which mimic core Windows process names but that are not those executables.
 
diff --git a/rta/registry_persistence_create.py b/rta/registry_persistence_create.py
index afca975a6..db9ea3bad 100644
--- a/rta/registry_persistence_create.py
+++ b/rta/registry_persistence_create.py
@@ -4,6 +4,8 @@
 
 # Name: Registry persistence creation
 # RTA: registry_persistence_create.py
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1015, T1103
 # Description: Creates registry persistence for mock malware in Run and RunOnce keys, Services, NetSH and debuggers.
 
diff --git a/rta/registry_rdp_enable.py b/rta/registry_rdp_enable.py
index a7410205c..34f14447f 100644
--- a/rta/registry_rdp_enable.py
+++ b/rta/registry_rdp_enable.py
@@ -4,6 +4,7 @@
 
 # Name: Enable RDP Through Registry
 # RTA: registry_rdp_enable.py
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1076
 # Description: Identifies registry write modification to enable RDP access.
 
diff --git a/rta/rundll32_inf_callback.py b/rta/rundll32_inf_callback.py
index 03ee8929d..6a0a28bdf 100644
--- a/rta/rundll32_inf_callback.py
+++ b/rta/rundll32_inf_callback.py
@@ -4,6 +4,8 @@
 
 # Name: RunDll32 with .inf Callback
 # RTA: rundll32_inf_callback.py
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1105
 # Description: Loads RunDll32 with a suspicious .inf file that makes a local http GET
 
diff --git a/rta/rundll32_javascript_callback.py b/rta/rundll32_javascript_callback.py
index e30ff85e9..1b03be4ee 100644
--- a/rta/rundll32_javascript_callback.py
+++ b/rta/rundll32_javascript_callback.py
@@ -4,6 +4,8 @@
 
 # Name: RunDLL32 Javascript Callback
 # RTA: rundll32_javascript_callback.py
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Potential Modification of Accessibility Binaries
 # ATT&CK: T1085
 # Description: Executes javascript code with an AJAX call via RunDll32.exe
 
diff --git a/rta/schtask_escalation.py b/rta/schtask_escalation.py
index e999da911..0d7fb3e24 100644
--- a/rta/schtask_escalation.py
+++ b/rta/schtask_escalation.py
@@ -4,6 +4,10 @@
 
 # Name: Scheduled Task Privilege Escalation
 # RTA: schtask_escalation.py
+# signal.rule.name: Local Scheduled Task Commands
+# signal.rule.name: Whoami Process Activity
+# signal.rule.name: Svchost spawning Cmd
+# signal.rule.name: Net command via SYSTEM account
 # ATT&CK: T1053
 
 import os
diff --git a/rta/settingcontentms_files.py b/rta/settingcontentms_files.py
index 77a6dcf91..e037aa8b6 100644
--- a/rta/settingcontentms_files.py
+++ b/rta/settingcontentms_files.py
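Review bot: In registry_rdp_enable.py the added `signal.rule.name: Potential Modification of Accessibility Binaries` does not match the script's own description (enabling RDP through a registry write) and reads like a carry-over from the rundll32 hunks in this same commit rather than the rule this script is meant to exercise; the suspicious_powershell_download.py hunk (`Suspicious MS Office Child Process`) has the same look. A header that names the wrong rule is worse than none, because a tester who sees that rule fire will conclude the RDP coverage works when it was never checked. If the mapping is deliberate — for instance because a shared helper trips that rule as a side effect — say so on the line, e.g. `# signal.rule.name: Potential Modification of Accessibility Binaries  (side effect of the shared setup, not the RDP change)`; otherwise replace it with the rule that actually covers the behaviour the script emulates. The hunks only touch header comments; the script bodies are outside them.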
@@ -4,6 +4,8 @@
 
 # Name: Abusing SettingContent-ms Files
 # RTA: settingcontentms_files.py
+# signal.rule.name: Potential Modification of Accessibility Binaries
+# signal.rule.name: Local Service Commands
 # ATT&CK: T1193, T1204, T1064
 # Description: SettingContent-ms file written to specific path or by risky process
 
diff --git a/rta/sticky_keys_write_execute.py b/rta/sticky_keys_write_execute.py
index 3ebb008e7..847928cb6 100644
--- a/rta/sticky_keys_write_execute.py
+++ b/rta/sticky_keys_write_execute.py
@@ -4,6 +4,9 @@
 
 # Name: Overwrite Accessibiity Binaries
 # RTA: sticky_keys_write_execute.py
+# signal.rule.name: Potential Modification of Accessibility Binaries
+# signal.rule.name: Local Service Commands
+# signal.rule.name: Persistence via TelemetryController Scheduled Task Hijack
 # ATT&CK: T1015
 # Description: Writes different binaries into various accessibility locations.
 
diff --git a/rta/suspicious_office_children.py b/rta/suspicious_office_children.py
index e2ff140fa..0aedecbe6 100644
--- a/rta/suspicious_office_children.py
+++ b/rta/suspicious_office_children.py
@@ -4,6 +4,7 @@
 
 # Name: Emulate Suspect MS Office Child Processes
 # RTA: suspect_office_children.py
+# signal.rule.name: Suspicious MS Office Child Process
 # ATT&CK: T1064
 # Description: Generates network traffic various children processes from emulated Office processes.
 
diff --git a/rta/suspicious_powershell_download.py b/rta/suspicious_powershell_download.py
index 54b9603f1..b5aae55f0 100644
--- a/rta/suspicious_powershell_download.py
+++ b/rta/suspicious_powershell_download.py
@@ -4,6 +4,7 @@
 
 # Name: Suspicious PowerShell Download
 # RTA: suspicious_powershell_download.py
+# signal.rule.name: Suspicious MS Office Child Process
 # ATT&CK: T1086
 # Description: PowerShell using DownloadString or DownloadFile in suspicious context
 
diff --git a/rta/suspicious_wscript_parent.py b/rta/suspicious_wscript_parent.py
index e1759ca8f..29684421d 100644
--- a/rta/suspicious_wscript_parent.py
+++ b/rta/suspicious_wscript_parent.py
@@ -4,6 +4,7 @@
 
 # Name: Suspicious WScript parent
 # RTA: suspicious_wscript_parent.py
+# signal.rule.name: Suspicious MS Outlook Child Process
 # ATT&CK: T1064, T1192, T1193
 # Description: WScript run with suspicious parent processes
 
diff --git a/rta/unusual_parent_child.py b/rta/unusual_parent_child.py
index 0b7f09d4f..e1a5fe6d1 100644
--- a/rta/unusual_parent_child.py
+++ b/rta/unusual_parent_child.py
@@ -4,6 +4,7 @@
 
 # Name: Invalid Process Trees in Windows
 # RTA: unusual_parent_child.py
+# signal.rule.name: Unusual Parent-Child Relationship
 # ATT&CK: T1093
 # Description: Runs several Windows core processes directly, instead of from the proper parent in Windows.
 
diff --git a/rta/werfault_persistence.py b/rta/werfault_persistence.py
index 51205d5a2..563a9934b 100644
--- a/rta/werfault_persistence.py
+++ b/rta/werfault_persistence.py
@@ -4,6 +4,7 @@
 
 # Name: WerFault.exe Persistence
 # RTA: werfault_persistence.py
+# signal.rule.name: Process Potentially Masquerading as WerFault
 # ATT&CK: T1112
 # Description: Sets an executable to run when WerFault is run with -rp flags and runs it
 
diff --git a/rta/wevtutil_log_clear.py b/rta/wevtutil_log_clear.py
index 1cbb04ad1..d1fbdf337 100644
--- a/rta/wevtutil_log_clear.py
+++ b/rta/wevtutil_log_clear.py
@@ -4,6 +4,7 @@
 
 # Name: Clearing Windows Event Logs
 # RTA: wevutil_log_clear.py
+# signal.rule.name: Clearing Windows Event Logs
 # ATT&CK: T1070
 # Description: Uses the native Windows Event utility to clear the Security, Application and System event logs.