opensearch-project / security-analytics-dashboards-plugin

Front end (UI) plugin to support security-analytics
Apache License 2.0

Enhance "Create detection rule" with field descriptions #721

Open xeniatup opened 11 months ago

xeniatup commented 11 months ago

What are you proposing? We are proposing to improve the description text of the form fields. We are updating some of the form UI components to make it easier for users to define rules.

What problems are you trying to solve? Creating detection rules requires some knowledge of Sigma rules syntax. Some of the fields and sections might require additional descriptions and context.

What solution would you like? Add descriptions for the form fields that might require additional context. Engage alternative UX patterns (tooltip for the short fields, external link to the documentation for more detailed explanations).

| Field | UX pattern recommendation | Description |
|---|---|---|
| Rule name | Description | A short capitalised title, e.g. "Uninstall Antivirus Software" |
| Rule description | Description | A description of what your rule is meant to detect, e.g. "Detects..." |
| Author | Description | One author or a list of authors. |
| Log type | Description | The product or type of data that the rule applies to |
| Rule level (severity) | Description | Severity level for this rule |
| Rule status | Description | Indicating the stage of rule development |
| Map | Description | A directory that contains pairs of keys and values |
| Key | OuiIconTip | A field or event name? |
| Modifier | OuiIconTip or external link | A value modifier transforms a value/list or converts it into regular expressions. Learn more. |
| contains | Description | puts `*` wildcards around the values, such that the value is matched anywhere in the field |
| all | Description | links values of a list with a logical AND |
| base64 | Description | matches the value encoded with Base64 |
| endswith | Description | the value is expected at the end of the field's content (e.g. `*\cmd.exe`) |
| startswith | Description | the value is expected at the beginning of the field's content (e.g. `adm*`) |
| cidr | Description | the value is a subnet in CIDR notation (e.g. `192.168.1.0/24`) the IP address should belong to |
| Value | Description | Specific value of the fields the rule looks for. |
| List | Field description or external link | Multiple string-based search parameters |
| Tags | Description | Serve to categorize the rule by mapping to known cyber attack techniques. |
| References | Description | A list of all references that can help a reader or analyst understand the meaning of a triggered rule |
| False positives | Description | Describe possible false positive conditions to help the analysts in their investigation |

Notes:

UX Patterns examples

  1. Built-in description for the form field/accordion can be used for adding the context and the expectations for the input.
     (Screenshots: 2023-09-16 10:38:46 AM, 2023-09-17 11:01:10 PM)
  2. OuiIconTip. This would work well for short input fields.
     (Screenshot: 2023-09-17 10:57:19 PM)
  3. Providing external link. This is useful for longer pieces of content. No need to maintain the content in the product.
     (Screenshot: 2023-09-16 10:55:05 AM)
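The Sigma value modifiers the field table describes (contains, all, base64, startswith, endswith, cidr), shown as a small added matcher so the description text can be checked against concrete behaviour. This is an illustration written for this page, not the plugin's code or pySigma; the `match_value`/`matches`/`selection_matches` names and the sample selection and event are constructed for the example.

```python
import base64
import fnmatch
import ipaddress

def _pattern(value: str, mode: str) -> str:
    # contains puts * wildcards around the value; startswith/endswith add one side
    return {"contains": f"*{value}*", "startswith": f"{value}*",
            "endswith": f"*{value}"}.get(mode, value)

def match_value(field_value: str, value: str, modifiers) -> bool:
    """Match one field value against one rule value under a chain of modifiers."""
    mode = "equals"
    for m in modifiers:
        if m == "base64":  # match the value as it appears when Base64-encoded
            value = base64.b64encode(value.encode()).decode()
        elif m in ("contains", "startswith", "endswith"):
            mode = m
        elif m == "cidr":  # value is a subnet the field's IP address must belong to
            try:
                return ipaddress.ip_address(field_value) in ipaddress.ip_network(value, strict=False)
            except ValueError:  # field is not an IP address, or value is not a subnet
                return False
        elif m != "all":  # "all" is handled in matches(); anything else is unknown
            raise ValueError(f"unsupported modifier: {m}")
    # Sigma string matching is case-insensitive; * and ? act as wildcards
    return fnmatch.fnmatchcase(field_value.lower(), _pattern(value, mode).lower())

def matches(field_value: str, values, modifiers=()) -> bool:
    """A list of values is OR-ed, unless the 'all' modifier links them with AND."""
    combine = all if "all" in modifiers else any
    return combine(match_value(field_value, v, modifiers) for v in values)

def selection_matches(event: dict, selection: dict) -> bool:
    """Every 'field|modifier|...' key of a selection must hold (implicit AND)."""
    for key, values in selection.items():
        field, *mods = key.split("|")
        values = values if isinstance(values, list) else [values]
        if not matches(str(event.get(field, "")), [str(v) for v in values], mods):
            return False
    return True

# Constructed sample selection and event for the demo (not from a real rule or log)
SAMPLE_SELECTION = {"Image|endswith": r"\cmd.exe", "CommandLine|contains|all": ["/c", "whoami"],
                    "SourceIp|cidr": "192.168.1.0/24"}
SAMPLE_EVENT = {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
                "SourceIp": "192.168.1.77"}
```

`selection_matches(SAMPLE_EVENT, SAMPLE_SELECTION)` returns True; changing `SourceIp` to an address outside the subnet, or dropping `whoami` from the command line, makes it False.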
praveensameneni commented 4 months ago

Added to backlog