Add new Rules documentation that covers YAML Editor view (#2407)
* fix#2400-yaml-editor-rules Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-yaml-editor-rules Signed-off-by: cwillum <cwmmoore@amazon.com>
* fix#2400-yaml-editor-rules Signed-off-by: cwillum <cwmmoore@amazon.com>
Signed-off-by: cwillum <cwmmoore@amazon.com>
This commit is contained in:
parent
22bac5fd45
commit
e641a3bb0c
@ -14,10 +14,30 @@ The Rules window lists all security rules and provides options for filtering the
When you open the Rules page, all rules are listed in the table. Use the search bar to search for specific rules by entering a full or partial name and pressing **Return/Enter** on your keyboard. The list is filtered and displays matching results.
When you open the Rules page, all rules are listed in the table. Use the search bar to search for specific rules by entering a full or partial name and pressing **Return/Enter** on your keyboard. The list is filtered and displays matching results.
Alternatively, you can use the **Rule type**, **Rule severity**, and **Source** dropdown menus to drill down in the list of alerts and filter for preferred results. You can use all three menus in combination to narrow results. Select only one option per menu.
Alternatively, you can use the **Rule type**, **Rule severity**, and **Source** dropdown menus to drill down in the list of alerts and filter for preferred results. You can select multiple options from each menu and use all three menus in combination to narrow results.
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-menu.png" alt="Rule menus for filtering results">
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-menu.png" alt="Rule menus for filtering results">
### Rule details
To see rule details, select the rule in the Rule name column of the list. The rule details pane opens.
To see rule details, select the rule in the Rule name column of the list. The rule details pane opens.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/Rule_details.png" alt="The rule details pane" width="500">
In Visual view, rule details are arranged in fields, and the links are active. Select **YAML** to display the rule in YAML file format.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule_detail_yaml.png" alt="The rule details pane in YAML file view" width="500">
* Rule details are formatted as a YAML file according to the Sigma rule specification.
* To copy the rule, select the copy icon in the top right corner of the rule. To quickly create a new and customized rule, you can paste the rule into the YAML editor and make any modifications before saving it. See [Customizing rules](#customizing-rules) for details.
## Creating rules
There are several ways to create rules on the Rules page. The first is to manually fill in the necessary fields that complete the rule, using either the Visual Editor or YAML Editor. To do this, select the **Create new rule** button in the uppper-right corner of the Rules window. The Create a rule window opens.
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/create-a-rule.png" alt="The Create a rule window, which includes the Visual Editor and YAML editor." width="500">
If you choose to create the rule manually, you can refer to Sigma's [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide) to help understand details for each field.
* By default, the Visual Editor is displayed. Enter the appropriate content in each field and select **Create** in the lower-right corner of the window to save the rule.
* The Create a rule window also provides the YAML Editor so that you can create the rule directly in a YAML file format. Select **YAML Editor** and then enter information for the pre-populated field types.
The alternatives to manually creating a rule, however, simplify and speed up the process. They involve either importing a rule in a YAML file or duplicating an existing rule and customizing it. See the next two sections for detailed steps.
## Importing rules
## Importing rules
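Review bot: Typo in the new "Creating rules" paragraph: "uppper-right corner" should be "upper-right corner". In the same hunk, the filter paragraph on the Rules page still says the dropdown menus "drill down in the list of alerts"; these menus filter rules, so "list of rules" is the accurate wording, and because the rewritten sentence "You can select multiple options from each menu" reverses the previous "Select only one option per menu", please confirm the UI really allows multi-select before merging. The two views are also named inconsistently ("Visual view" and "YAML" in the rule details section, "Visual Editor" and "YAML Editor" in the create section, lowercase "YAML editor" in the create-a-rule alt text); pick one form, for example "Visual Editor" and "YAML Editor", and use it throughout. Finally, the link `[Customizing rules](#customizing-rules)` points at a heading that is not visible in this diff; make sure the duplicate-and-modify section is actually titled "Customizing rules" so the anchor resolves.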
@ -57,7 +77,7 @@ status: experimental
```
```
1. To begin, select the **Import rule** button in the upper-right corner of the page. The Import rule page opens.
1. To begin, select the **Import rule** button in the upper-right corner of the page. The Import rule page opens.
1. Either drag a YAML-formatted Sigma rule into the window or browse for the file by selecting the link and opening it. The Import a rule window opens and the rule definition fields are automatically populated.
1. Either drag a YAML-formatted Sigma rule into the window or browse for the file by selecting the link and opening it. The Import a rule window opens and the rule definition fields are automatically populated in both the Visual Editor and YAML Editor.
1. Verify or modify the information in the fields.
1. Verify or modify the information in the fields.
1. After you confirm the information for the rule is accurate, select the **Create** button in the lower-right corner of the window. A new rule is created, and it appears in the list of rules on the main page of the Rules window.
1. After you confirm the information for the rule is accurate, select the **Create** button in the lower-right corner of the window. A new rule is created, and it appears in the list of rules on the main page of the Rules window.
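Review bot: Step 1 and step 2 name the same screen differently ("The Import rule page opens" versus "The Import a rule window opens"); align both with the button label, for example "The Import rule window opens." The expanded step 2 also reads more cleanly as two sentences: "The Import rule window opens. The rule definition fields are automatically populated in both the Visual Editor and the YAML Editor."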
@ -67,10 +87,10 @@ An alternative to importing a rule is duplicating a Sigma rule and then modifyin
<img src="{{site.url}}{{site.baseurl}}/images/Security/rules-dup1.png" alt="Selecting a rule in the Rules name list">
<img src="{{site.url}}{{site.baseurl}}/images/Security/rules-dup1.png" alt="Selecting a rule in the Rules name list">
1. To begin, select the rule in the Rule name column. The rule details pane opens.
1. To begin, select the rule in the Rule name column. The rule details pane opens.
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup2.png" alt="Opening the rule details pane" width="400">
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup2.png" alt="Opening the rule details pane" width="500">
1. Select the **Duplicate** button in the upper-right corner of the pane. The Duplicate rule window opens and all of the fields are automatically populated with the rule's details.
1. Select the **Duplicate** button in the upper-right corner of the pane. The Duplicate rule window opens in Visual Editor view and all of the fields are automatically populated with the rule's details. Details are also populated in YAML Editor view.
<img src="{{site.url}}{{site.baseurl}}/images/Security/rule-dup3.png" alt="Selecting the duplicate button" width="400">
<br><img src="{{site.url}}{{site.baseurl}}/images/Security/dupe-rule.png" alt="Selecting the duplicate button opens the Duplicate rule window" width="500">
1. Modify any of the fields to customize the rule.
1. In either Visual Editor view or YAML Editor view, modify any of the fields to customize the rule.
1. After performing any modifications to the rule, select the **Create** button in the lower-right corner of the window. A new and customized rule is created, and it appears in the list of rules on the main page of the Rules window.
1. After performing any modifications to the rule, select the **Create** button in the lower-right corner of the window. A new and customized rule is created, and it appears in the list of rules on the main page of the Rules window.
<img src="{{site.url}}{{site.baseurl}}/images/Security/custom-rule.png" alt="The custom rule now appears in the list of rules.">
<img src="{{site.url}}{{site.baseurl}}/images/Security/custom-rule.png" alt="The custom rule now appears in the list of rules.">
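Review bot: The new screenshot `dupe-rule.png` replaces `rule-dup3.png` but breaks the existing `rules-dup1.png` / `rule-dup2.png` naming series; consider keeping the `rule-dup3.png` name (or renaming the series consistently), and if `rule-dup3.png` is no longer referenced anywhere, delete it in this change, since only image additions appear in the commit. In step 2, the trailing sentence "Details are also populated in YAML Editor view." reads as an afterthought; fold it into the preceding sentence: "The Duplicate rule window opens in Visual Editor view, with all of the fields automatically populated with the rule's details in both the Visual Editor and YAML Editor views." The first screenshot in this section (`rules-dup1.png`) is also the only one without the `<br>` and `width="500"` attributes the other two now carry; add them for consistent layout.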
Binary file not shown. After: 92 KiB
Binary file not shown. After: 30 KiB
Binary file not shown. After: 117 KiB
Binary file not shown. After: 29 KiB