What are you proposing?
We are proposing to improve the description text of the form fields. We are updating some of the form UI components to make it easier for users to define rules.
What problems are you trying to solve?
Creating detection rules requires some knowledge of Sigma rules syntax. Some of the fields and sections might require additional descriptions and context.
What solution would you like?
Add descriptions for the form fields that might require additional context. Engage alternative UX patterns (tooltip for the short fields, external link to the documentation for more detailed explanations).
| Field | UX Pattern recommendation | Description |
|---|---|---|
| Rule name | Description | A short capitalised title, e.g. "Uninstall Antivirus Software" |
| Rule description | Description | A description of what your rule is meant to detect, e.g. "Detects..." |
| Author | Description | One author or a list of authors. |
| Log type | Description | The product or type of data that the rule applies to |
| Rule level (severity) | Description | Severity level for this rule |
| Rule status | Description | Indicating the stage of rule development |
| Map | Description | A dictionary that contains pairs of keys and values |
| Key | OuiIconTip | A field or event name? |
| Modifier | OuiIconTip or external link | Value modifiers transform a value/list or convert them into regular expressions. Learn more. |
| contains | Description | puts `*` wildcards around the values, such that the value is matched anywhere in the field |
| all | Description | link values of a list with a logical AND |
| base64 | Description | match the value encoded with Base64 |
| endswith | Description | the value is expected at the end of the field's content (e.g. `*\cmd.exe`) |
| startswith | Description | the value is expected at the beginning of the field's content (e.g. `adm*`) |
| cidr | Description | the value is a subnet in CIDR notation (e.g. 192.168.1.0/24) the IP address should belong to |
| Value | Description | Specific value of the fields the rule looks for. |
| List | Field description or external link | Multiple string-based search parameters |
| Tags | Description | Serve to categorize the rule by mapping to known cyber attack techniques. |
| References | Description | A list of all references that can help a reader or analyst understand the meaning of a triggered rule |
| False positives | Description | Describe possible false positive conditions to help the analysts in their investigation |
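To make the modifier descriptions in the table concrete, here is a small evaluator for a Sigma detection map, added as an example for this issue (it is not code from the Security Analytics plugin or from any Sigma library). It applies `contains`, `all`, `base64`, `endswith`, `startswith` and `cidr` exactly as the table describes them, against a constructed event; field names and the sample event are assumptions.

```python
import base64
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample event (not from the issue), shaped like a process-creation log.
SAMPLE_EVENT = {
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "cmd.exe /c net user admin /delete",
    "SourceIp": "192.168.1.42",
    "User": "adm_backup",
}


def _match_one(mod, expected, actual):
    """Apply one value modifier from the table above to a single field value."""
    expected, actual = str(expected), str(actual)
    if mod == "contains":                      # *value*: match anywhere in the field
        return expected.lower() in actual.lower()
    if mod == "startswith":                    # value*
        return actual.lower().startswith(expected.lower())
    if mod == "endswith":                      # *value
        return actual.lower().endswith(expected.lower())
    if mod == "base64":                        # field holds the Base64 encoding of the value
        return base64.b64encode(expected.encode()).decode() == actual
    if mod == "cidr":                          # field is an IP address inside the given subnet
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        except ValueError:                     # not an IP address, or not a valid subnet
            return False
    if mod is None:                            # plain value: case-insensitive, * and ? wildcards
        return fnmatchcase(actual.lower(), expected.lower())
    raise ValueError(f"unsupported modifier: {mod}")


def match_map(detection_map, event):
    """Evaluate one Sigma map (a dictionary of field: value pairs, ANDed together) against an event."""
    for key, expected in detection_map.items():
        field, *mods = key.split("|")          # e.g. "CommandLine|contains|all"
        if field not in event:
            return False
        require_all = "all" in mods            # 'all': every listed value must match, not just one
        mods = [m for m in mods if m != "all"]
        mod = mods[0] if mods else None
        values = expected if isinstance(expected, list) else [expected]
        results = [_match_one(mod, v, event[field]) for v in values]
        if not (all(results) if require_all else any(results)):
            return False
    return True
```

Real Sigma engines also support further modifiers and regular expressions; this covers only the ones listed in the table.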
Notes:
- The "Authors" field should use the OUI combo box with custom input and delimiter option.
- We need to define the link to documentation for the "Modifier" field.

UX pattern examples:
- Built-in description for the form field/accordion can be used for adding the context and the expectations for the input.
- OuiIconTip. This would work well for short input fields.
- Providing an external link. This is useful for longer pieces of content. No need to maintain the content in the product.