[Security Solution][Discuss] Categorization & Description of Detection Rules #77250

Closed
rylnd opened this issue Sep 10, 2020 · 2 comments
Labels: discuss, Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:SIEM

Comments

rylnd commented Sep 10, 2020

In adding the new EQL Rule type, there was discussion about the distinctions between the Query type and the EQL type, and how we clarify those to the user. The goal of this issue is to clarify the behavior/use case of each rule type that we present to the user.

To quote from the aforementioned discussion:

I now interpret [the Query Rule Type] as "find the documents that match this boolean condition"

"Use KQL or Lucene to detect issues across indices." makes me think about cluster health ... [m]aybe "Use KQL or Lucene to alert when documents match a condition"

As a more direct prompt, I would say there are two questions being asked here:

  1. Is each rule type distinct enough in behavior/use case to be presented as a separate Rule Type?
  2. How do we best describe/document each rule type so as to minimize overlap and user confusion?
@elasticmachine commented
Pinging @elastic/siem (Team:SIEM)

dontcallmesherryli commented Sep 10, 2020

Yes, we should separate out the rule types to help guide users to use the right rule type for their unique use cases. EQL is our solution to correlation detection, something that Splunk is great at and where we have a gap, competition-wise.

In the "create new rule" page, it makes sense to single out Event Correlation Rule, as Marra's mocks reflect:
[image]

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020