
[UX] Log type categories #736

Closed
xeniatup opened this issue Oct 3, 2023 · 0 comments
Labels
enhancement New feature or request


xeniatup commented Oct 3, 2023

The Security Analytics plugin comes with a flat list of “Standard” log types that includes about a dozen items. Starting from the 2.10 release, users can add Custom log types with unique names to the same list so that they can configure custom detection rules. Out-of-the-box dashboards and detection rules are available for Standard (pre-packaged) log types.


Problem:

  • With the introduction of new Standard log types (WAF, Crowdstrike) and any number of Custom log types users can define, we’re facing a problem of potentially large numbers of log types.
  • Users might not know what to search for in the flat, unstructured list. There is no grouping of log types.
  • The names of Custom (user-defined) log types might not be informative. There is a high chance of almost identical names.
  • [Create detector page] It is hard to figure out at a glance what types of application logs are supported.

Proposed solution: Built-in categories for log types

We propose to introduce categorization by grouping log types into logical buckets based on the type of service or application that produced the log.
This should help with finding specific log types faster and more confidently in experiences like “Create detector”. Selecting multiple log types of a similar origin will be simplified, as they will be grouped together.
The categories will help to handle a potential increase in the number of log types. Custom (user-defined) log types can be added to any of the categories.

The proposed category structure is described in this issue.

User Experience

Detectors pages

Detectors list page:

  • The Log type column on the “Detectors” list page is updated with a combined log type including its respective category: [Category: Log type]
  • The log type filter is updated to allow for searching and selecting both log types and categories. See more below in “Correlations”.

Create detector page:

  • The log type single select field shows log types grouped into categories.
  • User can search for a log type.
  • The category headers are searchable to help navigate the list (requires customization).
    OUI: Single selection combo box with groups

Log types pages

Log types list:

  • A new column for “Category” is added to the log types list view.
  • A new filter for Category is added to the table. By default all categories are selected.

Create log type:

  • A new select field is added to the “Create log type” page to help identify the right category for a new custom log type. Each category is accompanied by a description.

OUI: Select field with super select dropdown.


Detection rules pages

Detection rules list:

  • The Log type column in the “Detection rules” list view is updated with a combined log type including its respective category: [Category: Log type]
  • The log type filter is updated to allow for searching and selecting log types and categories. See more below in “Correlations”.

Create detection rule:

  • Similarly to the “Create detector” page, on the “Create detection rule” page the “Log type” select field is updated to allow a single selection of a log type, with the options grouped into categories within the dropdown menu.
  • Users can search for a log type.
  • The category headers are searchable to help navigate the list (requires customization).

OUI: Single selection combo box with groups

Correlations pages

Correlations (graph):
On the Correlations (graph) page the “Log type” search bar filter is updated as follows:

  • Add a "clearable" or "dismissible" prop that injects an (x) clear icon to clear out the filters.
  • The drop-down menu supports grouped log types.
  • Introduce an option to allow the group label to select/unselect all children in a group.
  • Add Select all/Deselect all CTAs in the popover footer.

OUI: Selectable searchable + option.isGroupLabel is true, button group (for select/deselect all).

Note: the same filtering experience is added to the search bar on the “Correlation rules” list page, the “Findings” list page, and the “Detection rules” list page.
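The grouped picker behaviour described for “Create detector” (searchable category headers) and for the Correlations filter (group label selects/unselects all children) as an added example; this is illustrative code, not code from the Security Analytics plugin, and the option shape and the category names in the sample data are assumptions.

```typescript
// Added example, not from the plugin: a small model for a category-grouped log
// type picker. It shows (1) an OUI-style grouped option list, (2) search that
// matches category headers as well as log type names, and (3) a group label
// that selects or deselects all of its children.

export interface LogType { name: string; category: string; }

// Option shape loosely modelled on OUI selectable options (assumed, not verified).
export interface PickerOption { label: string; isGroupLabel?: boolean; key?: string; }

// Constructed sample data; category names are illustrative, not the plugin's list.
export const SAMPLE_LOG_TYPES: LogType[] = [
  { name: "windows", category: "Operating System" },
  { name: "linux", category: "Operating System" },
  { name: "waf", category: "Network" },
  { name: "dns", category: "Network" },
  { name: "crowdstrike", category: "Security" },
  { name: "my_custom_app", category: "Application" }, // custom log type in a category
];

// Plain-text form used in table cells: [Category: Log type].
export function formatLogType(t: LogType): string {
  return `${t.category}: ${t.name}`;
}

// Build a flat option list: a header for each category (first-seen order)
// followed by that category's log types.
export function toGroupedOptions(types: LogType[]): PickerOption[] {
  const byCategory = new Map<string, LogType[]>();
  types.forEach(t => byCategory.set(t.category, (byCategory.get(t.category) || []).concat(t)));
  const options: PickerOption[] = [];
  byCategory.forEach((members, category) => {
    options.push({ label: category, isGroupLabel: true });
    members.forEach(m => options.push({ label: m.name, key: formatLogType(m) }));
  });
  return options;
}

// Search by log type name or by category header (case-insensitive substring),
// so typing a category name lists every log type in that category.
export function searchLogTypes(types: LogType[], query: string): string[] {
  const q = query.trim().toLowerCase();
  return types
    .filter(t => t.name.toLowerCase().includes(q) || t.category.toLowerCase().includes(q))
    .map(t => t.name);
}

// Clicking a group label selects all children unless all are already selected,
// in which case it deselects them. Returns a new selection set.
export function toggleGroup(selected: Set<string>, types: LogType[], category: string): Set<string> {
  const children = types.filter(t => t.category === category).map(t => t.name);
  const next = new Set<string>(Array.from(selected));
  const allSelected = children.every(c => next.has(c));
  children.forEach(c => { if (allSelected) next.delete(c); else next.add(c); });
  return next;
}
```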


Correlation rules:

  • On the “Correlation rules” list page the “Log types” column is updated to show each log type with its respective category: [Category: Log type]
  • The search bar filter for “Log type” is updated similarly to the “Correlations” [graph] filter experience (see above) to allow selecting log types and log categories.

Create correlation rule:

  • Similarly to the “Create detector” and “Create detection rule” pages, the “Log type” select field is updated for each of the queries on the “Create correlation rule” page.
  • Users can search for a log type.
  • The category headers are searchable to help navigate the list (requires customization).

OUI: Single selection combo box with groups

Other pages

For other existing or potential views displaying a log type in a table cell (like the Overview page, Finding page, and Finding details side panel), use the plain text [Category: Log type].
