I noticed that the new Rules and Rules Editor interface are now showing up as preview. I see that there are some slight improvements but I’m also concerned that we are going to lose some functionalities with the change.
Rules Editor:
- Current version automatically flags the overall status if the yara-l syntax is correct (✅) or if there is an error (❗)
- Current version allows for custom resizing of the left pane for the rules
- In the new version, this overall status does not change at all, it’s always a ✅ regardless if there is any error. I see that you are now able to hover over the specific section with the error, but I think the overall status flag should still appropriately reflect any syntax error
- The custom resizing is gone with the new version, it’s only either show or hide. I use this functionality a lot either when I want to see more from a rule test result or if I want to read the whole rule name
Rules
- Current version allows for sorting of pretty much any column
- Current version categorizes composite rule into its own rule type “Composite”
- New version does not allow for sorting of “Past 4 Weeks Activity”, “Today”, and “Last Detection”. This has been super useful to quickly sort and see overall alert volume and activity and to see this gone would be frustrating
- New version now categorizes composite rules as “Multi Event” instead of “Composite”
I hope these features can be re-considered prior to phasing out the current version. Is there any other channel or documentation to get more information what exact changes will be removed/added? As mentioned, I see that there is an effort for improvement, but it should not be at the cost of losing some other already useful features.
