[SIEM] Detection Engine Create Rule Updates #53782

@MichaelMarcialis

Description

Summary

During our discussions on how to handle users taking a signal into the timeline, a few changes to the existing create rule process were brought up. These changes will be documented here, as well as some additional items that caught my eye. I'm also including a quick mockup of these changes to function as a visual guide.

Design

Figma mockup

Action Items

  • Remove the accordion arrows that appear before each step number.
  • Don’t allow the user to collapse currently open step panels, unless they continue to next step or edit a previous step.
  • Don’t allow more than one step panel to be open at a time.
  • Circular step numbers/checks in each step panel should be colored blue when active or completed.
  • It looks like we're currently using compressed EUI form fields. I'd prefer if we switch to the standard sized EUI form fields in this scenario.
  • As the selection to use the SIEM advanced settings index pattern defaults isn't a permanent connection, the previously suggested use of a radio button to choose between default or custom makes less sense. Let's simplify it to use a restore defaults button/link, when it is detected that the user has altered the index patterns away from what is currently in SIEM advanced settings.
  • Add option to import the query from a saved timeline.
  • Add a color/health indicator to severity selector.
  • Add ticks/stops to risk score slider.
  • Add timeline template selector, which will allow the user to select an existing timeline to use as a template when opening a signal from this rule.
  • Reorganize MITRE ATT&CK threat form layout so that it plays nicer when the technique fields grow taller than one line.
  • Move and reword tags placeholder to bottom helper text.
