intelmq-manager user-experience wish list

[aaronkaplan]

Based on feedback from demoing intelmq-manager to people, I got a good feeling of the user-experience which folks expect:

• it is non-intuitive that you have to press "Save" in the Configuration tab. When you switch tabs (away from Configuration to for example Management tab) it is not clear that all the changes in the Configuration tab will be lost! It is important to show a warning box here.
• Drag & Droping of lines between bots is not intuitive.
• The process "Edit" -> "Add node" -> Click on empty part of the screen -> Click on the Category -> Click on the bot you want to have - is not intuitive. You need to know that process otherwise it's not clear.
  Let's have an easier way to do it. For example drag & drop from the menu of bots?
• People seem to expect that if they once laid out a botnet graph the way they want it to be seen, then when they switch tabs and come back, that it looks the same again (or when they save and close the page and come back later again). However, the layout changes always. This is confusing because people then have to search where each bot is.

[MAHDTech]

I agree with those points, and I also have a few additional points from a first time experience using IntelMQ-Manager.

• The order of the "Collector, Expert, Output, Parser" is alphabetical. Would it not be more intuitive to be in the order of operation, perhaps:

1. Collector
2. Parser
3. Expert
4. Output

This makes the building of a botnet follows a logical flow

• As mentioned, the current web interface error messages are not intuitive and I currently find myself constantly tailing apache logs for further info.
• When I first used the interface it drove me mad trying to get the icons represented in a way I was happy with and locked into place, an option to disable the automatic adjustment would be great
• What about multiple tabs for bot configuration? In my small usecase example I have two independant bot configurations, what about the ability to add multiple tabs within configuration, perhaps just above the "Edit" button. Rather than needing to zoom out making the names unreadable.
• Dashboarding (Realtime updates/counters) -> longer term I would love to be able to display IntelMQ as a SOC dashboard, it would be cool to see updates of when a bot is processing, such as a colour change of the link line to "red" and a small queue counter represented next to the bot in question indicating stats like "error count" "queue count" and so forth. Not a high priority, but would be pretty sexy :)

Thoughts?

[sebix]

The order of the "Collector, Expert, Output, Parser" is alphabetical. Would it not be more intuitive to be in the order of operation, perhaps:

Currently, the manager does not care about order, it just takes the BOTS-file directly.

I'm sure I understand what you mean with the tabs.

For the counters, we had this idea too, not sure where the issue is...

[MAHDTech]

Do you mean your not sure what you mean with the tabs?

To elaborate, let's say I wanted to create two independent botnets

1. Botnet A - Downloads from a few sources, enriches and outputs to a DB for consumption by a SIEM
2. Botnet B - Downloads from completely different sources, ones which you don't want to combine, for example a MISP instance, then it outputs to something else.

These are meant to be unrelated, and therefore the configuration would look better if it was visualized on separate tabs, rather than having to zoom out and be unable to view the configuration names on screen.

Although the concept of multiple botnets wouldn't presently be possible if you can only run one of each bot at a time, so it's a moot point.

[swilde]

To illustrate the fundamental problems with the current graph display of the configuration I'm attaching a screen shot from an actual production setup, which is considered the first, limited and fairly simple setup:

As you can see the configuration already looks confusing, and it is almost impossible to arrange the bots in a meaningful way (which wouldn't help anyway as the arrangement can not be saved).

I'd which for an way to disable the automatic graph rearranging, manually arrange the bots, maybe assisted by a "magnetic" grid, and then save the result.

[swilde]

A more advance feature I would like to see would be the possibility to group bots, and have an overview mode in which these groups are combined to an (nameable) "meta bot".

Having saveable, parametrized bot-groups which can then be reused as building-blocks would be even more great...

[ghost]

@aaronkaplan

it is non-intuitive that you have to press "Save" in the Configuration tab. When you switch tabs (away from Configuration to for example Management tab) it is not clear that all the changes in the Configuration tab will be lost! It is important to show a warning box here.

done

Drag & Droping of lines between bots is not intuitive.

how would it be intuitive?

The process "Edit" -> "Add node" -> Click on empty part of the screen -> Click on the Category -> Click on the bot you want to have - is not intuitive. You need to know that process otherwise it's not clear.

for drag and drop: #105

People seem to expect that if they once laid out a botnet graph the way they want it to be seen, then when they switch tabs and come back, that it looks the same again (or when they save and close the page and come back later again). However, the layout changes always. This is confusing because people then have to search where each bot is.

#117

[ghost]

@MAHDTech

The order of the "Collector, Expert, Output, Parser" is alphabetical. Would it not be more intuitive to be in the order of operation, perhaps:

has been fixed in intelmq

As mentioned, the current web interface error messages are not intuitive and I currently find myself constantly tailing apache logs for further info.

see #69

What about multiple tabs for bot configuration? In my small usecase example I have two independant bot configurations, what about the ability to add multiple tabs within configuration, perhaps just above the "Edit" button. Rather than needing to zoom out making the names unreadable.

Puh, not sure if someone actually has time to implement this.

Dashboarding (Realtime updates/counters) -> longer term I would love to be able to display IntelMQ as a SOC dashboard, it would be cool to see updates of when a bot is processing, such as a colour change of the link line to "red" and a small queue counter represented next to the bot in question indicating stats like "error count" "queue count" and so forth. Not a high priority, but would be pretty sexy :)

see certtools/intelmq#361

@swilde

As you can see the configuration already looks confusing, and it is almost impossible to arrange the bots in a meaningful way (which wouldn't help anyway as the arrangement can not be saved).
I'd which for an way to disable the automatic graph rearranging, manually arrange the bots, maybe assisted by a "magnetic" grid, and then save the result.

current master can save the positions. The automatic rearrangement is now less aggressive.

I will split all the remaining wishes into single issues so we can close this meta-issue.

[ghost]

created #141 for the grouping feature.

closing this as everything else is done.