From f501bfa2f0d8e92bf582d5c86ce1c3d5c6962564 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Aug 2024 11:38:38 +0200 Subject: [PATCH] Update sigmahq-title-convention.md --- sigmahq/sigmahq-title-convention.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/sigmahq/sigmahq-title-convention.md b/sigmahq/sigmahq-title-convention.md index df8032f..0167791 100644 --- a/sigmahq/sigmahq-title-convention.md +++ b/sigmahq/sigmahq-title-convention.md 
@@ -69,25 +69,33 @@ Example: - "Renamed xxx Execution" - "UAC Bypass Using ..." -Rules of level `informational` or `low` are not intended to be used to create alerts on their own. Their purpose is to conserve events or criteria of relevance, to be used in correlations or for ideas for threat hunting. A rule of those levels will by definition not create false positives as they should not be used for alerting. +#### Informational / Low Level Rules + +Events matching rules of level `informational` or `low` are not intended to be used to create alerts on their own. Their purpose is to conserve events or criteria of relevance, to be used in correlations or for ideas for threat hunting. A rule of those levels will by definition not create false positives as they should not be used for alerting. The title should therefore be general and should not indicate that the rule describes suspicious or malicious behavior. Example : `Net.exe Execution` -`medium` rules can have environment dependent false positives and require a tuning/evaluation phase before deploying to production environments. +#### Medium Level Rules + +Events matching `medium` level rules rules can have environment dependent false positives and require a tuning/evaluation phase before deploying to production environments. Keywords used to indicate this: - "Potential " -`high` rules requires a prompt review. +#### High Level Rules + +Events matching `high` level rules requires a prompt review. Keywords used to indicate this: - "Suspicious " -`critical` rules should be reviewed immediately +#### Critical Level Rules + +Events matching `critical` level rules should be reviewed immediately The title must therefore be precise and indicate the specific threat. Keywords used to indicate this:
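Review bot: the new medium-level sentence has a doubled word and the new high-level sentence a subject-verb mismatch, both introduced by switching the subject from "rules" to "Events matching ... rules" in this rewrite. `+Events matching `medium` level rules rules can have environment dependent false positives ...` should drop the duplicate "rules", and `+Events matching `high` level rules requires a prompt review.` should read "require" to agree with the plural "Events". In the critical section, `+Events matching `critical` level rules should be reviewed immediately` runs straight into the next sentence ("The title must therefore be precise ...") without a period, and the informational/low example line has a stray space before the colon ("Example :" versus the "Example:" used in the surrounding context). Since only the "Example:" context line is visible here, it is also worth confirming that the four added `####` headings match the heading depth used for the neighbouring sections of sigmahq-title-convention.md.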