[Enhancement] `event.dataset` required for Auditd Manager integration rules
terrancedejesus opened this issue
Overview
We need to evaluate `definitions.NON_DATASET_PACKAGES` and determine if it is plausible to add `auditd_manager` to this. This would allow the `related_integrations` field to populate while removing the need for `event.dataset` in the query. We have done this before for other packages like `network_traffic` and `endpoint` (Elastic Defend).
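To make the mechanism concrete, here is an added, self-contained sketch of how `related_integrations` can be derived either from an `event.dataset` clause in the query or, for packages listed in a `NON_DATASET_PACKAGES` set, from the rule's index patterns alone. This is illustrative code written for this issue, not the detection-rules repository's own implementation; the `INDEX_PATTERN_PACKAGES` mapping, the regex, the function names and the sample rule are all constructed assumptions.

```python
"""Illustrative derivation of related_integrations (hypothetical, not project code)."""
from __future__ import annotations

import re
from typing import Iterable

# Hypothetical stand-in for definitions.NON_DATASET_PACKAGES as the issue
# proposes it: packages whose integration is implied by the index pattern,
# so the query does not need an event.dataset clause.
NON_DATASET_PACKAGES: frozenset[str] = frozenset({"endpoint", "network_traffic", "auditd_manager"})

# Constructed mapping from index pattern to integration package.
INDEX_PATTERN_PACKAGES: dict[str, str] = {
    "logs-endpoint.events.*": "endpoint",
    "logs-network_traffic.*": "network_traffic",
    "logs-auditd_manager.auditd-*": "auditd_manager",
}

# Matches event.dataset:"<package>.<dataset>" (quoted or bare) in a KQL/EQL query.
DATASET_RE = re.compile(r'event\.dataset\s*:\s*"?([a-z0-9_]+)\.[a-z0-9_]+"?')


def packages_from_query(query: str) -> set[str]:
    """Packages named explicitly through event.dataset in the query."""
    return {m.group(1) for m in DATASET_RE.finditer(query)}


def packages_from_index(index_patterns: Iterable[str],
                        non_dataset_packages: frozenset[str] = NON_DATASET_PACKAGES) -> set[str]:
    """Packages inferred from index patterns, but only for NON_DATASET_PACKAGES."""
    found = set()
    for pattern in index_patterns:
        package = INDEX_PATTERN_PACKAGES.get(pattern)
        if package in non_dataset_packages:
            found.add(package)
    return found


def related_integrations(index_patterns: Iterable[str], query: str,
                         non_dataset_packages: frozenset[str] = NON_DATASET_PACKAGES) -> list[str]:
    """Union of both sources, sorted for a stable related_integrations field."""
    return sorted(packages_from_query(query) | packages_from_index(index_patterns, non_dataset_packages))


def dataset_clause_is_redundant(index_patterns: Iterable[str], query: str,
                                non_dataset_packages: frozenset[str] = NON_DATASET_PACKAGES) -> bool:
    """True when every package the event.dataset clause names is already implied
    by the index patterns, i.e. the clause can be dropped without losing
    related_integrations coverage (the point of adding auditd_manager)."""
    from_query = packages_from_query(query)
    return bool(from_query) and from_query <= packages_from_index(index_patterns, non_dataset_packages)


# Constructed sample rule: Auditd Manager plus the auditbeat pattern the Linux tuning effort wants covered.
SAMPLE_INDEX = ["logs-auditd_manager.auditd-*", "auditbeat-*"]
SAMPLE_QUERY_WITH_DATASET = 'event.dataset:"auditd_manager.auditd" and auditd.message_type:"syscall"'
SAMPLE_QUERY_WITHOUT_DATASET = 'auditd.message_type:"syscall"'

# State before the proposed change: auditd_manager is not a non-dataset package.
BEFORE = frozenset({"endpoint", "network_traffic"})

if __name__ == "__main__":
    print("before, no dataset clause:", related_integrations(SAMPLE_INDEX, SAMPLE_QUERY_WITHOUT_DATASET, BEFORE))
    print("before, with dataset clause:", related_integrations(SAMPLE_INDEX, SAMPLE_QUERY_WITH_DATASET, BEFORE))
    print("after, no dataset clause:", related_integrations(SAMPLE_INDEX, SAMPLE_QUERY_WITHOUT_DATASET))
    print("clause redundant after change:", dataset_clause_is_redundant(SAMPLE_INDEX, SAMPLE_QUERY_WITH_DATASET))
```

Run as a script, the "before" case shows `related_integrations` coming back empty unless the query carries the `event.dataset` clause, while the "after" case resolves `auditd_manager` from the index pattern alone, which is exactly the property that lets the clause be removed so the rule can also run against `auditbeat-*`. The `dataset_clause_is_redundant` check is the kind of guard a unit test could apply to flag rules that still carry a now-unnecessary dataset clause.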
This was brought to our attention via @Aegrah's meta task for tuning Linux rules in which his intentions are to maximize index pattern coverage for all Linux rules. Reference - #3428
In doing so, we should also add `Data Source: Auditd Manager` to `definitions.py` and for unit tests. Speaking of unit tests, we should also make adjustments where necessary with these changes.
We may have to revisit schemas and integration manifests for this to ensure we are still doing proper query field validation.