elastic / detection-rules

Home Page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html


[Enhancement] `event.dataset` required for Auditd Manager integration rules

terrancedejesus opened this issue · comments

Overview

We need to evaluate `definitions.NON_DATASET_PACKAGES` and determine if it is plausible to add `auditd_manager` to this. This would allow the `related_integrations` field to populate while removing the need for `event.dataset` in the query. We have done this before for other packages like `network_traffic` and `endpoint` (Elastic Defend).

This was brought to our attention via @Aegrah's meta task for tuning Linux rules in which his intentions are to maximize index pattern coverage for all Linux rules. Reference - #3428

In doing so, we should also add `Data Source: Auditd Manager` to `definitions.py` and for unit tests. Speaking of unit tests, we should also make adjustments where necessary with these changes.

We may have to revisit schemas and integration manifests for this to ensure we are still doing proper query field validation.
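The mechanism the issue describes, shown as an added, simplified example (not code from the detection-rules repository): a package is credited to `related_integrations` either because the query constrains `event.dataset`, or, only when the package is in `NON_DATASET_PACKAGES`, because an index pattern of the form `logs-<package>.<dataset>-*` names it. The `NON_DATASET_PACKAGES` set, the `Rule` class, the regexes, and the sample rule are all constructed here; the real list in the repo is longer and its validation logic differs.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for definitions.NON_DATASET_PACKAGES (the real list is
# longer); the two members here are the ones the issue cites as precedents.
NON_DATASET_PACKAGES = frozenset({"endpoint", "network_traffic"})

# Fleet integrations write to logs-<package>.<dataset>-* data streams.
INDEX_PATTERN_RE = re.compile(
    r"^logs-(?P<package>[a-z0-9_]+)\.(?P<dataset>[a-z0-9_.]+)-\*$"
)
# event.dataset constraint in KQL (event.dataset:x.y) or EQL (event.dataset == "x.y").
DATASET_RE = re.compile(
    r'event\.dataset\s*(?::|==)\s*"?(?P<package>[a-z0-9_]+)\.(?P<dataset>[a-z0-9_.]+)"?'
)


@dataclass(frozen=True)
class Rule:
    index: tuple   # index patterns from the rule's metadata
    query: str     # KQL or EQL query text


def integration_packages(rule, non_dataset_packages=NON_DATASET_PACKAGES):
    """Packages the rule would list under related_integrations.

    Hypothetical simplification: a package is credited from an explicit
    event.dataset constraint in the query, or from an index pattern alone
    only if the package is in non_dataset_packages."""
    found = set()
    for m in DATASET_RE.finditer(rule.query):
        found.add(m.group("package"))
    for pattern in rule.index:
        m = INDEX_PATTERN_RE.match(pattern)
        if m and m.group("package") in non_dataset_packages:
            found.add(m.group("package"))
    return sorted(found)


def uncovered_packages(rule, non_dataset_packages=NON_DATASET_PACKAGES):
    """Packages named by index patterns that would NOT be credited:
    not in non_dataset_packages and not constrained via event.dataset.
    This is the gap the issue wants closed for auditd_manager."""
    credited = set(integration_packages(rule, non_dataset_packages))
    missing = set()
    for pattern in rule.index:
        m = INDEX_PATTERN_RE.match(pattern)
        if m and m.group("package") not in credited:
            missing.add(m.group("package"))
    return sorted(missing)


# Constructed Linux rule: broad index coverage, EQL query with no event.dataset clause.
LINUX_RULE = Rule(
    index=(
        "auditbeat-*",
        "logs-auditd_manager.auditd-*",
        "logs-endpoint.events.process-*",
    ),
    query='process where host.os.type == "linux" and event.type == "start" '
          'and process.name == "nc"',
)

# The proposed change: auditd_manager joins the non-dataset set.
WITH_AUDITD = NON_DATASET_PACKAGES | {"auditd_manager"}

if __name__ == "__main__":
    print("before:", integration_packages(LINUX_RULE),
          "uncovered:", uncovered_packages(LINUX_RULE))
    print("after: ", integration_packages(LINUX_RULE, WITH_AUDITD),
          "uncovered:", uncovered_packages(LINUX_RULE, WITH_AUDITD))
```

With the original set, `endpoint` is credited from its index pattern but `auditd_manager` is not, because the query never mentions `event.dataset`; after adding `auditd_manager` to the set the same rule credits both, which is what lets the query drop the dataset constraint without losing `related_integrations` coverage.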