Monitor security events flow in LA

[brandubh]

We currently have a monitor for agents not sending data (generic) and for agents not heartbeating (Type:Heartbeat), but we don't have specific monitors for agents not returning specific datasets. The first that comes to mind is SecurityEvent but Perf is another good candidate.

Monitor implementation

Given a watching period (default 1 week) all the agents that have reported data from the input Types (comma separated param, default SecurityEvent missing Linux counterpart) in the last given hours (default 2 hours) must be reported on (Alert). Two monitors must be implemented per workspace with a cumulative alert reporting in the context the first 10 agents and per agent (it will work if single system discovery is enabled)

Caveats:

• with solution targeting there can be false positives for the choosen watching period.
• if an agent is dismissed or set out of scope the alert will continue to persist for the duration of the watching period

[brandubh]

Fixed with merge #18 and version 1705