atc-project / atomic-threat-coverage

Actionable analytics designed to combat threats
Apache License 2.0

Dynamically add Data Needed to Customer by DR #212

Open andurin opened 3 years ago

andurin commented 3 years ago

I like the dynamic way a detection rule is able to declare the data needed part. This change will extend the list of DN for a customer depending on the detection rules which are applied to the customer.

yugoslavskiy commented 3 years ago

Hello @andurin!

This functionality looks pretty good, at the same time it interferes with the idea behind the Customer entity. Let me explain in detail and provide you with a solution.

The idea behind the Customer entity

The Customer entity originally was created to track the deployment/implementation of Detection Rules. For example, you have configured specific Logging Policies in one Customer's environment. You can export the current state into an elasticsearch index, and highlight what Data Needed you will get now (in Kibana).

Then you can put the Data Needed there, rebuild the es index, and highlight what Detection Rules you can deploy with this data. Then track implementation — what detection rules have been implemented, and what detection rules could be implemented but haven't been implemented yet.

So if we automatically calculate Data Needed, that will break this idea.

The win-win solution

I think that many of our users could benefit from your idea. What do you think about creating an extra option in the configuration file that will enable the function you've developed? Something like:

automatically_map_data_needed_to_detection_rules_in_customer_entity: True

This way, people who need this would be able to enable it in the config, and it will not interfere with the original idea (:
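The two behaviours discussed in this thread, the PR's automatic DN mapping (first comment) and the original "declare DN by hand, then see which DRs become deployable" tracking that the proposed config flag would preserve, as an added illustration that is not code from atomic-threat-coverage. The field names `data_needed` / `detection_rules`, the DN and DR identifiers, and the default of the config key are constructed assumptions modelled on the discussion, not the project's real schema.

```python
from typing import Dict, List, Set

# Proposed config key from the thread; defaulting it to False is an assumption.
AUTO_MAP_KEY = "automatically_map_data_needed_to_detection_rules_in_customer_entity"

# Constructed sample: each Detection Rule (DR) declares the Data Needed (DN) it requires.
DETECTION_RULES: Dict[str, List[str]] = {
    "DR_powershell_download": ["DN_process_creation_4688", "DN_sysmon_process_creation_1"],
    "DR_lsass_dump": ["DN_sysmon_process_creation_1", "DN_sysmon_process_access_10"],
}

# Constructed sample Customer: two DRs are planned, but only one DN is collected so far.
CUSTOMER = {
    "name": "acme_corp",
    "data_needed": ["DN_process_creation_4688"],
    "detection_rules": ["DR_powershell_download", "DR_lsass_dump"],
}


def auto_map_enabled(config: dict) -> bool:
    """Read the proposed flag; absent or falsy means the original behaviour."""
    return bool(config.get(AUTO_MAP_KEY, False))


def effective_data_needed(customer: dict, rules: Dict[str, List[str]], auto_map: bool) -> Set[str]:
    """DN the Customer entity will report.

    auto_map=False: only the DN the analyst declared (original Customer semantics).
    auto_map=True:  also every DN declared by the DRs applied to the customer (the PR's behaviour).
    """
    dn = set(customer["data_needed"])
    if auto_map:
        for dr in customer["detection_rules"]:
            dn.update(rules[dr])
    return dn


def implementable_rules(data_needed: Set[str], rules: Dict[str, List[str]]) -> Set[str]:
    """DRs whose every required DN is present in the customer's collected data."""
    return {dr for dr, needed in rules.items() if set(needed) <= data_needed}


def coverage_gap(customer: dict, rules: Dict[str, List[str]], auto_map: bool) -> Set[str]:
    """Applied DRs that cannot be deployed yet; this is the tracking signal the
    original Customer entity exists to expose, and it vanishes under auto-mapping."""
    dn = effective_data_needed(customer, rules, auto_map)
    return set(customer["detection_rules"]) - implementable_rules(dn, rules)
```

With the flag off, both DRs show up as "not yet implementable", pointing at the missing Sysmon sources; with the flag on, the DN set is inflated by the DRs themselves and the gap reads as empty.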