briandelmsft
commented
2 months ago @piaudonn I'm interested in that option yes, I think we need to really think through all the possible use cases of it carefully as well as the schema of the table.
For use cases I think the workbook can give us that stats but also give us a nicer layout for the enrichments themselves as an alternate to incident comments which could be read out of the custom table.
Additionally, we could potentially have integrations with UEBA entity timeline, for example with the KQL module if it finds something, maybe that should show up on the users entity timeline? maybe other modules as well
Are there other things we could/should keep in mind when planning this?
As we had a workbook in STATv1 to keep track of what was there and gather stats, it would be nice to have that with STATv2. At least as an option deployment option. @briandelmsft we discussed the option to send logs to a custom table? Should we offer the option?