
Dynamically add Data Needed to Customer by DR #212

Open · wants to merge 1 commit into base: develop

Conversation

andurin (Contributor) commented Nov 5, 2020

I like the dynamic way how a detection rule is able to declare the data
needed part.
This change will extend the list of DN for a customer depending on the
detection rules which are applied to the customer.

yugoslavskiy (Member) commented Nov 11, 2020

Hello @andurin!

This functionality looks pretty good, at the same time it interferes with the idea behind the Customer entity.
Let me explain in detail and provide you with a solution.

The idea behind the Customer entity

The Customer entity was originally created to track the deployment/implementation of Detection Rules.
For example, you have configured specific Logging Policies in one Customer's environment.
You can export the current state into an Elasticsearch index, and highlight what Data Needed you will get now (in Kibana).

Then you can put there Data Needed, and rebuild the ES index, then highlight what Detection Rules you can deploy with this data. Then track implementation: what detection rules have been implemented, what detection rules could be implemented but haven't been implemented yet.

So if we automatically calculate Data Needed, that will break this idea.

The win-win solution

I think that many of our users could benefit from your idea.
What do you think about creating an extra option in the configuration file, that will enable the function you've developed?
Something like:

automatically_map_data_needed_to_detection_rules_in_customer_entity: True

This way people that would need this, would be able to enable it in the config and it will not interfere with the original idea (:
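The two behaviours discussed in this thread, side by side, as an added example that is not Atomic Threat Coverage's own code: a Customer whose Data Needed (DN) list is curated by hand (the original idea), and the same Customer with its DN list extended from the Detection Rules (DR) applied to it, gated by the config option proposed above. The entity field names, the DR/DN identifiers, the sample rules and the option name are assumptions made for illustration; the sample data is constructed.

```python
# Added example, not the project's code. Field names, IDs and the option name
# are assumptions; the entities below are constructed sample data.
from typing import Dict, List, Set

AUTO_MAP_OPTION = "automatically_map_data_needed_to_detection_rules_in_customer_entity"

# Assumed schema: a DR lists the DN ids it needs; a Customer lists the DN its
# logging policy really provides and the DRs that have been deployed there.
DETECTION_RULES: Dict[str, Dict] = {
    "DR0001": {"title": "Suspicious encoded PowerShell", "data_needed": ["DN0001", "DN0002"]},
    "DR0002": {"title": "Sysmon driver load", "data_needed": ["DN0003"]},
    "DR0003": {"title": "Process created by WMI", "data_needed": ["DN0001"]},
}

CUSTOMER: Dict = {
    "title": "Example customer",
    "data_needed": ["DN0001", "DN0002"],      # hand-maintained: what is actually collected
    "detection_rules": ["DR0001", "DR0002"],  # what has been deployed
}


def customer_data_needed(customer: Dict, rules: Dict[str, Dict], config: Dict) -> Set[str]:
    """DN available to a customer.

    With the option off, only the hand-maintained list counts. With it on, the
    DN declared by every applied DR is merged in (the behaviour of this PR).
    Unknown DR ids contribute nothing rather than raising.
    """
    explicit = set(customer.get("data_needed", []))
    if not config.get(AUTO_MAP_OPTION, False):
        return explicit
    derived: Set[str] = set()
    for dr_id in customer.get("detection_rules", []):
        derived.update(rules.get(dr_id, {}).get("data_needed", []))
    return explicit | derived


def coverage(customer: Dict, rules: Dict[str, Dict], config: Dict) -> Dict[str, List[str]]:
    """The tracking view the Customer entity was built for.

    A DR is deployable when every DN it needs is available to the customer.
    'missing_data' lists deployed DRs whose DN is not on the customer's list;
    with the option on, those gaps disappear because the DN is merged in,
    which is exactly the tracking signal the maintainer wants to keep.
    """
    available = customer_data_needed(customer, rules, config)
    implemented = set(customer.get("detection_rules", []))
    deployable = {dr for dr, r in rules.items() if set(r.get("data_needed", [])) <= available}
    return {
        "implemented": sorted(implemented),
        "could_implement": sorted(deployable - implemented),
        "missing_data": sorted(implemented - deployable),
        "blocked": sorted(set(rules) - deployable - implemented),
    }


if __name__ == "__main__":
    for cfg in ({}, {AUTO_MAP_OPTION: True}):
        print(cfg or "(option off)", coverage(CUSTOMER, DETECTION_RULES, cfg))
```

With the option off, DR0002 shows up under `missing_data` because the customer never listed DN0003, which is the gap the Customer entity exists to surface. With the option on, DN0003 is pulled in from DR0002 itself, so the same rule reads as fully covered; that is the trade-off the config flag leaves to the user.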
