Project: Red Hat Advanced Cluster Security
Issue: ROX-29824

Host Path Activity Monitoring for Runtime Detection

    • Product / Portfolio Work
    • XL
    • 0% To Do, 100% In Progress, 0% Done

      *Requirements for this feature are found here: https://docs.google.com/document/d/1sR5jBQZtQTd1KjtoKTU7XhYEwBakvv95dOH1op4R7d8/edit?tab=t.0#heading=h.bcmrjlz7fh4w*

      CUSTOMER PROBLEM

      • As a customer in the financial sector, I need to pass a PCI DSS audit every year. One of its requirements (Requirement 11.5.2 in PCI DSS v4.0) is a File Integrity Monitoring (FIM) tool covering all critical files; as a customer, "critical files" means a configurable list of directories or files to monitor.
      • To investigate an unexpected modification, I rely on the following data being provided with the alert:
        • The complete command (executable and arguments) that modified the file
        • An indicator of whether the modification came in through an SSH session rather than an expected OpenShift process. This is the field isRunningInADifferentMountNamespace, which records whether the process runs in a different mount namespace from the host or the sensor of reference. It matters because it lets us identify modifications made outside of expected OpenShift processes, such as direct SSH sessions, and filter out noise from administrative actions such as Machine Config Pool updates, which would otherwise generate thousands of alerts.
        • Type of operation (read, write, modify, delete)
        • Which file or directory was modified
        • The user that made the modification (human user or service account)
        • The name of the node where the modification happened
        • Timestamp
      • As a customer with a large cluster fleet, I need a single centralized alerting system for the monitored files across my entire fleet.
      • Because of the size of my fleet, it is essential that the tool raises alerts only for suspicious activity and not for everyday tasks.
      • As a customer, I expect that enabling the functionality has no significant performance impact on my clusters.
      • As a customer, I expect to be able to decide which clusters in my fleet have this functionality enabled.
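The alert fields and the noise rule described above, as an added example that is not code from this ticket or from the ACS project: a small Go evaluator that runs a monitoring policy over constructed file-activity events and emits an alert carrying the command, operation, path, user, node, timestamp and namespace indicator. The event shape, the meaning assumed for isRunningInADifferentMountNamespace (true when the process is in a mount namespace other than the host's, such as a container; false for a process in the host mount namespace, such as a shell in a direct SSH session), the Policy layout and the choice of machine-config-daemon as an expected writer are all assumptions made for illustration, not ACS data structures or settings.

```go
package main

import (
	"fmt"
	"path"
	"strings"
	"time"
)

// FileActivityEvent is a constructed event shape carrying the fields the
// ticket asks for in an alert (assumption; not the ACS Collector's data model).
type FileActivityEvent struct {
	Timestamp   time.Time
	Node        string
	Path        string
	Operation   string // "read", "write", "modify" or "delete"
	User        string // human user or service account
	ProcessName string
	CommandLine string // the complete command that touched the file
	// Assumed meaning: true when the process runs in a mount namespace other
	// than the host's (e.g. a container); false for a process in the host
	// mount namespace, such as a shell in a direct SSH session.
	IsRunningInADifferentMountNamespace bool
}

// Alert is what Evaluate emits for activity that needs an analyst's attention.
type Alert struct {
	Event  FileActivityEvent
	Reason string
}

// Policy says what to watch and which administrative processes are expected
// to touch those paths (assumed names, not real ACS settings).
type Policy struct {
	MonitoredPaths    []string        // directories or individual files
	ExpectedProcesses map[string]bool // e.g. OpenShift's machine-config-daemon
	AlertOnRead       bool            // reads are usually too noisy to alert on
}

// DefaultPolicy watches a few host paths an auditor would ask about and treats
// the Machine Config Daemon as an expected writer.
func DefaultPolicy() Policy {
	return Policy{
		MonitoredPaths:    []string{"/etc/kubernetes", "/etc/ssh/sshd_config", "/var/lib/kubelet/config.json"},
		ExpectedProcesses: map[string]bool{"machine-config-daemon": true},
	}
}

// underMonitoredPath reports whether p is a monitored file or lies below a
// monitored directory. Paths are cleaned first so "/etc/../etc/ssh/sshd_config"
// still matches "/etc/ssh/sshd_config".
func underMonitoredPath(p string, monitored []string) bool {
	p = path.Clean(p)
	for _, m := range monitored {
		m = path.Clean(m)
		if p == m || strings.HasPrefix(p, m+"/") {
			return true
		}
	}
	return false
}

// Evaluate returns an Alert for activity that needs attention and nil otherwise.
// The check order encodes the ticket's noise rule: an expected OpenShift process
// (a Machine Config Pool rollout, say) is suppressed, but only while it runs in
// its own mount namespace; a process in the host mount namespace touching a
// monitored path is never suppressed, whatever it is called.
func (p Policy) Evaluate(ev FileActivityEvent) *Alert {
	if !underMonitoredPath(ev.Path, p.MonitoredPaths) {
		return nil
	}
	if ev.Operation == "read" && !p.AlertOnRead {
		return nil
	}
	if !ev.IsRunningInADifferentMountNamespace {
		return &Alert{Event: ev, Reason: fmt.Sprintf(
			"%s of %s on %s by %s from the host mount namespace (possible direct SSH session): %q",
			ev.Operation, ev.Path, ev.Node, ev.User, ev.CommandLine)}
	}
	if p.ExpectedProcesses[ev.ProcessName] {
		return nil // routine administrative change; dropping it avoids alert floods
	}
	return &Alert{Event: ev, Reason: fmt.Sprintf(
		"%s of %s on %s by unexpected process %s (user %s): %q",
		ev.Operation, ev.Path, ev.Node, ev.ProcessName, ev.User, ev.CommandLine)}
}

// EvaluateAll runs the policy over a batch of events, e.g. one node's stream.
func EvaluateAll(p Policy, events []FileActivityEvent) []Alert {
	var alerts []Alert
	for _, ev := range events {
		if a := p.Evaluate(ev); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts
}

// SampleEvents is a constructed batch (not real collector output), fields in
// declaration order: an MCP rollout, an SSH edit, a rogue container write, a
// benign read and an unmonitored write. Only the second and third should alert.
func SampleEvents() []FileActivityEvent {
	ts := time.Date(2025, 1, 15, 10, 0, 0, 0, time.UTC)
	return []FileActivityEvent{
		{ts, "worker-0", "/etc/kubernetes/kubelet.conf", "write", "root", "machine-config-daemon", "machine-config-daemon start", true},
		{ts.Add(time.Minute), "worker-0", "/etc/../etc/ssh/sshd_config", "modify", "core", "vim", "vim /etc/ssh/sshd_config", false},
		{ts.Add(2 * time.Minute), "worker-1", "/etc/kubernetes/manifests/backdoor.yaml", "write", "root", "sh", "sh -c 'cat > /etc/kubernetes/manifests/backdoor.yaml'", true},
		{ts.Add(3 * time.Minute), "worker-1", "/etc/kubernetes/kubelet.conf", "read", "root", "kubelet", "kubelet --config=/etc/kubernetes/kubelet.conf", true},
		{ts.Add(4 * time.Minute), "worker-1", "/tmp/scratch", "write", "core", "bash", "bash -c 'echo x > /tmp/scratch'", false},
	}
}

func main() {
	for _, a := range EvaluateAll(DefaultPolicy(), SampleEvents()) {
		fmt.Printf("%s %s\n", a.Event.Timestamp.Format(time.RFC3339), a.Reason)
	}
}
```

The point of the ordering in Evaluate is that the namespace indicator gates the allowlist: spoofing the name of an expected process from an SSH shell on the node still alerts, while a genuine Machine Config Pool rollout of the same file is dropped, which is what keeps fleet-wide alert volume at the level the ticket asks for.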

      Out of Scope:

      The customer only needs the alert details, with the relevant arguments for analysis, and does not require an additional historical event database for investigation beyond what is in the alert.

              Maria Simon Marcos (rh-ee-masimonm)
              Component: ACS Collector
              Votes: 1
              Watchers: 5