
Alert on rulesets that don't match source logs or have 0 hits after X time. #117

@Brian-Echeverry

Is your feature request related to a problem? Please describe.
In dynamic environments, we may initially load more rulesets than are required so as not to accidentally miss any source applications you may not be aware of at the time of deployment.

Describe the solution you'd like
In the same manner as "dynamic.rules" which can enable/alert on rulesets that are currently disabled but should be enabled based on "PROGRAM" fields from source messages, could you create a process that would alert/disable a ruleset that has not seen a matching "PROGRAM" field in source logs for a specified amount of time. This would aid in ruleset tuning.

Describe alternatives you've considered
An alternative could be to alert/disable a ruleset if it has not triggered any events in a ruleset for a specified amount of time. This alternative would likely catch more events but would likely produce some false positives in smaller rulesets that don't trigger often.
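A worked illustration of the two approaches described in this request, added here as example code rather than anything from the project or the issue author. It assumes a hypothetical ruleset table (each ruleset names the PROGRAM values it applies to, with a few regexes standing in for its rules), a constructed syslog-style log sample, and a fixed "now" so the result is reproducible. The tracker records, per ruleset, when its PROGRAM was last seen and when one of its rules last fired, then reports the rulesets that would be alerted on under each policy after a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical ruleset definitions, constructed for this example. Each ruleset
# lists the PROGRAM values it applies to and a few regexes standing in for its
# individual rules; the real project's rule syntax is not modelled here.
RULESETS: Dict[str, dict] = {
    "sshd.rules": {"programs": {"sshd"},
                   "rules": [r"Failed password", r"Accepted publickey"]},
    "postfix.rules": {"programs": {"postfix/smtpd"},
                      "rules": [r"NOQUEUE: reject"]},
    "apache.rules": {"programs": {"httpd", "apache2"},
                     "rules": [r" 5\d\d$"]},
    "asa.rules": {"programs": {"%ASA"},
                  "rules": [r"%ASA-\d-\d+"]},
}

# Constructed sample lines: "<ISO timestamp> <host> <program>[pid]: <message>".
SAMPLE_LOGS = [
    "2024-03-01T09:00:00 web01 httpd[1201]: GET /index.html 200",
    "2024-03-01T09:05:00 mail01 postfix/smtpd[330]: connect from mx.example.net[192.0.2.10]",
    "2024-03-01T10:15:00 bastion sshd[4412]: Failed password for root from 203.0.113.9 port 4021 ssh2",
    "2024-03-01T11:40:00 web01 httpd[1201]: GET /admin 404",
    "2024-03-01T12:00:00 bastion sshd[4418]: Accepted publickey for ops from 198.51.100.7 port 5521 ssh2",
    "this line is not syslog and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, program, message), or None for lines that don't parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["program"], m["msg"]


class RulesetActivityTracker:
    """Per ruleset: when its PROGRAM was last seen and when one of its rules last fired."""

    def __init__(self, rulesets: Dict[str, dict]) -> None:
        self.programs = {name: set(spec["programs"]) for name, spec in rulesets.items()}
        self.rules = {name: [re.compile(r) for r in spec["rules"]]
                      for name, spec in rulesets.items()}
        self.program_last_seen: Dict[str, Optional[datetime]] = {n: None for n in rulesets}
        self.rule_last_fired: Dict[str, Optional[datetime]] = {n: None for n in rulesets}
        self.hit_counts: Dict[str, int] = defaultdict(int)

    @staticmethod
    def _later(current: Optional[datetime], ts: datetime) -> datetime:
        # Logs may arrive out of order; always keep the most recent timestamp.
        return ts if current is None or ts > current else current

    def observe(self, line: str) -> None:
        parsed = parse_line(line)
        if parsed is None:
            return
        ts, program, msg = parsed
        for name, programs in self.programs.items():
            if program not in programs:
                continue
            self.program_last_seen[name] = self._later(self.program_last_seen[name], ts)
            if any(rule.search(msg) for rule in self.rules[name]):
                self.rule_last_fired[name] = self._later(self.rule_last_fired[name], ts)
                self.hit_counts[name] += 1

    def stale_by_program(self, now: datetime, window: timedelta) -> List[str]:
        """Requested behaviour: rulesets whose PROGRAM has not appeared within `window`."""
        return sorted(n for n, seen in self.program_last_seen.items()
                      if seen is None or now - seen > window)

    def quiet_by_hits(self, now: datetime, window: timedelta) -> List[str]:
        """Alternative: rulesets none of whose rules have fired within `window`."""
        return sorted(n for n, fired in self.rule_last_fired.items()
                      if fired is None or now - fired > window)


def run_example(window_hours: int = 2):
    """Replay the constructed sample and evaluate both policies at a fixed 'now'."""
    tracker = RulesetActivityTracker(RULESETS)
    for line in SAMPLE_LOGS:
        tracker.observe(line)
    now = datetime.fromisoformat("2024-03-01T13:00:00")
    window = timedelta(hours=window_hours)
    return (tracker.stale_by_program(now, window),
            tracker.quiet_by_hits(now, window),
            dict(tracker.hit_counts))


if __name__ == "__main__":
    stale, quiet, hits = run_example()
    print("no matching PROGRAM within window:", stale)
    print("no rule hits within window:", quiet)
    print("hit counts:", hits)
```

With a two-hour window the PROGRAM-based check flags only `asa.rules` (never seen) and `postfix.rules` (last seen almost four hours earlier). The hit-based alternative additionally flags `apache.rules`: httpd is clearly a live source, but none of its requests in the sample returned a 5xx status, so its rules simply had nothing to fire on. That is the false positive the request anticipates for small or rarely-triggered rulesets, and it is why the two policies are worth reporting separately rather than collapsing into one.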
