[CWS] optimize service resolution in event, and skip for activity dum…

…ps (DataDog#30784)
Melissa1181 · Nov 6, 2024 · 5b65150 · 5b65150
1 parent b72767a
commit 5b65150
Show file tree

Hide file tree

Showing 9 changed files with 48 additions and 41 deletions.
diff --git a/pkg/security/probe/field_handlers.go b/pkg/security/probe/field_handlers.go
@@ -43,7 +43,7 @@ func bestGuessServiceTag(serviceValues []string) string {
 }
 
 // getProcessService returns the service tag based on the process context
-func getProcessService(config *config.Config, entry *model.ProcessCacheEntry) string {
+func getProcessService(config *config.Config, entry *model.ProcessCacheEntry) (string, bool) {
 	var serviceValues []string
 
 	// first search in the process context itself
@@ -69,8 +69,30 @@ func getProcessService(config *config.Config, entry *model.ProcessCacheEntry) st
 	}
 
 	if service := bestGuessServiceTag(serviceValues); service != "" {
-		return service
+		return service, true
 	}
 
-	return config.RuntimeSecurity.HostServiceName
+	return config.RuntimeSecurity.HostServiceName, false
+}
+
+type pceResolver interface {
+	ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)
+}
+
+func resolveService(cfg *config.Config, fh pceResolver, ev *model.Event, e *model.BaseEvent) string {
+	if e.Service != "" {
+		return e.Service
+	}
+
+	entry, _ := fh.ResolveProcessCacheEntry(ev)
+	if entry == nil {
+		return ""
+	}
+
+	service, ok := getProcessService(cfg, entry)
+	if ok {
+		e.Service = service
+	}
+
+	return service
 }
diff --git a/pkg/security/probe/field_handlers_ebpf.go b/pkg/security/probe/field_handlers_ebpf.go
@@ -401,12 +401,8 @@ func (fh *EBPFFieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.Bas
 }
 
 // ResolveService returns the service tag based on the process context
-func (fh *EBPFFieldHandlers) ResolveService(ev *model.Event, _ *model.BaseEvent) string {
-	entry, _ := fh.ResolveProcessCacheEntry(ev)
-	if entry == nil {
-		return ""
-	}
-	return getProcessService(fh.config, entry)
+func (fh *EBPFFieldHandlers) ResolveService(ev *model.Event, e *model.BaseEvent) string {
+	return resolveService(fh.config, fh, ev, e)
 }
 
 // ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time

diff --git a/pkg/security/probe/field_handlers_ebpfless.go b/pkg/security/probe/field_handlers_ebpfless.go
@@ -29,12 +29,8 @@ type EBPFLessFieldHandlers struct {
 }
 
 // ResolveService returns the service tag based on the process context
-func (fh *EBPFLessFieldHandlers) ResolveService(ev *model.Event, _ *model.BaseEvent) string {
-	entry, _ := fh.ResolveProcessCacheEntry(ev)
-	if entry == nil {
-		return ""
-	}
-	return getProcessService(fh.config, entry)
+func (fh *EBPFLessFieldHandlers) ResolveService(ev *model.Event, e *model.BaseEvent) string {
+	return resolveService(fh.config, fh, ev, e)
 }
 
 // ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

diff --git a/pkg/security/probe/field_handlers_windows.go b/pkg/security/probe/field_handlers_windows.go
@@ -79,21 +79,8 @@ func (fh *FieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.Proce
 }
 
 // ResolveService returns the service tag based on the process context
-func (fh *FieldHandlers) ResolveService(ev *model.Event, _ *model.BaseEvent) string {
-	entry, _ := fh.ResolveProcessCacheEntry(ev)
-	if entry == nil {
-		return ""
-	}
-	return getProcessService(fh.config, entry)
-}
-
-// GetProcessService returns the service tag based on the process context
-func (fh *FieldHandlers) GetProcessService(ev *model.Event) string {
-	entry, _ := fh.ResolveProcessCacheEntry(ev)
-	if entry == nil {
-		return ""
-	}
-	return getProcessService(fh.config, entry)
+func (fh *FieldHandlers) ResolveService(ev *model.Event, e *model.BaseEvent) string {
+	return resolveService(fh.config, fh, ev, e)
 }
 
 // ResolveProcessCmdLineScrubbed returns a scrubbed version of the cmdline

diff --git a/pkg/security/secl/model/field_handlers_unix.go b/pkg/security/secl/model/field_handlers_unix.go
diff --git a/pkg/security/secl/model/field_handlers_windows.go b/pkg/security/secl/model/field_handlers_windows.go
diff --git a/pkg/security/secl/model/model.go b/pkg/security/secl/model/model.go
@@ -125,10 +125,10 @@ type BaseEvent struct {
 	Timestamp     time.Time      `field:"timestamp,opts:getters_only,handler:ResolveEventTime"`
 	Rules         []*MatchedRule `field:"-"`
 	ActionReports []ActionReport `field:"-"`
-	Os            string         `field:"event.os"`                               // SECLDoc[event.os] Definition:`Operating system of the event`
-	Origin        string         `field:"event.origin"`                           // SECLDoc[event.origin] Definition:`Origin of the event`
-	Service       string         `field:"event.service,handler:ResolveService"`   // SECLDoc[event.service] Definition:`Service associated with the event`
-	Hostname      string         `field:"event.hostname,handler:ResolveHostname"` // SECLDoc[event.hostname] Definition:`Hostname associated with the event`
+	Os            string         `field:"event.os"`                                          // SECLDoc[event.os] Definition:`Operating system of the event`
+	Origin        string         `field:"event.origin"`                                      // SECLDoc[event.origin] Definition:`Origin of the event`
+	Service       string         `field:"event.service,handler:ResolveService,opts:skip_ad"` // SECLDoc[event.service] Definition:`Service associated with the event`
+	Hostname      string         `field:"event.hostname,handler:ResolveHostname"`            // SECLDoc[event.hostname] Definition:`Hostname associated with the event`
 
 	// context shared with all events
 	ProcessContext         *ProcessContext        `field:"process"`

diff --git a/pkg/security/seclwin/model/field_handlers_win.go b/pkg/security/seclwin/model/field_handlers_win.go
diff --git a/pkg/security/seclwin/model/model.go b/pkg/security/seclwin/model/model.go