[Tuning] event.action and event.type change #3495
Conversation
@Aegrah I noticed you mentioned this is related to performance increases, but do we have benchmarks or testing to confirm these changes will increase performance? |
@terrancedejesus, this relates to our discussion while reviewing one of Ruben's PRs in EAH. Filtering for |
@terrancedejesus exactly what @w0rk3r said. We discussed whether we would remove the |
🙇🏼‍♂️
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Removed changes from:
- rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
- rules/linux/discovery_esxi_software_via_find.toml
- rules/linux/discovery_esxi_software_via_grep.toml
- rules/linux/discovery_kernel_module_enumeration.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/collection_linux_suspicious_clipboard_activity.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 9f8638a)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Removed changes from:
- rules/linux/discovery_kernel_module_enumeration.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/collection_linux_suspicious_clipboard_activity.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 9f8638a)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Removed changes from:
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml
(selectively cherry picked from commit 9f8638a)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit 9f8638a)
Summary
This PR changes the order of event.action and event.type in the rule queries, to increase query performance.