
add process-name exclude prefilter options #784

Merged
YakirOren merged 3 commits into main from feature/exclude-prefilter on Apr 27, 2026

Conversation

YakirOren (Contributor) commented Apr 21, 2026

Summary by CodeRabbit

  • New Features
    • Added process and parent-process exclusion filters to pre-filters that require both process name and executable path to match (paths are normalized); exec events now include parent process context so filters can use it.
  • Tests
    • Added/expanded tests covering parsing, normalization, invalid-entry handling, and runtime skip behavior for the new exclusion settings.

coderabbitai Bot commented Apr 21, 2026

Walkthrough

Adds parent-process context fields to exec events, extends extraction to populate them, updates prefilter to parse and match excludeProcesses/excludeParentProcesses maps (with path normalization and invalid-entry handling), changes ShouldSkip to accept event pointers and applies process/parent-process skip checks, and adds tests for these behaviors.

Changes

  • Event Schema & Accessors (pkg/utils/events.go, pkg/utils/struct_event.go, pkg/utils/datasource_event.go): Add ParentExePath field and GetParentExePath() accessor; update ExecEvent interface to include GetParentExePath().
  • Prefilter Logic (pkg/rulemanager/prefilter/prefilter.go): Add ExcludeProcesses and ExcludeParentProcesses maps; introduce buildProcessMap with path normalization and aggregated warnings; change ShouldSkip signature to accept *EventFields and add comm+exe and parent-comm+parent-exe matching checks.
  • Prefilter Tests & Call Sites (pkg/rulemanager/prefilter/prefilter_test.go): Add tests for parsing exclude maps (normalization, invalid-entry dropping) and for ShouldSkip behavior including positive/negative cases; update tests/benchmarks to call ShouldSkip with *EventFields.
  • Rule Manager Integration (pkg/rulemanager/rule_manager.go, pkg/rulemanager/extract_event_fields_test.go): Pass extracted eventFields by reference into prefilter; extend execve extraction to populate ParentExePath, Comm, and Pcomm; add unit test asserting these fields are extracted.

Sequence Diagram(s)

sequenceDiagram
    participant Datasource
    participant RuleManager
    participant Prefilter
    participant RuleEngine

    Datasource->>RuleManager: deliver event (execve)
    RuleManager->>RuleManager: extractEventFields -> populate Path, Comm, Pcomm, ParentExePath
    RuleManager->>Prefilter: ShouldSkip(&EventFields)
    Prefilter-->>Prefilter: normalize/lookup processKey in ExcludeProcesses / ExcludeParentProcesses
    Prefilter-->>RuleManager: return skip decision
    alt not skipped
        RuleManager->>RuleEngine: ReportEnrichedEvent (process event)
    else skipped
        RuleManager-->>Datasource: drop/ignore event
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

"I nibble logs beneath the moonlit patch,
I trace parent paths on every match,
Comm and Pcomm hop into sight,
Prefilters leap to skip or keep it right,
A rabbit's nod: the process map is stitched with care." 🐇

Pre-merge checks: 4 passed, 1 failed

Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | Passed | The PR title accurately describes the main change: adding new process-name exclude prefilter options through the ExcludeProcesses and ExcludeParentProcesses maps. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions commented

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.000 | 0.000 | N/A |
| Peak CPU (cores) | 0.000 | 0.000 | N/A |
| Avg Memory (MiB) | 0.000 | 0.000 | N/A |
| Peak Memory (MiB) | 0.000 | 0.000 | N/A |

Dedup Effectiveness

No data available.

Signed-off-by: Yakir Oren <yakiroren@gmail.com>
Signed-off-by: Yakir Oren <yakiroren@gmail.com>
YakirOren force-pushed the feature/exclude-prefilter branch from 548d539 to ea3b48a on April 21, 2026 08:27
@github-actions commented

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.155 | 0.000 | -100.0% |
| Peak CPU (cores) | 0.161 | 0.000 | -100.0% |
| Avg Memory (MiB) | 408.634 | 0.000 | -100.0% |
| Peak Memory (MiB) | 410.141 | 0.000 | -100.0% |

Dedup Effectiveness

No data available.

Event Counters

| Metric | BEFORE | AFTER |
|---|---|---|
| capability_counter | 11 | 0 |
| dns_counter | 1434 | 0 |
| exec_counter | 7172 | 0 |
| network_counter | 94347 | 0 |
| open_counter | 786269 | 0 |
| syscall_counter | 3629 | 0 |

@github-actions commented

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.153 | 0.154 | +0.9% |
| Peak CPU (cores) | 0.159 | 0.161 | +1.4% |
| Avg Memory (MiB) | 414.844 | 315.740 | -23.9% |
| Peak Memory (MiB) | 419.117 | 319.773 | -23.7% |

Dedup Effectiveness (AFTER only)

| Event Type | Passed | Deduped | Ratio |
|---|---|---|---|
| capabilities | 1 | 0 | 0.0% |
| hardlink | 6000 | 0 | 0.0% |
| http | 1704 | 119456 | 98.6% |
| network | 900 | 78000 | 98.9% |
| open | 36158 | 619917 | 94.5% |
| symlink | 6000 | 0 | 0.0% |
| syscall | 985 | 1896 | 65.8% |

Event Counters

| Metric | BEFORE | AFTER |
|---|---|---|
| capability_counter | 9 | 10 |
| dns_counter | 1395 | 1417 |
| exec_counter | 7070 | 7089 |
| network_counter | 92795 | 93238 |
| open_counter | 775068 | 777095 |
| syscall_counter | 3383 | 3605 |

matthyx (Contributor) left a comment

One suggestion on the prefilter parsing: normalize operator-supplied paths to match what the event layer produces, so subtle config mismatches (trailing slash, missing leading slash) don't silently fail to match.
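The behaviour the walkthrough describes for buildProcessMap and ShouldSkip (comm plus executable path must both match, paths are normalized, invalid entries are dropped with aggregated warnings, nil input never skips), together with the normalization matthyx asks for above, as an added Go example. This is illustrative code written for this page, not the project's own prefilter; the EventFields and Params layouts and the NUL-joined key format are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// EventFields: per-event data the prefilter inspects (names follow the PR; layout assumed).
type EventFields struct{ Comm, Path, Pcomm, ParentExePath string }
// Params holds exclusion sets keyed by comm plus normalized executable path.
type Params struct{ ExcludeProcesses, ExcludeParentProcesses map[string]struct{} }

// processKey joins comm and exe with a NUL so neither half can spoof the other.
func processKey(comm, exe string) string { return comm + "\x00" + exe }
// normalizeExePath canonicalizes an operator-supplied path so that a trailing
// slash, missing leading slash or "." segment still matches the event's path.
func normalizeExePath(p string) (string, bool) {
	p = path.Clean("/" + strings.TrimSpace(p))
	return p, p != "/" // a bare "/" means the entry was empty
}

// buildProcessMap parses {comm: exePath} config entries, normalizing paths and
// dropping invalid entries with aggregated warnings instead of failing startup.
func buildProcessMap(raw map[string]string) (map[string]struct{}, []string) {
	out := make(map[string]struct{}, len(raw))
	var warns []string
	for comm, exe := range raw {
		comm = strings.TrimSpace(comm)
		norm, ok := normalizeExePath(exe)
		if comm == "" || !ok {
			warns = append(warns, fmt.Sprintf("dropping invalid exclude entry %q=%q", comm, exe))
			continue
		}
		out[processKey(comm, norm)] = struct{}{}
	}
	return out, warns
}

// ShouldSkip reports whether the event bypasses the rule loop. A nil receiver
// or nil event never skips, so unexpected input is evaluated, not dropped.
func (p *Params) ShouldSkip(e *EventFields) bool {
	if p == nil || e == nil {
		return false
	}
	if _, ok := p.ExcludeProcesses[processKey(e.Comm, e.Path)]; ok {
		return true
	}
	_, ok := p.ExcludeParentProcesses[processKey(e.Pcomm, e.ParentExePath)]
	return ok
}
```

Because the key carries both comm and the normalized exe path, a binary that merely reuses an excluded process name from a different location is still evaluated by the full rule set.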

coderabbitai Bot left a comment on pkg/rulemanager/prefilter/prefilter.go

Nitpick comments (1)
pkg/rulemanager/prefilter/prefilter.go (1)

73-75: Refresh the stale EventFields comment.

ShouldSkip now receives *EventFields, so “Passed by value” is no longer accurate.

Suggested comment update
 // EventFields holds event data extracted once per event for pre-filtering.
-// Passed by value, stack-allocated, extracted once before the rule loop and
-// reused across all rules.
+// Extracted once before the rule loop and passed by pointer to avoid per-rule
+// copies while being reused across all rules.
 type EventFields struct {
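Review bot: The replacement wording says the struct is "reused across all rules" but not whether ShouldSkip and the rules treat it as read-only; now that the same address is shared across the rule loop, any write made while handling one rule is visible to every later rule for that event, so add a sentence such as `// Callers must treat the fields as read-only for the lifetime of the event.`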
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/rulemanager/prefilter/prefilter.go` around lines 73 - 75, The EventFields
struct comment is stale: it says "Passed by value" but ShouldSkip now takes
*EventFields; update the comment for EventFields to remove "Passed by value" and
instead state that EventFields is extracted once per event and passed by pointer
(e.g., to ShouldSkip) so it is reused across all rules and allocated on the
stack or heap as appropriate; reference EventFields and the ShouldSkip method in
the updated comment so readers know it is passed as *EventFields.

Review info: configuration defaults, review profile CHILL.

📥 Commits

Reviewing files that changed from the base of the PR and between 900e72b and f9ff2a7.

📒 Files selected for processing (7)
  • pkg/rulemanager/extract_event_fields_test.go
  • pkg/rulemanager/prefilter/prefilter.go
  • pkg/rulemanager/prefilter/prefilter_test.go
  • pkg/rulemanager/rule_manager.go
  • pkg/utils/datasource_event.go
  • pkg/utils/events.go
  • pkg/utils/struct_event.go

@github-actions commented

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.135 | 0.140 | +4.0% |
| Peak CPU (cores) | 0.147 | 0.151 | +2.3% |
| Avg Memory (MiB) | 404.360 | 265.422 | -34.4% |
| Peak Memory (MiB) | 416.266 | 273.105 | -34.4% |

Dedup Effectiveness (AFTER only)

| Event Type | Passed | Deduped | Ratio |
|---|---|---|---|
| capabilities | 0 | 0 | N/A |
| hardlink | 6000 | 0 | 0.0% |
| http | 1700 | 119461 | 98.6% |
| network | 900 | 78000 | 98.9% |
| open | 49029 | 621697 | 92.7% |
| symlink | 6000 | 0 | 0.0% |
| syscall | 978 | 1879 | 65.8% |

Event Counters

| Metric | BEFORE | AFTER |
|---|---|---|
| capability_counter | 11 | 8 |
| dns_counter | 1428 | 1430 |
| exec_counter | 7146 | 7158 |
| network_counter | 93989 | 94164 |
| open_counter | 800078 | 802305 |
| syscall_counter | 3461 | 3439 |

Signed-off-by: Yakir Oren <yakiroren@gmail.com>
YakirOren force-pushed the feature/exclude-prefilter branch from f9ff2a7 to 66b0715 on April 23, 2026 11:13
coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/rulemanager/prefilter/prefilter.go (1)

249-254: ⚠️ Potential issue | 🟡 Minor

Add nil guard for the e parameter in ShouldSkip.

Line 254 dereferences e without a nil check. Although all current call sites pass valid addresses, the function should defend against nil to prevent panics if callers change or in untrusted contexts.

 func (p *Params) ShouldSkip(e *EventFields) bool {
-	if p == nil {
+	if p == nil || e == nil {
 		return false
 	}
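Review bot: Returning false when e is nil is the right default for a prefilter: an event the prefilter cannot inspect falls through to full rule evaluation instead of being silently dropped, so a caller bug costs throughput rather than detection coverage. Pin that behaviour with a unit test that calls ShouldSkip(nil) on a non-nil Params, next to whatever covers the existing `if p == nil` guard.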
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/rulemanager/prefilter/prefilter.go` around lines 249 - 254, The
ShouldSkip method on Params dereferences e.Dir without guarding e; add a
nil-check for the EventFields parameter (e) at the start of Params.ShouldSkip
(after the existing p == nil guard) and return false if e == nil so you do not
dereference e when evaluating p.Dir != DirNone && e.Dir != DirNone && e.Dir !=
p.Dir; update any related comments if present.

Review info: configuration defaults, review profile CHILL.

📥 Commits

Reviewing files that changed from the base of the PR and between f9ff2a7 and 66b0715.

📒 Files selected for processing (2)
  • pkg/rulemanager/prefilter/prefilter.go
  • pkg/rulemanager/prefilter/prefilter_test.go
✅ Files skipped from review due to trivial changes (1)
  • pkg/rulemanager/prefilter/prefilter_test.go

Comment on lines +74 to +75
// Passed by value, stack-allocated, extracted once before the rule loop and
// reused across all rules.

⚠️ Potential issue | 🟡 Minor

Update the stale value-copy comment.

ShouldSkip now takes *EventFields, so this comment contradicts the current API.

Proposed comment update
-// Passed by value, stack-allocated, extracted once before the rule loop and
-// reused across all rules.
+// Passed by pointer on the prefilter hot path to avoid copying; extracted once
+// before the rule loop and reused across all rules.
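Review bot: This is the second proposed wording for the same two lines (the earlier review suggested "passed by pointer to avoid per-rule copies"); settle on one so the committed comment does not drift between review rounds. The "to avoid copying" rationale holds as long as EventFields stays larger than a single machine word, which a struct carrying Path, Comm, Pcomm and ParentExePath clearly is, so the proposed text is accurate.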
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/rulemanager/prefilter/prefilter.go` around lines 74 - 75, The comment
about value-copy is stale because ShouldSkip now accepts *EventFields; update
the comment in prefilter.go to reflect that EventFields is passed by pointer
(e.g., "Passed by pointer, extracted once before the rule loop and reused across
all rules") and ensure it mentions *EventFields and the reuse pattern around
ShouldSkip to avoid implying stack-allocated value copies.

@github-actions commented

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.126 | 0.133 | +5.2% |
| Peak CPU (cores) | 0.131 | 0.143 | +8.8% |
| Avg Memory (MiB) | 401.863 | 268.267 | -33.2% |
| Peak Memory (MiB) | 408.004 | 279.445 | -31.5% |

Dedup Effectiveness (AFTER only)

| Event Type | Passed | Deduped | Ratio |
|---|---|---|---|
| capabilities | 3 | 0 | 0.0% |
| hardlink | 6000 | 0 | 0.0% |
| http | 1767 | 119400 | 98.5% |
| network | 901 | 78003 | 98.9% |
| open | 50640 | 620504 | 92.5% |
| symlink | 6000 | 0 | 0.0% |
| syscall | 987 | 1883 | 65.6% |

Event Counters

| Metric | BEFORE | AFTER |
|---|---|---|
| capability_counter | 10 | 10 |
| dns_counter | 1439 | 1445 |
| exec_counter | 7201 | 7232 |
| network_counter | 94687 | 95110 |
| open_counter | 806796 | 812095 |
| syscall_counter | 3630 | 3488 |

@github-actions commented

Performance Benchmark Results

Node-Agent Resource Usage

| Metric | BEFORE | AFTER | Delta |
|---|---|---|---|
| Avg CPU (cores) | 0.170 | 0.171 | +0.7% |
| Peak CPU (cores) | 0.174 | 0.175 | +0.6% |
| Avg Memory (MiB) | 311.118 | 258.492 | -16.9% |
| Peak Memory (MiB) | 315.141 | 262.613 | -16.7% |

Dedup Effectiveness (AFTER only)

| Event Type | Passed | Deduped | Ratio |
|---|---|---|---|
| capabilities | 0 | 0 | N/A |
| hardlink | 6000 | 0 | 0.0% |
| http | 1701 | 119461 | 98.6% |
| network | 900 | 78001 | 98.9% |
| open | 34620 | 621721 | 94.7% |
| symlink | 6000 | 0 | 0.0% |
| syscall | 981 | 1882 | 65.7% |

Event Counters

| Metric | BEFORE | AFTER |
|---|---|---|
| capability_counter | 8 | 7 |
| dns_counter | 1422 | 1403 |
| exec_counter | 7112 | 7045 |
| network_counter | 93525 | 92582 |
| open_counter | 778401 | 770833 |
| syscall_counter | 3366 | 3347 |

@YakirOren YakirOren merged commit 4aefa65 into main Apr 27, 2026
29 checks passed
@matthyx matthyx moved this to To Archive in KS PRs tracking Apr 27, 2026