ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) #1281

kallsyms · 2024-02-05T23:49:58Z

This PR:

Instantiates a process tree in SantaDeps, and threads it through to the enricher and proto serializer.
Adds a new SNTEndpointSecurityTreeAwareClient which clients subclass from to automatically have the tree updated before they run.
Adds a ProcessToken to the core Message type passed through Santa, which causes the tree to automatically "hold on" to process information, even after the process' exit event is received. This means the clients can get process information out of the tree at any point, even in (delayed) async processing.
Adds the basic configuration knobs to change which annotations are enabled (and if none are, disables the tree entirely).

N.B. Due to the last bullet above, while this code does technically begin to interact with event processing, the tree remains entirely disabled unless the config key is set.

…e are enabled

Source/common/SNTConfigurator.h

Source/santad/EventProviders/EndpointSecurity/EnrichedTypes.h

Source/santad/EventProviders/EndpointSecurity/Enricher.mm

Source/santad/EventProviders/EndpointSecurity/Enricher.h

Source/santad/EventProviders/EndpointSecurity/Message.h

Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.h

Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.mm

Source/santad/SantadDeps.mm

Source/santad/Logs/EndpointSecurity/Serializers/Protobuf.mm

Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.mm

Source/santad/EventProviders/SNTEndpointSecurityClient.mm

Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.mm

kallsyms added 10 commits February 20, 2024 14:12

process annotations: thread the tree through santa

81d6486

Update enricher to read annotations from the ProcessTree

66d1617

rebase changes

69a2c59

add configuration for annotations, disabling the tree entirely if non…

73df113

…e are enabled

lingering build dep

55dbb93

use tree factory constructor

6b57bf9

fix configurator

7cc7f58

build fixes

297d703

rebase fixes

158adb3

fix tests

9ead3a0

kallsyms force-pushed the pt-3 branch from 43e684f to 9ead3a0 Compare February 20, 2024 19:31

kallsyms marked this pull request as ready for review February 20, 2024 20:12

kallsyms requested a review from a team as a code owner February 20, 2024 20:12

mlw suggested changes Mar 6, 2024

View reviewed changes

kallsyms added 3 commits March 13, 2024 13:51

review comments

7b0a598

lint

e2a94b3

Merge remote-tracking branch 'upstream/main' into pt-3

267d8b4

mlw suggested changes Mar 13, 2024

View reviewed changes

Source/santad/EventProviders/SNTEndpointSecurityClient.mm Show resolved Hide resolved

Source/santad/EventProviders/SNTEndpointSecurityTreeAwareClient.mm Outdated Show resolved Hide resolved

kallsyms added 2 commits March 13, 2024 16:26

english hard

e85660e

record metrics even when event only used for process tree

8f59867

mlw approved these changes Mar 14, 2024

View reviewed changes

kallsyms merged commit 77d191a into google:main Mar 14, 2024
9 checks passed

kallsyms deleted the pt-3 branch March 14, 2024 15:32

mlw added this to the 2024.3 milestone Mar 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) #1281

ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) #1281

kallsyms commented Feb 5, 2024

ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) #1281

ProcessTree: integrate process tree throughout the event processing lifecycle (3/4) #1281

Conversation

kallsyms commented Feb 5, 2024