
[DRAFT] Add codesigning information to the ProcessInfoLight message #18

Draft: wants to merge 1 commit into base: main

Conversation

mlw (Contributor)

@mlw mlw commented Oct 5, 2024

This adds the CodeSignature message (proto) to the ProcessInfoLight message (proto).

Currently there are no good identifiers (except for path) when looking at a telemetry log to understand what the process might be. The CodeSignature message exists in the larger ProcessInfo message, but that is only used by EXEC and FAA events.

Pros: Adding the SID and TID will make processes more recognizable. The cdhash will also help make queries easier.
Cons: It does add small overhead to event sizes. Also, while using cdhash to look for execs would be easier to get more information about a given process (e.g. the hash), you'd still need to run sub queries looking for pid/pidver and parent pid/pidver to find the exact EXEC for a process (e.g. to see args).
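The two-step query pattern the description above refers to (match light events by cdhash, then join on pid/pidver or parent pid/pidver to reach the EXEC that carries the arguments), as an added illustration that is not code from this PR or the project. The flat dict layout, field names (`cs`, `ppidver`, `args`) and all sample values are constructed for the example and are not the project's real telemetry schema.

```python
# Constructed sample telemetry (simplified dicts, not the project's real
# schema): one EXEC carrying full process info, then lighter events that only
# carry ProcessInfoLight plus the proposed CodeSignature block ("cs").
CDHASH_CURL = "ab" * 20  # constructed placeholder, not a real cdhash
SAMPLE_EVENTS = [
    {"type": "EXEC", "pid": 501, "pidver": 7, "ppid": 1, "ppidver": 1,
     "path": "/usr/bin/curl", "args": ["curl", "-sL", "http://example.invalid/"],
     "cs": {"cdhash": CDHASH_CURL, "signing_id": "com.apple.curl", "team_id": ""}},
    # Same process instance, later event: only light info is available.
    {"type": "OPEN", "pid": 501, "pidver": 7, "ppid": 1, "ppidver": 1,
     "path": "/usr/bin/curl", "target": "/etc/hosts",
     "cs": {"cdhash": CDHASH_CURL, "signing_id": "com.apple.curl", "team_id": ""}},
    # Child whose own EXEC fell outside the log window; only its parent is known.
    {"type": "OPEN", "pid": 777, "pidver": 2, "ppid": 501, "ppidver": 7,
     "path": "/usr/bin/curl", "target": "/tmp/out",
     "cs": {"cdhash": CDHASH_CURL, "signing_id": "com.apple.curl", "team_id": ""}},
]


def index_execs(events):
    """Map (pid, pidver) -> the EXEC event that created that process instance."""
    return {(e["pid"], e["pidver"]): e for e in events if e["type"] == "EXEC"}


def light_events_by_cdhash(events, cdhash):
    """Step 1, which the new CodeSignature block enables: select every non-EXEC
    event whose light process info carries the cdhash, no path matching needed."""
    return [e for e in events if e["type"] != "EXEC" and e["cs"]["cdhash"] == cdhash]


def resolve_exec(event, exec_index):
    """Step 2, the sub-query the description mentions: look up the EXEC for this
    event's pid/pidver; if it is missing, fall back to the parent's pid/pidver so
    at least the spawning process is identified. Returns (exec_event, how)."""
    own = exec_index.get((event["pid"], event["pidver"]))
    if own is not None:
        return own, "self"
    parent = exec_index.get((event["ppid"], event["ppidver"]))
    return (parent, "parent") if parent is not None else (None, None)


def args_for_cdhash(events, cdhash):
    """Combine both steps: for each light event with the cdhash, report which
    EXEC (own or parent) supplies the arguments, or None if neither was logged."""
    idx = index_execs(events)
    out = []
    for ev in light_events_by_cdhash(events, cdhash):
        ex, how = resolve_exec(ev, idx)
        out.append((ev["pid"], ev["pidver"], how, ex["args"] if ex else None))
    return out
```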

@mlw mlw added the telemetry Issues / PRs that change the telemetry output label Oct 5, 2024
@mlw mlw added this to the 2024.11 milestone Oct 5, 2024
@mlw mlw force-pushed the add-cs-info-to-processinfolight branch from 08a4315 to 1cd43b7 Compare October 15, 2024 02:23
@CLAassistant

CLAassistant commented Oct 18, 2024

CLA assistant check
All committers have signed the CLA.

@pmarkowsky (Contributor)

@mlw any reason not to put this in 2025.1?

@mlw mlw removed this from the 2024.11 milestone Dec 6, 2024