Skip to content

feat(eventsource): Smart filtering with approvers#676

Merged
rabbitstack merged 15 commits into
masterfrom
rule-approvers
Jun 8, 2026
Merged

feat(eventsource): Smart filtering with approvers#676
rabbitstack merged 15 commits into
masterfrom
rule-approvers

Conversation

@rabbitstack

@rabbitstack rabbitstack commented Jun 7, 2026

Copy link
Copy Markdown
Owner

What is the purpose of this PR / why it is needed?

CreateFile and RegOpenKey are among the most voluminous events in the system. We pay for the allocation cost because the raw event record is transformed into a typed Event structure. Additionally, there is also a processing penalty at the rule evaluation time.
With approvers, we can accept or reject events at the early stage of event processing, reducing both the pressure on the allocator and the rule engine as well.

What type of change does this PR introduce?

Uncomment one or more /kind <> lines:

/kind feature (non-breaking change which adds functionality)

/kind bug-fix (non-breaking change which fixes an issue)

/kind refactor (non-breaking change that restructures the code, while not changing the original functionality)

/kind breaking (fix or feature that would cause existing functionality to not work as expected

/kind cleanup

/kind improvement

/kind design

/kind documentation

/kind other (change that doesn't pertain to any of the above categories)

Any specific area of the project related to this PR?

Uncomment one or more /area <> lines:

/area instrumentation

/area telemetry

/area rule-engine

/area filters

/area yara

/area event

/area captures

/area alertsenders

/area outputs

/area rules

/area filaments

/area config

/area cli

/area tests

/area ci

/area build

/area docs

/area deps

/area evasion

/area other

Special notes for the reviewer

Does this PR introduce a user-facing change?

rabbitstack added 10 commits June 8, 2026 18:29
@rabbitstack
feat(eventsource): Smart event filtering with approvers
08f525c 
CreateFile and RegOpenKey are amongst most voluminous
events in the system. We pay for the allocation cost because the raw event record is transformed into typed Event structure. Additionally, there is also a processing penalty at the rule evaluation time.
With approvers we can accept or reject events at the early
stage of event processing, reducing both the pressure on the allocator and the rule engine as well.
@rabbitstack
refactor(processors): Remove IRP correlation logic from fs processor
e947516 
As the approvers are now responsible for this task, we can offload IRP correlation via FileOpEnd events and get the CreateFile event with the create disposition.
@rabbitstack
refactor(processors): Convert processor chain to structure
7cf8303
@rabbitstack
perf(processors): More efficient registry path concatenation
2c865c9
@rabbitstack
refactor(processors): Use fs dev mapper singleton
35197a7
@rabbitstack
new(eventsource): Dispatch events to approvers for final verdict
98b2410
@rabbitstack
refactor(event): Transform WaitEnqueue flag to padding
f79d5d4
@rabbitstack
refactor(event): Use fs dev mapper singleton in param resolution
9da39ce
@rabbitstack
refactor(event): Read disposition/status params directly from extende…
28611a8 
…d data items
@rabbitstack
refactor(evasion): Stop gating CreateFile with open disposition
086d45f 
With approvers many CreateFile events with OPEN disposition mask are rejected early. This allows us to
dispatch all CreateFile events to the evasion scanners
regardless of the file operation.
@rabbitstack
feat(rules_engine): Populate approver predicates
c9e499f 
At rule compilation time, the compiler traverses the
AST tree and attempts to find event types for which
approver predicates can be derived.
Most notably, file and registry paths, file extensions, file base names and process executable paths are all candidates for approver predicates.
@rabbitstack
refactor(fs): Convert fs dev mapper to singleton
5f35b49
@rabbitstack
refactor(handle): Use fs dev mapper singleton in file path resolution
fcc9952
@rabbitstack
feat(sys): Introduce synthethic extended item types
388a037 
The new fs approver keeps in-flight CreateFile event
records and attributes them to FileOpEnd events via
IRP link.
When the respective FileOpEnd event record arrives,
we extract the create disposition and the system status
attributes and attach them to the CreateFile event record
by pushing synthethic extended items to the event record.
@rabbitstack
perf(key): Use string builder for path concatenation
1a057ad 
By leveraging the string builder and establishing the
capacity of the underlying slice, we can reduce a few
unnecessary allocations per event.
@rabbitstack rabbitstack merged commit 5e83361 into master Jun 8, 2026
11 checks passed
@rabbitstack rabbitstack deleted the rule-approvers branch June 8, 2026 21:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rabbitstack