Speed up unexpected-bpf-users query by basing it on processes

2025-02-09 05:56:54 +00:00 · 2023-01-09 15:18:00 -05:00 · 2023-01-09 15:18:00 -05:00 · 4000bac9f9
commit 4000bac9f9
parent 420d269025
1 changed files with 5 additions and 3 deletions
--- a/detection/discovery/unexpected-bpf-user.sql
+++ b/detection/discovery/unexpected-bpf-user.sql
@ -23,14 +23,16 @@ SELECT
  pp.euid AS parent_euid,
  hash.sha256 AS child_sha256,
  phash.sha256 AS parent_sha256
+  -- Using processes is much faster than process_memory_map
 FROM
-  process_memory_map pmm
-  LEFT JOIN processes p ON pmm.pid = p.pid
+  processes p
+  LEFT JOIN process_memory_map pmm ON p.pid = pmm.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
  LEFT JOIN hash ON p.path = hash.path
  LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
-  (
+  p.euid = 0
+  AND (
    lib_path LIKE '%:bpf%'
    OR lib_path LIKE '%libbpf%'
  )