From 4000bac9f920d16f07ae4abde8009ac09a56a9ce Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 9 Jan 2023 15:18:00 -0500
Subject: [PATCH] Speed up unexpected-bpf-users query by basing it on processes

---
 detection/discovery/unexpected-bpf-user.sql | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/detection/discovery/unexpected-bpf-user.sql b/detection/discovery/unexpected-bpf-user.sql
index 33a2c87..927e1c7 100644
--- a/detection/discovery/unexpected-bpf-user.sql
+++ b/detection/discovery/unexpected-bpf-user.sql
@@ -23,14 +23,16 @@ SELECT
 pp.euid AS parent_euid,
 hash.sha256 AS child_sha256,
 phash.sha256 AS parent_sha256
+ -- Using processes is much faster than process_memory_map
 FROM
- process_memory_map pmm
- LEFT JOIN processes p ON pmm.pid = p.pid
+ processes p
+ LEFT JOIN process_memory_map pmm ON p.pid = pmm.pid
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash ON p.path = hash.path
 LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
- (
+ p.euid = 0
+ AND (
 lib_path LIKE '%:bpf%'
 OR lib_path LIKE '%libbpf%'
 )
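Review bot: The added `p.euid = 0` predicate in the WHERE clause narrows what this rule detects, not only how fast it runs: a process that maps a BPF library but runs with a non-root effective uid (for example one granted CAP_BPF, or on a kernel where unprivileged BPF is permitted) is no longer reported, and neither the subject line nor the query text records that scope change. If the narrowing is intended, state it beside the predicate, e.g. `-- Only root processes are in scope; non-root BPF users (CAP_BPF, unprivileged BPF) are not reported by this rule`; if it is not, drop that line and keep the processes-first join, which is where the speedup the subject describes comes from. The enclosing SELECT statement begins above the hunk, so the origin of `lib_path` cannot be checked here.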