github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/model/category.go

github.com/DataDog/datadog-agent/pkg/security/secl@v0.55.0-devel.0.20240517055856-10c4965fea94/model/category.go (about)

     1  // Unless explicitly stated otherwise all files in this repository are licensed
     2  // under the Apache License Version 2.0.
     3  // This product includes software developed at Datadog (https://www.datadoghq.com/).
     4  // Copyright 2016-present Datadog, Inc.
     5  
     6  // Package model holds model related files
     7  package model
     8  
     9  import (
    10  	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
    11  )
    12  
    13  // EventCategory category type
    14  type EventCategory = string
    15  
    16  // Event categories
    17  const (
    18  	// FIMCategory FIM events
    19  	FIMCategory EventCategory = "File Activity"
    20  	// ProcessCategory process events
    21  	ProcessCategory EventCategory = "Process Activity"
    22  	// KernelCategory Kernel events
    23  	KernelCategory EventCategory = "Kernel Activity"
    24  	// NetworkCategory network events
    25  	NetworkCategory EventCategory = "Network Activity"
    26  )
    27  
    28  // GetAllCategories returns all categories
    29  func GetAllCategories() []EventCategory {
    30  	return []EventCategory{
    31  		FIMCategory,
    32  		ProcessCategory,
    33  		KernelCategory,
    34  		NetworkCategory,
    35  	}
    36  }
    37  
    38  // GetEventTypeCategory returns the category for the given event type
    39  func GetEventTypeCategory(eventType eval.EventType) EventCategory {
    40  	switch eventType {
    41  	case "exec", "signal", "exit", "fork", "anomaly_detection_syscall":
    42  		return ProcessCategory
    43  	case "bpf", "selinux", "mmap", "mprotect", "ptrace", "load_module", "unload_module", "bind":
    44  		// TODO(will): "bind" is in this category because answering "NetworkCategory" would insert a network section in the serializer.
    45  		return KernelCategory
    46  	case "dns":
    47  		return NetworkCategory
    48  	}
    49  
    50  	return FIMCategory
    51  }
    52  
    53  // GetEventTypePerCategory returns the event types per category
    54  func GetEventTypePerCategory() map[EventCategory][]eval.EventType {
    55  	categories := make(map[EventCategory][]eval.EventType)
    56  
    57  	var eventTypes []eval.EventType
    58  	var exists bool
    59  
    60  	m := &Model{}
    61  	for _, eventType := range m.GetEventTypes() {
    62  		category := GetEventTypeCategory(eventType)
    63  
    64  		if eventTypes, exists = categories[category]; exists {
    65  			eventTypes = append(eventTypes, eventType)
    66  		} else {
    67  			eventTypes = []eval.EventType{eventType}
    68  		}
    69  		categories[category] = eventTypes
    70  	}
    71  
    72  	return categories
    73  }