Skip to content

refactor(filter)!: Decommission ps.child.* filter fields #551

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rabbitstack wants to merge 3 commits into
base: master
Choose a base branch
from
Open

refactor(filter)!: Decommission ps.child.* filter fields #551

rabbitstack wants to merge 3 commits into from
+412 −608

Conversation

@rabbitstack
Copy link
Owner

@rabbitstack rabbitstack commented Dec 31, 2025

What is the purpose of this PR / why it is needed?

ps.child.* fields have been a constant source of pain and confusion for both detection engineers and Fibratus maintainers. The whole point of having these fields was to designate the child process that was spawned as part of the CreateProcess event. So, the process state of the CreateProcess event would always reflect the parent, instead of the child being created.

This PR transitions from parent to child process state attribution in the CreateProcess event. The equivalent of ps.child.name is now the ps.name field, and the actual parent is yielded by respective ps.parent. fields. The consequence of this change is a small breaking change in detection rules, which are addressed as part of this same PR.

In general, not only do rules become more readable and intuitive, but also the code base is considerably reduced as it is no longer necessary to introduce the ps.child.* field for any new parameter or attribute that we expose through the rule language.

What type of change does this PR introduce?

Uncomment one or more /kind <> lines:

/kind feature (non-breaking change which adds functionality)

/kind bug-fix (non-breaking change which fixes an issue)

/kind refactor (non-breaking change that restructures the code, while not changing the original functionality)

/kind breaking (fix or feature that would cause existing functionality to not work as expected

/kind cleanup

/kind improvement

/kind design

/kind documentation

/kind other (change that doesn't pertain to any of the above categories)

Any specific area of the project related to this PR?

Uncomment one or more /area <> lines:

/area instrumentation

/area telemetry

/area rule-engine

/area filters

/area yara

/area event

/area captures

/area alertsenders

/area outputs

/area rules

/area filaments

/area config

/area cli

/area tests

/area ci

/area build

/area docs

/area deps

/area evasion

/area other

Special notes for the reviewer

Does this PR introduce a user-facing change?

@rabbitstack rabbitstack force-pushed the decommission-ps-child-filter-fields branch from 18a3bce to 2a35165 Compare January 1, 2026 17:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rabbitstack