[CSM] Fix syscall based drift events #25704
Merged
What does this PR do?
This PR improves how we generate drift events for syscalls past the initial activity dump learning period. Leveraging the same aggregation / conditional send logic, we're now using the same event type for both the syscall collection events during the activity dump learning period and the syscall-based drift events.
Motivation
This change is necessary to make syscall drift events work while ensuring we won't spam events because of poorly profiled workloads.
Additional Notes
Although the list of syscalls is collected and recorded in dumps per process, their evaluation is based on a flattened list that contains all the syscalls made across all processes.
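An added illustration of the behaviour described above, not code from this PR or the agent: syscalls are collected per process during the learning period, drift is then evaluated against the flattened union across all processes, and a drift event is sent only once per new syscall so a poorly profiled workload does not spam. The `Profile`, `Observe` and `Flattened` names are assumptions.

```go
package main

import "fmt"

// Profile holds the syscalls learned per process during the activity dump
// learning period (constructed illustration, not the agent's own types).
type Profile struct {
	Learning bool
	PerProc  map[string]map[string]bool // process name -> syscall set
	reported map[string]bool           // drift events already sent
}

func NewProfile() *Profile {
	return &Profile{Learning: true, PerProc: map[string]map[string]bool{}, reported: map[string]bool{}}
}

// Flattened is the union of syscalls across all processes; drift is
// evaluated against this set, not against each process's own set.
func (p *Profile) Flattened() map[string]bool {
	out := map[string]bool{}
	for _, set := range p.PerProc {
		for s := range set {
			out[s] = true
		}
	}
	return out
}
// Observe records one syscall: learned into the dump during the learning
// period, otherwise reported as drift once if absent from the flattened set.
func (p *Profile) Observe(proc, syscall string) bool {
	if p.Learning {
		if p.PerProc[proc] == nil {
			p.PerProc[proc] = map[string]bool{}
		}
		p.PerProc[proc][syscall] = true
		return false
	}
	if p.Flattened()[syscall] || p.reported[syscall] {
		return false // known to some process, or already sent (no spam)
	}
	p.reported[syscall] = true
	return true
}
func main() {
	p := NewProfile()
	p.Observe("nginx", "read")
	p.Observe("worker", "write")
	p.Learning = false
	fmt.Println(p.Observe("nginx", "write"), p.Observe("nginx", "ptrace"), p.Observe("worker", "ptrace")) // false true false
}
```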
Describe how to test/QA your changes
syscalls
and make sure a syscall anomaly detection event is sent: