//! # rsigma-eval
//!
//! Evaluator for Sigma detection and correlation rules.
//!
//! This crate consumes the AST produced by [`rsigma_parser`] and evaluates it
//! against events in real time using a compile-then-evaluate model.
//!
//! ## Architecture
//!
//! - **Detection rules** (stateless): compiled once into optimized matchers;
//!   each event is then matched with zero allocation on the hot path.
//! - **Correlation rules** (stateful): time-windowed aggregation over detection
//!   matches, supporting `event_count`, `value_count`, `temporal`,
//!   `temporal_ordered`, `value_sum`, `value_avg`, `value_percentile`,
//!   and `value_median`.
//!
//! ## Quick Start — Detection Only
//!
//! ```rust
//! use rsigma_parser::parse_sigma_yaml;
//! use rsigma_eval::Engine;
//! use rsigma_eval::event::JsonEvent;
//! use serde_json::json;
//!
//! let yaml = r#"
//! title: Detect Whoami
//! logsource:
//!     product: windows
//!     category: process_creation
//! detection:
//!     selection:
//!         CommandLine|contains: 'whoami'
//!     condition: selection
//! level: medium
//! "#;
//!
//! let collection = parse_sigma_yaml(yaml).unwrap();
//! let mut engine = Engine::new();
//! engine.add_collection(&collection).unwrap();
//!
//! let event_val = json!({"CommandLine": "cmd /c whoami"});
//! let event = JsonEvent::borrow(&event_val);
//! let matches = engine.evaluate(&event);
//! assert_eq!(matches.len(), 1);
//! ```
//!
//! ## Quick Start — With Correlations
//!
//! ```rust
//! use rsigma_parser::parse_sigma_yaml;
//! use rsigma_eval::{CorrelationEngine, CorrelationConfig};
//! use rsigma_eval::event::JsonEvent;
//! use serde_json::json;
//!
//! let yaml = r#"
//! title: Login
//! id: login-rule
//! logsource:
//!     category: auth
//! detection:
//!     selection:
//!         EventType: login
//!     condition: selection
//! ---
//! title: Many Logins
//! correlation:
//!     type: event_count
//!     rules:
//!         - login-rule
//!     group-by:
//!         - User
//!     timespan: 60s
//!     condition:
//!         gte: 3
//! level: high
//! "#;
//!
//! let collection = parse_sigma_yaml(yaml).unwrap();
//! let mut engine = CorrelationEngine::new(CorrelationConfig::default());
//! engine.add_collection(&collection).unwrap();
//!
//! for i in 0..3 {
//!     let v = json!({"EventType": "login", "User": "admin"});
//!     let event = JsonEvent::borrow(&v);
//!     let result = engine.process_event_at(&event, 1000 + i);
//!     if i == 2 {
//!         let correlations = result.iter().filter(|r| r.is_correlation()).count();
//!         assert_eq!(correlations, 1);
//!     }
//! }
//! ```
// Re-export the most commonly used types and functions at crate root
pub use ;
pub use ;
pub use ;
pub use Engine;
pub use ;
pub use ;
pub use ;
pub use ;
pub use ;
pub use ;
pub use ;