rsigma-eval 0.7.0

Evaluator for Sigma detection and correlation rules — match rules against events
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

//! Match result types for rule evaluation.

use std::collections::HashMap;
use std::sync::Arc;

use rsigma_parser::Level;
use serde::Serialize;

/// The result of a rule matching an event.
///
/// Contains the matched rule metadata plus details about which
/// selections and fields triggered the match.
#[derive(Debug, Clone, Serialize)]
pub struct MatchResult {
    /// Title of the matched rule.
    pub rule_title: String,
    /// ID of the matched rule (if present).
    pub rule_id: Option<String>,
    /// Severity level.
    pub level: Option<Level>,
    /// Tags from the matched rule.
    pub tags: Vec<String>,
    /// Which named detections (selections) matched.
    pub matched_selections: Vec<String>,
    /// Specific field matches that triggered the detection.
    pub matched_fields: Vec<FieldMatch>,
    /// The full event that triggered the match, included when the
    /// `rsigma.include_event` custom attribute is set to `"true"`.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub event: Option<serde_json::Value>,
    /// Custom attributes carried from the original Sigma rule.
    ///
    /// Contains the merged view of (a) arbitrary non-standard top-level keys,
    /// (b) the explicit `custom_attributes:` block, and (c) anything added by
    /// pipeline `SetCustomAttribute` transformations.
    /// Wrapped in `Arc` so that per-match cloning is a pointer bump.
    #[serde(skip_serializing_if = "HashMap::is_empty")]
    pub custom_attributes: Arc<HashMap<String, serde_json::Value>>,
}

/// A specific field match within a detection.
#[derive(Debug, Clone, Serialize)]
pub struct FieldMatch {
    /// The field name that matched.
    pub field: String,
    /// The event value that triggered the match.
    pub value: serde_json::Value,
}