Struct Engine 

pub struct Engine { /* private fields */ }

The main rule evaluation engine.

Holds a set of compiled rules and provides methods to evaluate events against them. Supports optional logsource routing for performance.

Example

use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::{Engine, Event};
use rsigma_eval::event::JsonEvent;
use serde_json::json;

let yaml = r#"
title: Detect Whoami
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'whoami'
    condition: selection
level: medium
"#;

let collection = parse_sigma_yaml(yaml).unwrap();
let mut engine = Engine::new();
engine.add_collection(&collection).unwrap();

let event_val = json!({"CommandLine": "cmd /c whoami"});
let event = JsonEvent::borrow(&event_val);
let matches = engine.evaluate(&event);
assert_eq!(matches.len(), 1);
assert_eq!(matches[0].rule_title, "Detect Whoami");

Implementations

impl Engine

pub fn new() -> Self

Create a new empty engine.

pub fn new_with_pipeline(pipeline: Pipeline) -> Self

Create a new engine with a pipeline.

pub fn set_include_event(&mut self, include: bool)

Set global include_event — when true, all match results include the full event JSON regardless of per-rule custom attributes.

pub fn add_pipeline(&mut self, pipeline: Pipeline)

Add a pipeline to the engine.

Pipelines are applied to rules during add_rule / add_collection. Only affects rules added after this call.

pub fn add_rule(&mut self, rule: &SigmaRule) -> Result<()>

Add a single parsed Sigma rule.

If pipelines are set, the rule is cloned and transformed before compilation. The inverted index is rebuilt after adding the rule.

pub fn add_collection(&mut self, collection: &SigmaCollection) -> Result<()>

Add all detection rules from a parsed collection, then apply filters.

Filter rules modify referenced detection rules by appending exclusion conditions. Correlation rules are handled by CorrelationEngine. The inverted index is rebuilt once after all rules and filters are loaded.

pub fn add_collection_with_pipelines( &mut self, collection: &SigmaCollection, pipelines: &[Pipeline], ) -> Result<()>

Add all detection rules from a collection, applying the given pipelines.

This is a convenience method that temporarily sets pipelines, adds the collection, then clears them. The inverted index is rebuilt once after all rules and filters are loaded.

pub fn apply_filter(&mut self, filter: &FilterRule) -> Result<()>

Apply a filter rule to all referenced detection rules and rebuild the index.

pub fn add_compiled_rule(&mut self, rule: CompiledRule)

Add a pre-compiled rule directly and rebuild the index.

pub fn evaluate<E: Event>(&self, event: &E) -> Vec<MatchResult>

Evaluate an event against candidate rules using the inverted index.

pub fn evaluate_with_logsource<E: Event>( &self, event: &E, event_logsource: &LogSource, ) -> Vec<MatchResult>

Evaluate an event against candidate rules matching the given logsource.

Uses the inverted index for candidate pre-filtering, then applies the logsource constraint. Only rules whose logsource is compatible with event_logsource are evaluated.

pub fn evaluate_batch<E: Event + Sync>( &self, events: &[&E], ) -> Vec<Vec<MatchResult>>

Evaluate a batch of events, returning per-event match results.

When the parallel feature is enabled, events are evaluated concurrently using rayon’s work-stealing thread pool. Otherwise, falls back to sequential evaluation.

pub fn rule_count(&self) -> usize

Number of rules loaded in the engine.

pub fn rules(&self) -> &[CompiledRule]

Access the compiled rules.

Trait Implementations

impl Default for Engine

fn default() -> Self

Returns the “default value” for a type.