rsigma-eval 0.12.0

Evaluator for Sigma detection and correlation rules — match rules against events
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

#![allow(dead_code)]

use rsigma_eval::{
    CorrelationConfig, CorrelationEngine, Engine, JsonEvent, MatchResult, ProcessResult,
};
use rsigma_parser::parse_sigma_yaml;
use serde_json::Value;

pub fn eval(yaml: &str, event_json: Value) -> Vec<MatchResult> {
    let collection = parse_sigma_yaml(yaml).unwrap();
    let mut engine = Engine::new();
    engine.add_collection(&collection).unwrap();
    let event = JsonEvent::borrow(&event_json);
    engine.evaluate(&event)
}

pub fn corr_engine(yaml: &str) -> CorrelationEngine {
    corr_engine_with_config(yaml, CorrelationConfig::default())
}

pub fn corr_engine_with_config(yaml: &str, config: CorrelationConfig) -> CorrelationEngine {
    let collection = parse_sigma_yaml(yaml).unwrap();
    let mut engine = CorrelationEngine::new(config);
    engine.add_collection(&collection).unwrap();
    engine
}

pub fn process(engine: &mut CorrelationEngine, event_json: Value, ts: i64) -> ProcessResult {
    let event = JsonEvent::borrow(&event_json);
    engine.process_event_at(&event, ts)
}