
1//! Match result types for rule evaluation.
2
3use rsigma_parser::Level;
4use serde::Serialize;
5
/// The result of a rule matching an event.
///
/// Contains the matched rule metadata plus details about which
/// selections and fields triggered the match. The struct is
/// [`Serialize`] so results can be emitted directly; the `event`
/// field is omitted from the serialized form when it is `None`.
#[derive(Debug, Clone, Serialize)]
pub struct MatchResult {
    /// Title of the matched rule.
    pub rule_title: String,
    /// ID of the matched rule, if the rule declares one.
    pub rule_id: Option<String>,
    /// Severity level of the matched rule, if the rule declares one.
    pub level: Option<Level>,
    /// Tags from the matched rule.
    pub tags: Vec<String>,
    /// Names of the detection selections that matched.
    pub matched_selections: Vec<String>,
    /// Specific field matches that triggered the detection.
    pub matched_fields: Vec<FieldMatch>,
    /// The full event that triggered the match, included when the
    /// `rsigma.include_event` custom attribute is set to `"true"`.
    ///
    /// NOTE(review): this is the evaluated event itself, so it carries
    /// whatever sensitive values the source log contained; consumers
    /// that store or forward match results should handle it with the
    /// same care as the raw event stream. Skipped during serialization
    /// when `None`.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub event: Option<serde_json::Value>,
}
29
/// A specific field match within a detection.
///
/// Pairs the name of the event field that satisfied a selection with
/// the value observed for it. Since `value` is taken from the event,
/// it is subject to the same sensitivity considerations as
/// `MatchResult::event`.
#[derive(Debug, Clone, Serialize)]
pub struct FieldMatch {
    /// The field name that matched.
    pub field: String,
    /// The event value that triggered the match, as a JSON value.
    pub value: serde_json::Value,
}