
1//! Versioned persistence snapshot for the per-entity risk accumulator.
2//!
//! Saved to the daemon's SQLite store on the periodic and shutdown hooks, beside
//! the correlation and alert-pipeline snapshots, and restored on boot with
//! window-aware pruning. A stored snapshot whose version differs from the
//! current [`SNAPSHOT_VERSION`] is discarded and the accumulator starts empty,
//! rather than the load erroring.
6
7use serde::{Deserialize, Serialize};
8
9use super::accumulator::Contribution;
10
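/// Snapshot format version. Bump on any breaking change to the layout below; a
/// loaded snapshot whose version differs is discarded and the accumulator
/// starts empty (see [`RiskStateSnapshot::is_current`]).
pub const SNAPSHOT_VERSION: u32 = 1;

/// A point-in-time capture of the whole accumulator.
///
/// This is the on-disk form read back from the daemon's SQLite store on boot.
/// Anything that can write that store can shape the restored state, so the
/// loader should treat a decoded snapshot as data to be validated — version
/// check via [`is_current`](Self::is_current), then window-aware pruning of
/// each entity — rather than as trusted accumulator state.
///
/// NOTE(review): serde's default ignores unknown fields on deserialization.
/// `#[serde(deny_unknown_fields)]` would be stricter, but would presumably also
/// reject a snapshot written by a newer build that added an optional field
/// without bumping the version; left as is.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RiskStateSnapshot {
    /// Snapshot layout version; compared against [`SNAPSHOT_VERSION`] on load.
    pub version: u32,
    /// One entry per tracked entity.
    pub entities: Vec<EntitySnapshot>,
}

impl RiskStateSnapshot {
    /// Builds a snapshot stamped with the current [`SNAPSHOT_VERSION`], so a
    /// save path cannot forget to set the version tag.
    pub fn new(entities: Vec<EntitySnapshot>) -> Self {
        Self {
            version: SNAPSHOT_VERSION,
            entities,
        }
    }

    /// True when this snapshot was written with the current layout version.
    ///
    /// A loader should discard (not error on) a snapshot for which this is
    /// false, per the module contract.
    #[must_use]
    pub fn is_current(&self) -> bool {
        self.version == SNAPSHOT_VERSION
    }
}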
24
/// The retained risk window of a single tracked entity, as persisted.
///
/// `entity_type` and `entity_value` together identify the entity; the
/// remaining fields are what the accumulator needs to resume its window.
/// Timestamps are unix seconds. On restore the loader applies window-aware
/// pruning to the contributions rather than accepting them as-is.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct EntitySnapshot {
    /// Risk-object type the entity belongs to.
    pub entity_type: String,
    /// Identifying value of the entity.
    pub entity_value: String,
    /// Unix-seconds time of the last incident fired for this entity, if any.
    /// Omitted from the serialized form when `None`, and defaults to `None`
    /// when the field is absent, so a snapshot lacking it still loads.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub last_fired: Option<i64>,
    /// Unix-seconds time this entity was last seen.
    pub last_seen: i64,
    /// Contributions retained within the window.
    pub contributions: Vec<Contribution>,
}
35    /// When this entity was last seen (unix seconds).
36    pub last_seen: i64,
37    /// The retained window of contributions.
38    pub contributions: Vec<Contribution>,
39}