Struct tau_engine::Rule[][src]

pub struct Rule {
    pub detection: Detection,
    pub true_positives: Vec<Yaml>,
    pub true_negatives: Vec<Yaml>,
}
Expand description

A rule used by the solver to evaluate a Document.

A rule contains the detection logic, along with the true positive and negative tests. The inclusion of these basic test allows for a basic level of verification to be ensured.

Rules are written in YAML and have a simple but powerful syntax.

Syntax

There are two parts to a rule’s logic: the condition & the identifiers.

Condition

The condition is the main expression and describes the top level logic for the rule. It can be comprised of the following:

Expression Description
_ and _ The logical conjunction of two operands, where the operands are any of the following:
  • expression: a nested expression.
  • identifier: a key that matches an identifier in the detection block.
_ or _ The logical disjunction of two operands, where the operands are any of the following:
  • expression: a nested expression.
  • identifier: a key that matches an identifier in the detection block.
_ == _ The equality comparison of two operands, where the operands are any of the following:
  • integer: an integer.
  • string: a string.
  • int(field): a field that should be cast as an integer.
  • str(field): a field that should be cast as a string.
_ > _ The greater than comparison of two operands, where the operands are any of the following:
  • integer: an integer.
  • int(field): a field that should be cast as an integer.
_ >= _ The greater than or equal comparison of two operands, where the operands are any of the following:
  • integer: an integer.
  • int(field): a field that should be cast as an integer.
_ < _ The less than comparison of two operands, where the operands are any of the following:
  • integer: an integer.
  • int(field): a field that should be cast as an integer.
_ <= _ The less than or equal comparison of two operands, where the operands are any of the following:
  • integer: an integer.
  • int(field): a field that should be cast as an integer.
all(i) An identifier mutator that evaluates to true only if all conditions for identifier i match.
not _ Negate the result of an expression. NOTE: This will only negate a result that is true or false, it will noop if the result is missing.
of(i, x) An identifier mutator that evaluates to true only if a minimum of x conditions for identifier i match.

Identifiers

Identifiers are used to describe the matching logic for the values contained within documents. These are then collected by the condition in order to create a rule that can be used to tag a document.

Due to the nature of an identifier, they are essentially just variations on key/value pairs. The following variations are supported, where mappings are treated as conjunctions and sequences are treated as disjunctions:

IDENTIFIER:
    KEY: MATCH

IDENTIFIER:
    KEY:
    - MATCH_0
    - MATCH_1

IDENTIFIER:
    - KEY: MATCH

IDENTIFIER:
    KEY:
        KEY: MATCH

Identifiers are unique keys that can be referenced in the condition.

Keys are used to get the values from documents. Keys can be wrapped in the following modifiers:

Expression Description
all(k) A key mutator that evaluates to true only if all matches for keys k match.
of(k, x) A key mutator that evaluates to true only if a minimum of x matches for key k match.

Matches are the expressions which are evaluated against values returned by keys. They support the following syntax:

Expression Description
foo An exact match
foo* Starts with
*foo Ends with
*foo* Contains
?foo Regex
i_ A prefix to convert the match into a case insensitive match.

To escape any of the above in order to achieve literal string matching, combinations of ' and " can be used.

Examples

Here is a very simple rule example:

detection:
  A:
    foo: "foo*"
    bar: "*bar"
  B:
    foobar:
    - foobar
    - foobaz

  condition: A and B

true_positives:
- foo: foobar
  bar: foobar
  foobar: foobar

true_negatives:
- foo: bar
  bar: foo
  foobar: barfoo

Here is a slightly more complex rule example:

detection:
  A:
    all(phrase):
    - "*quick*"
    - "*brown*"
  B:
    phrase: ibear

  condition: A and not B

true_positives:
- phrase: the quick brown fox

true_negatives:
- foo: the quick brown BEAR

Fields

detection: Detectiontrue_positives: Vec<Yaml>true_negatives: Vec<Yaml>

Implementations

Load a rule from a YAML string.

Evaluates the rule against the provided Document, returning true if it has matched.

Validates the rule’s detection logic against the provided true positives and negatives.

Trait Implementations

Returns a copy of the value. Read more

Performs copy-assignment from source. Read more

Formats the value using the given formatter. Read more

Deserialize this value from the given Serde deserializer. Read more

Serialize this value into the given Serde serializer. Read more

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more

Immutably borrows from an owned value. Read more

Mutably borrows from an owned value. Read more

Performs the conversion.

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

Performs the conversion.

The resulting type after obtaining ownership.

Creates owned data from borrowed data, usually by cloning. Read more

🔬 This is a nightly-only experimental API. (toowned_clone_into)

recently added

Uses borrowed data to replace owned data, usually by cloning. Read more

The type returned in the event of a conversion error.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.