u-siem 0.7.0

A framework for building custom SIEMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

use serde::{Deserialize, Serialize};

use crate::events::ip::SiemIp;

use super::{
    common::UserRole,
    mitre::{MitreTactics, MitreTechniques},
};

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct ParserDefinition {
    pub name: String,
    pub description: String,
}
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct TaskDefinition {
    pub name: String,
    pub description: String,
}
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct RuleDefinition {
    pub name: String,
    pub description: String,
    pub mitre: (Vec<MitreTactics>, Vec<MitreTechniques>),
    pub service: String,
}
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct FilterEmail {
    pub email: String,
    pub comment: String,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct FilterDomain {
    pub domain: String,
    pub comment: String,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct FilterIp {
    pub ip: SiemIp,
    pub comment: String,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct IsolateEndpoint {
    pub hostname: String,
    pub comment: String,
}
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct IsolateIp {
    pub ip: SiemIp,
    pub comment: String,
}
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct UseCaseDefinition {
    /// Name of the Use Case
    pub name: String,
    /// Description of the Use Case and what is intended
    pub description: String,
    /// Abstraction of the logic involved
    pub case_logic: String,
    /// What cannot detect this use case
    pub limitations: String,
    /// Device requirements: Product, Service, Category => AND conditioned
    pub requirements: (Option<String>, Option<String>, Option<String>),
    /// Rule for detecting this Use Case. Only the name
    pub rule: String,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
#[non_exhaustive]
pub enum LoginUser {
    Password(LoginUserPass),
    ApiKey(String),
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct LoginUserPass {
    pub username: String,
    pub password: String,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct LoggedOnUser {
    pub username: String,
    pub role: UserRole,
}