Struct Rule

pub struct Rule { /* private fields */ }

Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.

Examples of data sources that would populate the rule fields include network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, URL filters, endpoint detection and response (EDR) systems, and similar detection systems.

Implementations

impl Rule

pub fn get_id(&self) -> Option<&String>

A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.

pub fn set_id(&mut self, id_arg: String)

A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.

Example: 101

pub fn get_uuid(&self) -> Option<&String>

A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.

pub fn set_uuid(&mut self, uuid_arg: String)

A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.

Example: 1100110011

pub fn get_version(&self) -> Option<&String>

The version / revision of the rule being used for analysis.

pub fn set_version(&mut self, version_arg: String)

The version / revision of the rule being used for analysis.

Example: 1.1

pub fn get_name(&self) -> Option<&String>

The name of the rule or signature generating the event.

pub fn set_name(&mut self, name_arg: String)

The name of the rule or signature generating the event.

Example: BLOCK_DNS_over_TLS

pub fn get_description(&self) -> Option<&String>

The description of the rule generating the event.

pub fn set_description(&mut self, description_arg: String)

The description of the rule generating the event.

Example: Block requests to public DNS over HTTPS / TLS protocols

pub fn get_category(&self) -> Option<&String>

A categorization value keyword used by the entity using the rule for detection of this event.

pub fn set_category(&mut self, category_arg: String)

A categorization value keyword used by the entity using the rule for detection of this event.

Example: Attempted Information Leak

pub fn get_ruleset(&self) -> Option<&String>

Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.

pub fn set_ruleset(&mut self, ruleset_arg: String)

Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.

Example: Standard_Protocol_Filters

pub fn get_reference(&self) -> Option<&String>

Reference URL to additional information about the rule used to generate this event.

The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.

pub fn set_reference(&mut self, reference_arg: String)

Reference URL to additional information about the rule used to generate this event.

The URL can point to the vendor’s documentation about the rule. If that’s not available, it can also be a link to a more general page describing this type of alert.

Example: https://en.wikipedia.org/wiki/DNS_over_TLS

pub fn get_author(&self) -> &Vec<String>

Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.

pub fn add_author(&mut self, author_arg: String)

Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.

Example: ["Star-Lord"]

pub fn get_license(&self) -> Option<&String>

Name of the license under which the rule used to generate this event is made available.

pub fn set_license(&mut self, license_arg: String)

Name of the license under which the rule used to generate this event is made available.

Example: Apache 2.0
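To show how the documented getters and setters fit together, here is an added example that is not the crate's own code: a stand-in `Rule` whose `get_*`/`set_*`/`add_author` signatures mirror the ones listed above, populated with the ECS example values from this page. The `to_json` writer (so the block runs without serde), the `correlation_key` helper and the `example_rule` builder are assumptions made for this example; `correlation_key` encodes the scope difference the docs draw between `id` (unique within one agent or observer) and `uuid` (unique across a group of them).

```rust
// Added example, not the crate's own code: a stand-in `Rule` mirroring the get_*/set_*/
// add_author signatures on this page; `to_json`, `correlation_key`, `example_rule` are assumed.

/// One `Option<String>` per scalar ECS `rule.*` field; `author` is multi-valued.
#[derive(Clone, Default)]
pub struct Rule {
    id: Option<String>,
    uuid: Option<String>,
    version: Option<String>,
    name: Option<String>,
    description: Option<String>,
    category: Option<String>,
    ruleset: Option<String>,
    reference: Option<String>,
    author: Vec<String>,
    license: Option<String>,
}

/// Generates the `get_x`/`set_x` pair documented for one scalar field.
macro_rules! scalar_field {
    ($get:ident, $set:ident, $field:ident) => {
        pub fn $get(&self) -> Option<&String> { self.$field.as_ref() }
        pub fn $set(&mut self, value: String) { self.$field = Some(value); }
    };
}

impl Rule {
    scalar_field!(get_id, set_id, id);
    scalar_field!(get_uuid, set_uuid, uuid);
    scalar_field!(get_version, set_version, version);
    scalar_field!(get_name, set_name, name);
    scalar_field!(get_description, set_description, description);
    scalar_field!(get_category, set_category, category);
    scalar_field!(get_ruleset, set_ruleset, ruleset);
    scalar_field!(get_reference, set_reference, reference);
    scalar_field!(get_license, set_license, license);
    pub fn get_author(&self) -> &Vec<String> { &self.author }
    pub fn add_author(&mut self, author_arg: String) { self.author.push(author_arg); }

    /// Fleet-wide grouping key (assumed helper): `rule.uuid` is unique across agents,
    /// `rule.id` only within one, so prefer `uuid`; the revision is appended.
    pub fn correlation_key(&self) -> Option<String> {
        let base = self.uuid.as_ref().or(self.id.as_ref())?;
        Some(self.version.as_ref().map_or_else(|| base.clone(), |v| format!("{base}@{v}")))
    }

    /// Renders populated fields as `{"rule":{...}}` in the page's field order, omitting
    /// unset ones; values are escaped because name/description/reference are vendor-supplied.
    pub fn to_json(&self) -> String {
        let scalars = [
            ("id", &self.id), ("uuid", &self.uuid), ("version", &self.version),
            ("name", &self.name), ("description", &self.description), ("category", &self.category),
            ("ruleset", &self.ruleset), ("reference", &self.reference),
        ];
        let mut parts = Vec::new();
        for (key, value) in scalars {
            if let Some(s) = value {
                parts.push(format!("\"{key}\":\"{}\"", json_escape(s)));
            }
        }
        if !self.author.is_empty() {
            let authors: Vec<String> = self.author.iter().map(|a| format!("\"{}\"", json_escape(a))).collect();
            parts.push(format!("\"author\":[{}]", authors.join(",")));
        }
        if let Some(l) = &self.license {
            parts.push(format!("\"license\":\"{}\"", json_escape(l)));
        }
        format!("{{\"rule\":{{{}}}}}", parts.join(","))
    }
}

/// Minimal JSON string escaping: quotes, backslashes and control characters.
pub fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Builds a rule from the example values listed on this page.
pub fn example_rule() -> Rule {
    let mut rule = Rule::default();
    rule.set_id("101".to_string());
    rule.set_uuid("1100110011".to_string());
    rule.set_version("1.1".to_string());
    rule.set_name("BLOCK_DNS_over_TLS".to_string());
    rule.set_description("Block requests to public DNS over HTTPS / TLS protocols".to_string());
    rule.set_category("Attempted Information Leak".to_string());
    rule.set_ruleset("Standard_Protocol_Filters".to_string());
    rule.set_reference("https://en.wikipedia.org/wiki/DNS_over_TLS".to_string());
    rule.add_author("Star-Lord".to_string());
    rule.set_license("Apache 2.0".to_string());
    rule
}
```

Calling `example_rule().to_json()` yields the single-line `{"rule":{...}}` document with `author` as an array and every unset field omitted, which is the shape a downstream pipeline expects for ECS `rule.*`; `correlation_key()` returns `1100110011@1.1` for that rule, and falls back to the agent-local `id` only when no `uuid` was set.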

Trait Implementations

impl Clone for Rule

fn clone(&self) -> Rule

Returns a duplicate of the value.

const fn clone_from(&mut self, source: &Self) (since 1.0.0)

Performs copy-assignment from source.

impl Default for Rule

fn default() -> Rule

Returns the “default value” for a type.

impl Serialize for Rule

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

Auto Trait Implementations

impl Freeze for Rule

impl RefUnwindSafe for Rule

impl Send for Rule

impl Sync for Rule

impl Unpin for Rule

impl UnwindSafe for Rule

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API (clone_to_uninit).
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.