Rule-field extraction shared between the rsigma rule fields command and the daemon's
field-observability endpoints.
RuleFieldSet::collect walks a SigmaCollection (after any optional
pipeline transformations have been applied) and records every field name
referenced by detection items, correlation group-by / threshold / alias
fields, filter detections, and the rule-level fields: metadata key. The result
tracks per-field provenance (rule titles and source kinds) so callers can
decide whether to surface a finding as a gap signal, a broken-coverage
signal, or a coverage summary.
The CLI command rsigma rule fields and the daemon's
GET /api/v1/fields/* endpoints share this implementation, so the
field set the operator inspects offline matches exactly what the engine
references at runtime.
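As an added illustration of the provenance model described above (not rsigma's own code; the FieldSource variants, the Rule shape and the sample rules are constructed stand-ins), the sketch below collects field names with per-rule, per-source provenance and derives a gap signal by comparing them against the fields a telemetry source is observed to emit:

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Where a field reference came from (stand-in for rsigma's FieldSource).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum FieldSource { Detection, CorrelationGroupBy, Filter, RuleFields }

/// Provenance for one field name: the rules that mention it and from where.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct FieldOrigin {
    pub rule_titles: BTreeSet<String>,
    pub sources: BTreeSet<FieldSource>,
}

/// Constructed, minimal stand-in for a loaded Sigma rule; the real
/// SigmaCollection carries far more structure than this.
pub struct Rule {
    pub title: &'static str,
    pub detection: Vec<&'static str>,   // fields used by detection items
    pub group_by: Vec<&'static str>,    // correlation group-by fields
    pub filter: Vec<&'static str>,      // fields used by filter detections
    pub fields_meta: Vec<&'static str>, // rule-level `fields:` key
}

#[derive(Debug, Default)]
pub struct RuleFieldSet { pub fields: BTreeMap<String, FieldOrigin> }

impl RuleFieldSet {
    /// Walk every rule and record each field name with its provenance.
    pub fn collect(rules: &[Rule]) -> Self {
        let mut set = Self::default();
        for r in rules {
            let groups = [
                (&r.detection, FieldSource::Detection),
                (&r.group_by, FieldSource::CorrelationGroupBy),
                (&r.filter, FieldSource::Filter),
                (&r.fields_meta, FieldSource::RuleFields),
            ];
            for (names, src) in groups {
                for name in names {
                    let origin = set.fields.entry(name.to_string()).or_default();
                    origin.rule_titles.insert(r.title.to_string());
                    origin.sources.insert(src);
                }
            }
        }
        set
    }

    /// Gap signal: rule-referenced fields the telemetry never emits, with
    /// provenance so the operator can see which rules are affected.
    pub fn gaps<'a>(&'a self, observed: &BTreeSet<&str>) -> Vec<(&'a str, &'a FieldOrigin)> {
        self.fields.iter()
            .filter(|(f, _)| !observed.contains(f.as_str()))
            .map(|(f, o)| (f.as_str(), o))
            .collect()
    }
}

/// Constructed sample rule set (not real rsigma or Sigma rules).
pub fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { title: "Suspicious PowerShell", detection: vec!["Image", "CommandLine"],
               group_by: vec![], filter: vec!["User"], fields_meta: vec!["CommandLine"] },
        Rule { title: "Many failed logons", detection: vec!["EventID"],
               group_by: vec!["TargetUserName", "CommandLine"], filter: vec![], fields_meta: vec![] },
    ]
}
```

A field that is referenced only from correlation group-by clauses but missing from the observed telemetry is the kind of finding the description calls a broken-coverage signal, since the correlation can never group on it.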
Structs
- FieldOrigin - Provenance for a single field name across the loaded rule set.
- RuleFieldSet - Set of field names referenced by a loaded
SigmaCollection, optionally after applying processing pipelines.
Enums
- FieldSource - Where in a rule a field reference came from.