Struct CorrelationConfig 

pub struct CorrelationConfig {
    pub timestamp_fields: Vec<String>,
    pub timestamp_fallback: TimestampFallback,
    pub max_state_entries: usize,
    pub max_group_entries: Option<usize>,
    pub suppress: Option<u64>,
    pub action_on_match: CorrelationAction,
    pub emit_detections: bool,
    pub correlation_event_mode: CorrelationEventMode,
    pub max_correlation_events: usize,
}

Configuration for the correlation engine.

Provides engine-level defaults that mirror pySigma backend optional arguments. Per-correlation overrides can be set via SetCustomAttribute pipeline transformations using the rsigma.* attribute namespace.

Fields

timestamp_fields: Vec<String>

Field names to try for timestamp extraction, in order of priority.

The engine will try each field until one yields a parseable timestamp. If none succeed, the timestamp_fallback policy applies.

timestamp_fallback: TimestampFallback

What to do when no timestamp can be extracted from an event.

Default: WallClock (use Utc::now()).
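The two fields above describe one procedure: walk timestamp_fields in priority order, take the first value that parses, and only if every candidate fails apply the fallback policy. The following is an added example of that procedure, not code from the rsigma crate. It assumes events are flat string maps and that timestamps are decimal Unix epoch seconds (a real engine would accept more formats); `Fallback` is a stand-in for the crate's TimestampFallback, and its `Reject` variant is hypothetical, added only to contrast with the documented WallClock policy.

```rust
use std::collections::HashMap;
use std::time::{SystemTime, UNIX_EPOCH};

/// Illustrative stand-in for the crate's `TimestampFallback`. The page documents
/// only `WallClock`; `Reject` is a hypothetical variant used here for contrast.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Fallback {
    WallClock,
    Reject,
}

/// Outcome of extraction, so a caller can tell a parsed value from a fallback.
#[derive(Debug, PartialEq)]
enum Extracted {
    FromField { field: String, epoch_secs: u64 },
    WallClock(u64),
    Rejected,
}

/// Parse one candidate value. Assumption for this example: decimal epoch seconds.
fn parse_epoch_secs(raw: &str) -> Option<u64> {
    raw.trim().parse::<u64>().ok()
}

/// Try each configured field in priority order; the first parseable value wins.
/// Absent or unparseable fields are skipped rather than treated as errors, which
/// is what lets one ordered list serve heterogeneous log sources.
fn extract_timestamp(
    event: &HashMap<&str, &str>,
    timestamp_fields: &[&str],
    fallback: Fallback,
) -> Extracted {
    for field in timestamp_fields {
        if let Some(secs) = event.get(field).and_then(|v| parse_epoch_secs(v)) {
            return Extracted::FromField { field: field.to_string(), epoch_secs: secs };
        }
    }
    // Nothing parsed: apply the fallback policy.
    match fallback {
        Fallback::WallClock => {
            let now = SystemTime::now()
                .duration_since(UNIX_EPOCH)
                .map(|d| d.as_secs())
                .unwrap_or(0);
            Extracted::WallClock(now)
        }
        Fallback::Reject => Extracted::Rejected,
    }
}

/// Constructed sample events (not real logs).
fn sample_events() -> Vec<HashMap<&'static str, &'static str>> {
    vec![
        // First-priority field is garbage, second one parses.
        HashMap::from([("@timestamp", "not-a-time"), ("event_time", "1700000000"), ("user", "alice")]),
        // No timestamp field at all.
        HashMap::from([("user", "bob")]),
    ]
}

fn main() {
    let fields = ["@timestamp", "event_time"];
    for ev in sample_events() {
        println!("{:?} -> {:?}", ev, extract_timestamp(&ev, &fields, Fallback::WallClock));
    }
}
```

One consequence worth keeping in mind when choosing WallClock: an event that arrives without a usable timestamp is placed at ingestion time, so replayed or backfilled logs can land in the wrong window relative to events that did carry their own timestamps.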

max_state_entries: usize

Maximum number of state entries (across all correlations and groups) before aggressive eviction is triggered. Prevents unbounded memory growth.

Default: 100_000.

max_group_entries: Option<usize>

Maximum number of retained entries within a single group’s window state (timestamps for event_count, (timestamp, value) pairs for value_count and the numeric aggregations, per-rule hits for temporal types). Bounds the within-window growth that max_state_entries does not: without a cap, a group’s deque grows with timespan × event rate.

When the cap is exceeded the oldest entries are dropped, which can only under-count (aggregates saturate at the cap; a correlation that would have fired on evicted entries may not fire). Session windows always keep their oldest entry as the span anchor, so truncation cannot silently extend the timespan cap.

None (default) means unbounded, preserving existing behavior. Can be overridden per-correlation via rsigma.max_group_entries.

suppress: Option<u64>

Default suppression window in seconds.

After a correlation fires for a (correlation, group_key), suppress re-alerts for this duration. None means no suppression (every condition-satisfying event produces an alert).

Can be overridden per-correlation via the rsigma.suppress custom attribute.
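The max_group_entries and suppress fields both act on a single group's state, so one small model shows them together. The following is an added example, not the rsigma engine's own code: a sliding-window event_count correlation in which `timespan` and `threshold` stand in for the rule-level window and condition, and `max_group_entries` and `suppress` behave as the fields above describe. It models only a sliding window; the session-window anchor rule is not represented.

```rust
use std::collections::{HashMap, VecDeque};

/// Per-(correlation, group_key) window state for an event_count correlation:
/// timestamps (epoch seconds) of matching events, oldest first, plus the time
/// the group last fired. Illustrative model only, not the crate's state type.
#[derive(Default)]
struct GroupState {
    hits: VecDeque<u64>,
    last_fired: Option<u64>,
}

/// The knobs this example exercises. `timespan` and `threshold` stand in for
/// the rule-level window and condition; the other two mirror the
/// CorrelationConfig fields of the same name.
#[derive(Clone, Copy)]
struct Params {
    timespan: u64,
    threshold: usize,
    max_group_entries: Option<usize>,
    suppress: Option<u64>,
}

struct Engine {
    params: Params,
    groups: HashMap<String, GroupState>,
}

impl Engine {
    fn new(params: Params) -> Self {
        Engine { params, groups: HashMap::new() }
    }

    /// Feed one matching event; returns true when an alert would be emitted.
    fn observe(&mut self, group_key: &str, ts: u64) -> bool {
        let p = self.params;
        let g = self.groups.entry(group_key.to_string()).or_default();

        // Sliding window: expire hits older than the timespan.
        while let Some(&oldest) = g.hits.front() {
            if ts.saturating_sub(oldest) > p.timespan {
                g.hits.pop_front();
            } else {
                break;
            }
        }
        g.hits.push_back(ts);

        // max_group_entries: cap within-window growth by evicting the oldest
        // entries. Relative to unbounded state this can only under-count.
        if let Some(cap) = p.max_group_entries {
            while g.hits.len() > cap {
                g.hits.pop_front();
            }
        }

        if g.hits.len() < p.threshold {
            return false;
        }

        // suppress: after firing for this (correlation, group_key), stay quiet
        // for the window. None re-alerts on every condition-satisfying event.
        if let (Some(window), Some(last)) = (p.suppress, g.last_fired) {
            if ts.saturating_sub(last) < window {
                return false;
            }
        }
        g.last_fired = Some(ts);
        true
    }
}

/// Constructed sample: five events for one group key within a few seconds,
/// then one much later (think "failed logons for alice").
const SAMPLE_EVENTS: [(&str, u64); 6] = [
    ("alice", 100), ("alice", 101), ("alice", 102),
    ("alice", 103), ("alice", 104), ("alice", 120),
];

/// Replay the sample through a fresh engine; returns, per event, whether it alerted.
fn replay(params: Params) -> Vec<bool> {
    let mut engine = Engine::new(params);
    SAMPLE_EVENTS.iter().map(|&(key, ts)| engine.observe(key, ts)).collect()
}

fn main() {
    let base = Params { timespan: 10, threshold: 3, max_group_entries: None, suppress: None };
    println!("unbounded, no suppression: {:?}", replay(base));
    println!("suppress = 5 s:            {:?}", replay(Params { suppress: Some(5), ..base }));
    println!("threshold 4, unbounded:    {:?}", replay(Params { threshold: 4, ..base }));
    println!("threshold 4, cap 3:        {:?}", replay(Params { threshold: 4, max_group_entries: Some(3), ..base }));
}
```

The last two runs are the point of the cap: with a threshold of 4 the unbounded deque fires on the fourth and fifth events, while a cap of 3 can never hold enough entries to satisfy the condition, so the correlation silently never fires. That is the under-count trade-off to weigh when setting rsigma.max_group_entries below the threshold a rule needs.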

action_on_match: CorrelationAction

Default action to take after a correlation fires.

Can be overridden per-correlation via the rsigma.action custom attribute.

emit_detections: bool

Whether to emit detection-level matches for rules that are only referenced by correlations (where generate: false).

Default: true (emit all detection matches). Set to false to suppress detection output for correlation-only rules.

correlation_event_mode: CorrelationEventMode

How to include contributing events in correlation results.

  • None (default): no event storage, zero overhead.
  • Full: events are deflate-compressed and decompressed on output.
  • Refs: only timestamps + event IDs are stored (minimal memory).

Can be overridden per-correlation via rsigma.correlation_event_mode.

max_correlation_events: usize

Maximum number of events to store per (correlation, group_key) window when correlation_event_mode is not None.

Bounds memory at roughly max_correlation_events × cost_per_event × active_groups. Default: 10.

Trait Implementations

impl Clone for CorrelationConfig
    fn clone(&self) -> CorrelationConfig
        Returns a duplicate of the value.
    fn clone_from(&mut self, source: &Self)
        Performs copy-assignment from source.

impl Debug for CorrelationConfig
    fn fmt(&self, f: &mut Formatter<'_>) -> Result
        Formats the value using the given formatter.

impl Default for CorrelationConfig
    fn default() -> Self
        Returns the “default value” for a type.

Blanket Implementations

impl<T> Any for T where T: 'static + ?Sized
    fn type_id(&self) -> TypeId
impl<T> Borrow<T> for T where T: ?Sized
    fn borrow(&self) -> &T
impl<T> BorrowMut<T> for T where T: ?Sized
    fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T where T: Clone
    unsafe fn clone_to_uninit(&self, dest: *mut u8) (nightly-only experimental API)
impl<T> From<T> for T
    fn from(t: T) -> T (returns the argument unchanged)
impl<T, U> Into<U> for T where U: From<T>
    fn into(self) -> U (calls U::from(self))
impl<T> ToOwned for T where T: Clone
    type Owned = T
    fn to_owned(&self) -> T
    fn clone_into(&self, target: &mut T)
impl<T, U> TryFrom<U> for T where U: Into<T>
    type Error = Infallible
    fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
impl<T, U> TryInto<U> for T where U: TryFrom<T>
    type Error = <U as TryFrom<T>>::Error
    fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>