Stateful correlation engine with time-windowed aggregation.
CorrelationEngine wraps the stateless Engine and adds support for
Sigma correlation rules: event_count, value_count, temporal,
temporal_ordered, value_sum, value_avg, value_percentile,
and value_median.
Architecture
- Events are first evaluated against detection rules (stateless)
- Detection matches update correlation window state (stateful)
- When a correlation condition is met, a CorrelationResult is emitted
- Correlation results can chain into higher-level correlations
Structs
- CorrelationConfig - Configuration for the correlation engine.
- CorrelationEngine - Stateful correlation engine.
- CorrelationInfo - Static description of one compiled correlation.
- CorrelationSnapshot - Serializable snapshot of all mutable correlation state.
- CorrelationStateSnapshot - A snapshot of every compiled correlation and its live per-group window state at the moment CorrelationEngine::introspect was called.
- GroupKeyPart - One field of a resolved group key.
- GroupStateInfo - Live state of one (correlation, group_key) window.
Enums
- CorrelationAction - What to do with window state after a correlation fires.
- CorrelationEventMode - How to include events in correlation results.
- TimestampFallback - Behavior when no timestamp field is found or parseable in an event.
Type Aliases
- ProcessResult - All EvaluationResults produced for a single input event.