Struct CorrelationEngine 

pub struct CorrelationEngine { /* private fields */ }

Stateful correlation engine.

Wraps the stateless Engine for detection rules and adds time-windowed correlation on top. Supports all 7 Sigma correlation types and chaining.

Implementations

impl CorrelationEngine

pub fn new(config: CorrelationConfig) -> Self

Create a new correlation engine with the given configuration.

pub fn add_pipeline(&mut self, pipeline: Pipeline)

Add a pipeline to the engine.

Pipelines are applied to rules during add_rule / add_collection.

pub fn set_include_event(&mut self, include: bool)

Set global include_event on the inner detection engine.

pub fn set_correlation_event_mode(&mut self, mode: CorrelationEventMode)

Set the global correlation event mode.

• None: no event storage (default)
• Full: compressed event bodies
• Refs: lightweight timestamp + ID references

pub fn set_max_correlation_events(&mut self, max: usize)

Set the maximum number of events to store per correlation window group. Only meaningful when correlation_event_mode is not None.

pub fn add_rule(&mut self, rule: &SigmaRule) -> Result<()>

Add a single detection rule.

If pipelines are set, the rule is cloned and transformed before compilation. The inner engine receives the already-transformed rule directly (not through its own pipeline, to avoid double transformation).

pub fn add_correlation(&mut self, corr: &CorrelationRule) -> Result<()>

Add a single correlation rule.

pub fn add_collection(&mut self, collection: &SigmaCollection) -> Result<()>

Add all rules and correlations from a parsed collection.

Detection rules are added first (so they’re available for correlation references), then correlation rules.

pub fn process_event(&mut self, event: &Event<'_>) -> ProcessResult

Process an event, extracting the timestamp from configured event fields.

When no timestamp field is found, the timestamp_fallback policy applies:

• WallClock: use Utc::now() (good for real-time streaming)
• Skip: return detections only, skip correlation state updates

pub fn process_event_at( &mut self, event: &Event<'_>, timestamp_secs: i64, ) -> ProcessResult

Process an event with an explicit Unix epoch timestamp (seconds).

The timestamp is clamped to [0, i64::MAX / 2] to prevent overflow when adding timespan durations internally.

pub fn evict_expired(&mut self, now_secs: i64)

Manually evict all expired state entries.

pub fn state_count(&self) -> usize

Number of active state entries (for monitoring).

pub fn detection_rule_count(&self) -> usize

Number of detection rules loaded.

pub fn correlation_rule_count(&self) -> usize

Number of correlation rules loaded.

pub fn event_buffer_count(&self) -> usize

Number of active event buffers (for monitoring).

pub fn event_buffer_bytes(&self) -> usize

Total compressed bytes across all event buffers (for monitoring).

pub fn event_ref_buffer_count(&self) -> usize

Number of active event ref buffers — Refs mode (for monitoring).

pub fn engine(&self) -> &Engine

Access the inner stateless engine.

Trait Implementations

impl Default for CorrelationEngine

fn default() -> Self

Returns the “default value” for a type.