pub struct Engine { /* private fields */ }Expand description
The main rule evaluation engine.
Holds a set of compiled rules and provides methods to evaluate events against them. Supports optional logsource routing for performance.
§Example
use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::{Engine, Event};
use serde_json::json;
let yaml = r#"
title: Detect Whoami
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: 'whoami'
condition: selection
level: medium
"#;
let collection = parse_sigma_yaml(yaml).unwrap();
let mut engine = Engine::new();
engine.add_collection(&collection).unwrap();
let event_val = json!({"CommandLine": "cmd /c whoami"});
let event = Event::from_value(&event_val);
let matches = engine.evaluate(&event);
assert_eq!(matches.len(), 1);
assert_eq!(matches[0].rule_title, "Detect Whoami");Implementations§
Source§impl Engine
impl Engine
Sourcepub fn new_with_pipeline(pipeline: Pipeline) -> Self
pub fn new_with_pipeline(pipeline: Pipeline) -> Self
Create a new engine with a pipeline.
Sourcepub fn set_include_event(&mut self, include: bool)
pub fn set_include_event(&mut self, include: bool)
Set global include_event — when true, all match results include
the full event JSON regardless of per-rule custom attributes.
Sourcepub fn add_pipeline(&mut self, pipeline: Pipeline)
pub fn add_pipeline(&mut self, pipeline: Pipeline)
Add a pipeline to the engine.
Pipelines are applied to rules during add_rule / add_collection.
Only affects rules added after this call.
Sourcepub fn add_rule(&mut self, rule: &SigmaRule) -> Result<()>
pub fn add_rule(&mut self, rule: &SigmaRule) -> Result<()>
Add a single parsed Sigma rule.
If pipelines are set, the rule is cloned and transformed before compilation.
Sourcepub fn add_collection(&mut self, collection: &SigmaCollection) -> Result<()>
pub fn add_collection(&mut self, collection: &SigmaCollection) -> Result<()>
Add all detection rules from a parsed collection, then apply filters.
Filter rules modify referenced detection rules by appending exclusion
conditions. Correlation rules are handled by CorrelationEngine.
Sourcepub fn add_collection_with_pipelines(
&mut self,
collection: &SigmaCollection,
pipelines: &[Pipeline],
) -> Result<()>
pub fn add_collection_with_pipelines( &mut self, collection: &SigmaCollection, pipelines: &[Pipeline], ) -> Result<()>
Add all detection rules from a collection, applying the given pipelines.
This is a convenience method that temporarily sets pipelines, adds the collection, then clears them.
Sourcepub fn apply_filter(&mut self, filter: &FilterRule) -> Result<()>
pub fn apply_filter(&mut self, filter: &FilterRule) -> Result<()>
Apply a filter rule to all referenced detection rules.
For each detection in the filter, compile it and inject it into matching
rules as AND NOT filter_condition.
Sourcepub fn add_compiled_rule(&mut self, rule: CompiledRule)
pub fn add_compiled_rule(&mut self, rule: CompiledRule)
Add a pre-compiled rule directly.
Sourcepub fn evaluate(&self, event: &Event<'_>) -> Vec<MatchResult>
pub fn evaluate(&self, event: &Event<'_>) -> Vec<MatchResult>
Evaluate an event against all rules, returning matches.
Sourcepub fn evaluate_with_logsource(
&self,
event: &Event<'_>,
event_logsource: &LogSource,
) -> Vec<MatchResult>
pub fn evaluate_with_logsource( &self, event: &Event<'_>, event_logsource: &LogSource, ) -> Vec<MatchResult>
Evaluate an event against rules matching the given logsource.
Only rules whose logsource is compatible with event_logsource are
evaluated. A rule’s logsource is compatible if every field it specifies
(category, product, service) matches the corresponding field in the
event logsource.
Sourcepub fn rule_count(&self) -> usize
pub fn rule_count(&self) -> usize
Number of rules loaded in the engine.
Sourcepub fn rules(&self) -> &[CompiledRule]
pub fn rules(&self) -> &[CompiledRule]
Access the compiled rules.