Struct CompiledCorrelation 

pub struct CompiledCorrelation {

    pub id: Option<String>,
    pub name: Option<String>,
    pub title: String,
    pub level: Option<Level>,
    pub tags: Vec<String>,
    pub correlation_type: CorrelationType,
    pub rule_refs: Vec<String>,
    pub group_by: Vec<GroupByField>,
    pub timespan_secs: u64,
    pub condition: CompiledCondition,
    pub extended_expr: Option<ConditionExpr>,
    pub generate: bool,
    pub suppress_secs: Option<u64>,
    pub action: Option<CorrelationAction>,
    pub event_mode: Option<CorrelationEventMode>,
    pub max_events: Option<usize>,
}

Compiled form of a CorrelationRule, ready for stateful evaluation.

Fields

id: Option<String>

name: Option<String>

title: String

level: Option<Level>

tags: Vec<String>

correlation_type: CorrelationType

rule_refs: Vec<String>

IDs or names of referenced rules (detection or other correlations).

group_by: Vec<GroupByField>

Resolved group-by fields (may include aliases).

timespan_secs: u64

Time window in seconds.

condition: CompiledCondition

Compiled threshold condition.

extended_expr: Option<ConditionExpr>

Extended boolean condition expression for temporal correlations. When set, evaluates this expression against fired rules instead of a simple threshold count.

generate: bool

Whether referenced detection rules should also generate standalone matches.

suppress_secs: Option<u64>

Per-correlation suppression window in seconds, resolved from the rsigma.suppress custom attribute. None means use engine default.

action: Option<CorrelationAction>

Per-correlation action on match, resolved from the rsigma.action custom attribute. None means use engine default.

event_mode: Option<CorrelationEventMode>

Event inclusion mode for this correlation. None means use the engine default (CorrelationConfig.correlation_event_mode).

max_events: Option<usize>

Maximum events to store per window group for event inclusion. None means use the engine default (CorrelationConfig.max_correlation_events).

Trait Implementations

impl Clone for CompiledCorrelation

fn clone(&self) -> CompiledCorrelation

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for CompiledCorrelation

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.