rsigma_eval/result.rs
1//! Match result types for rule evaluation.
2
3use std::collections::HashMap;
4use std::sync::Arc;
5
6use rsigma_parser::Level;
7use serde::Serialize;
8
/// Outcome of evaluating one Sigma rule against one event, produced only
/// when the rule fired.
///
/// Carries the identifying metadata of the rule (title, id, level, tags)
/// together with the evidence for the match: which named selections fired
/// and which concrete field/value pairs satisfied them.
///
/// Security note for consumers: `event`, `matched_fields` and
/// `custom_attributes` all carry data copied verbatim from the event or
/// from the rule file. A serialized `MatchResult` is therefore at least as
/// sensitive as the event it was produced from, and rule-supplied
/// attributes should be treated as untrusted text when rendered.
#[derive(Debug, Clone)]
#[derive(Serialize)]
pub struct MatchResult {
    /// `title:` of the rule that matched.
    pub rule_title: String,
    /// `id:` of the rule that matched; `None` when the rule declares none.
    pub rule_id: Option<String>,
    /// `level:` of the rule, if one was declared.
    pub level: Option<Level>,
    /// `tags:` of the rule.
    pub tags: Vec<String>,
    /// Names of the detection selections that evaluated to true.
    pub matched_selections: Vec<String>,
    /// Concrete field/value pairs that satisfied those selections.
    /// Values are copied from the event, so they may contain sensitive data.
    pub matched_fields: Vec<FieldMatch>,
    /// Full copy of the triggering event.
    ///
    /// Only populated when the rule's `rsigma.include_event` custom
    /// attribute equals the string `"true"`; otherwise `None`, and the key
    /// is omitted from serialized output entirely. Because that switch is
    /// itself a custom attribute, whoever can author rules can opt into
    /// copying raw events (and whatever secrets or PII they hold) into the
    /// match output — presumably the evaluator reads the flag from the same
    /// rule-supplied attribute map; confirm against the evaluator before
    /// relying on this as a deployment-level control.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub event: Option<serde_json::Value>,
    /// Rule-author-controlled attributes, merged from three sources:
    /// unknown top-level keys of the rule, its explicit `custom_attributes:`
    /// block, and values added by pipeline `SetCustomAttribute`
    /// transformations. Nothing here is validated by this type — the
    /// values are arbitrary JSON taken from the rule file.
    ///
    /// Held behind an `Arc` so cloning a `MatchResult` shares one map
    /// instead of copying it; the shared map is read-only through the
    /// handle (mutating it would require `Arc::make_mut`, which copies).
    /// Serializing through `Arc` relies on serde's `rc` feature
    /// (presumably enabled in this crate's manifest), and the
    /// `HashMap::is_empty` skip predicate reaches the map through deref
    /// coercion of `&Arc<HashMap<_, _>>`.
    #[serde(skip_serializing_if = "HashMap::is_empty")]
    pub custom_attributes: Arc<HashMap<String, serde_json::Value>>,
}
40
/// One field/value pair that contributed to a match.
///
/// `value` is a verbatim copy of the event's value for `field`, so it
/// inherits the event's sensitivity (command lines, user data, tokens that
/// happened to be logged) and is emitted unchanged in serialized output.
#[derive(Debug, Clone)]
#[derive(Serialize)]
pub struct FieldMatch {
    /// Name of the event field whose value triggered the match.
    pub field: String,
    /// The event's value for `field`, as JSON; not normalized or redacted
    /// by this type.
    pub value: serde_json::Value,
}
48}