Skip to main content

Transformation

rsigma_eval::pipeline::transformations

Enum Transformation 

Source 
pub enum Transformation {

Show 26 variants    FieldNameMapping {
        mapping: HashMap<String, String>,
    },
    FieldNamePrefixMapping {
        mapping: HashMap<String, String>,
    },
    FieldNamePrefix {
        prefix: String,
    },
    FieldNameSuffix {
        suffix: String,
    },
    DropDetectionItem,
    AddCondition {
        conditions: HashMap<String, SigmaValue>,
        negated: bool,
    },
    ChangeLogsource {
        category: Option<String>,
        product: Option<String>,
        service: Option<String>,
    },
    ReplaceString {
        regex: String,
        replacement: String,
        skip_special: bool,
    },
    ValuePlaceholders,
    WildcardPlaceholders,
    QueryExpressionPlaceholders {
        expression: String,
    },
    SetState {
        key: String,
        value: String,
    },
    RuleFailure {
        message: String,
    },
    DetectionItemFailure {
        message: String,
    },
    FieldNameTransform {
        transform_func: String,
        mapping: HashMap<String, String>,
    },
    HashesFields {
        valid_hash_algos: Vec<String>,
        field_prefix: String,
        drop_algo_prefix: bool,
    },
    MapString {
        mapping: HashMap<String, Vec<String>>,
    },
    SetValue {
        value: SigmaValue,
    },
    ConvertType {
        target_type: String,
    },
    Regex,
    AddField {
        field: String,
    },
    RemoveField {
        field: String,
    },
    SetField {
        fields: Vec<String>,
    },
    SetCustomAttribute {
        attribute: String,
        value: String,
    },
    CaseTransformation {
        case_type: String,
    },
    Nest {
        items: Vec<TransformationItem>,
    },

}
Expand description

All supported pipeline transformation types.

Variants§

§

FieldNameMapping

Map field names via a lookup table.

Fields

§mapping: HashMap<String, String>
§

FieldNamePrefixMapping

Map field name prefixes.

Fields

§mapping: HashMap<String, String>
§

FieldNamePrefix

Add a prefix to all matched field names.

Fields

§prefix: String
§

FieldNameSuffix

Add a suffix to all matched field names.

Fields

§suffix: String
§

DropDetectionItem

Remove matching detection items.

§

AddCondition

Add field=value conditions to the rule’s detection.

Fields

§conditions: HashMap<String, SigmaValue>
§negated: bool

If true, negate the added conditions.

§

ChangeLogsource

Replace logsource fields.

Fields

§category: Option<String>
§product: Option<String>
§service: Option<String>
§

ReplaceString

Regex replacement in string values.

When skip_special is true, replacement is applied only to the plain (non-wildcard) segments of SigmaString, preserving * and ? wildcards. Mirrors pySigma’s ReplaceStringTransformation.skip_special.

Fields

§regex: String
§replacement: String
§skip_special: bool
§

ValuePlaceholders

Expand %name% placeholders with pipeline variables.

§

WildcardPlaceholders

Replace unresolved %name% placeholders with * wildcard.

§

QueryExpressionPlaceholders

Store expression template (no-op for eval, kept for YAML compat).

Fields

§expression: String
§

SetState

Set key-value in pipeline state.

Fields

§key: String
§value: String
§

RuleFailure

Fail if rule conditions match.

Fields

§message: String
§

DetectionItemFailure

Fail if detection item conditions match.

Fields

§message: String
§

FieldNameTransform

Apply a named function to field names (lowercase, uppercase, etc.). In pySigma this takes a Python callable; we support named functions.

Fields

§transform_func: String

One of: “lower”, “upper”, “title”, “snake_case”

§mapping: HashMap<String, String>

Explicit overrides: field → new_name (applied instead of the function).

§

HashesFields

Decompose the Hashes field into per-algorithm fields.

Hashes: "SHA1=abc,MD5=def"FileSHA1: abc + FileMD5: def

Fields

§valid_hash_algos: Vec<String>

Allowed hash algorithms (e.g. ["MD5", "SHA1", "SHA256"]).

§field_prefix: String

Prefix for generated field names (e.g. "File"FileMD5).

§drop_algo_prefix: bool

If true, omit algo name from field (use just prefix).

§

MapString

Map string values via a lookup table.

Supports one-to-many mapping: a single value can map to multiple alternatives (pySigma compat). When one-to-many is used, the detection item’s values list is expanded in place.

Fields

§mapping: HashMap<String, Vec<String>>
§

SetValue

Set all values of matching detection items to a fixed value.

Fields

§value: SigmaValue
§

ConvertType

Convert detection item values to a different type. Supported: “str”, “int”, “float”, “bool”.

Fields

§target_type: String
§

Regex

Convert plain string values to regex patterns.

§

AddField

Add a field name to the rule’s output fields list.

Fields

§field: String
§

RemoveField

Remove a field name from the rule’s output fields list.

Fields

§field: String
§

SetField

Set (replace) the rule’s output fields list.

Fields

§fields: Vec<String>
§

SetCustomAttribute

Set a custom attribute on the rule.

Stores the key-value pair in SigmaRule.custom_attributes as a serde_yaml::Value::String. Backends / engines can read these to modify per-rule behavior (e.g. rsigma.suppress, rsigma.action). Mirrors pySigma’s SetCustomAttributeTransformation.

Fields

§attribute: String
§value: String
§

CaseTransformation

Apply a case transformation to string values. Supported: “lower”, “upper”, “snake_case”.

Fields

§case_type: String
§

Nest

Nested sub-pipeline: apply a list of transformations as a group. The inner items share the same conditions as the outer item.

Implementations§

Source§

impl Transformation

Source

pub fn apply( &self, rule: &mut SigmaRule, state: &mut PipelineState, detection_item_conditions: &[DetectionItemCondition], field_name_conditions: &[FieldNameCondition], field_name_cond_not: bool, ) -> Result<bool>

Apply this transformation to a SigmaRule, mutating it in place.

Returns Ok(true) if the transformation was applied, Ok(false) if skipped.

Trait Implementations§

Source§

impl Clone for Transformation

Source§

fn clone(&self) -> Transformation

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Transformation

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.