Module correlation_engine 

Stateful correlation engine with time-windowed aggregation.

CorrelationEngine wraps the stateless Engine and adds support for Sigma correlation rules: event_count, value_count, temporal, temporal_ordered, value_sum, value_avg, value_percentile, and value_median.

Architecture

1. Events are first evaluated against detection rules (stateless)
2. Detection matches update correlation window state (stateful)
3. When a correlation condition is met, a CorrelationResult is emitted
4. Correlation results can chain into higher-level correlations

Structs

CorrelationConfig

Configuration for the correlation engine.

CorrelationEngine

Stateful correlation engine.

CorrelationResult

The result of a correlation rule firing.

CorrelationSnapshot

Serializable snapshot of all mutable correlation state.

ProcessResult

Combined result from processing a single event.

Enums

CorrelationAction

What to do with window state after a correlation fires.

CorrelationEventMode

How to include events in correlation results.

TimestampFallback

Behavior when no timestamp field is found or parseable in an event.