Skip to main content

CorrelationConfig

rsigma_eval::correlation_engine

Struct CorrelationConfig 

Source 
pub struct CorrelationConfig {
    pub timestamp_fields: Vec<String>,
    pub timestamp_fallback: TimestampFallback,
    pub max_state_entries: usize,
    pub suppress: Option<u64>,
    pub action_on_match: CorrelationAction,
    pub emit_detections: bool,
    pub correlation_event_mode: CorrelationEventMode,
    pub max_correlation_events: usize,
}
Expand description

Configuration for the correlation engine.

Provides engine-level defaults that mirror pySigma backend optional arguments. Per-correlation overrides can be set via SetCustomAttribute pipeline transformations using the rsigma.* attribute namespace.

Fields§

§timestamp_fields: Vec<String>

Field names to try for timestamp extraction, in order of priority.

The engine will try each field until one yields a parseable timestamp. If none succeed, the timestamp_fallback policy applies.

§timestamp_fallback: TimestampFallback

What to do when no timestamp can be extracted from an event.

Default: WallClock (use Utc::now()).

§max_state_entries: usize

Maximum number of state entries (across all correlations and groups) before aggressive eviction is triggered. Prevents unbounded memory growth.

Default: 100_000.

§suppress: Option<u64>

Default suppression window in seconds.

After a correlation fires for a (correlation, group_key), suppress re-alerts for this duration. None means no suppression (every condition-satisfying event produces an alert).

Can be overridden per-correlation via the rsigma.suppress custom attribute.

§action_on_match: CorrelationAction

Default action to take after a correlation fires.

Can be overridden per-correlation via the rsigma.action custom attribute.

§emit_detections: bool

Whether to emit detection-level matches for rules that are only referenced by correlations (where generate: false).

Default: true (emit all detection matches). Set to false to suppress detection output for correlation-only rules.

§correlation_event_mode: CorrelationEventMode

How to include contributing events in correlation results.

  • None (default): no event storage, zero overhead.
  • Full: events are deflate-compressed and decompressed on output.
  • Refs: only timestamps + event IDs are stored (minimal memory).

Can be overridden per-correlation via rsigma.correlation_event_mode.

§max_correlation_events: usize

Maximum number of events to store per (correlation, group_key) window when correlation_event_mode is not None.

Bounds memory at: max_correlation_events × cost_per_event × active_groups. Default: 10.

Trait Implementations§

Source§

impl Clone for CorrelationConfig

Source§

fn clone(&self) -> CorrelationConfig

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for CorrelationConfig

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for CorrelationConfig

Source§

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.