Struct CorrelationEngine 

pub struct CorrelationEngine { /* private fields */ }

Stateful correlation engine.

Wraps the stateless Engine for detection rules and adds time-windowed correlation on top. Supports all 7 Sigma correlation types and chaining.

Implementations

impl CorrelationEngine

pub fn new(config: CorrelationConfig) -> Self

Create a new correlation engine with the given configuration.

pub fn add_pipeline(&mut self, pipeline: Pipeline)

Add a pipeline to the engine.

Pipelines are applied to rules during add_rule / add_collection.

pub fn set_include_event(&mut self, include: bool)

Set global include_event on the inner detection engine.

pub fn set_correlation_event_mode(&mut self, mode: CorrelationEventMode)

Set the global correlation event mode.

• None: no event storage (default)
• Full: compressed event bodies
• Refs: lightweight timestamp + ID references

pub fn set_max_correlation_events(&mut self, max: usize)

Set the maximum number of events to store per correlation window group. Only meaningful when correlation_event_mode is not None.

pub fn add_rule(&mut self, rule: &SigmaRule) -> Result<()>

Add a single detection rule.

If pipelines are set, the rule is cloned and transformed before compilation. The inner engine receives the already-transformed rule directly (not through its own pipeline, to avoid double transformation).

pub fn add_correlation(&mut self, corr: &CorrelationRule) -> Result<()>

Add a single correlation rule.

pub fn add_collection(&mut self, collection: &SigmaCollection) -> Result<()>

Add all rules and correlations from a parsed collection.

Detection rules are added first (so they’re available for correlation references), then correlation rules.

pub fn process_event(&mut self, event: &Event<'_>) -> ProcessResult

Process an event, extracting the timestamp from configured event fields.

When no timestamp field is found, the timestamp_fallback policy applies:

• WallClock: use Utc::now() (good for real-time streaming)
• Skip: return detections only, skip correlation state updates

pub fn process_event_at( &mut self, event: &Event<'_>, timestamp_secs: i64, ) -> ProcessResult

Process an event with an explicit Unix epoch timestamp (seconds).

The timestamp is clamped to [0, i64::MAX / 2] to prevent overflow when adding timespan durations internally.

pub fn evict_expired(&mut self, now_secs: i64)

Manually evict all expired state entries.

pub fn state_count(&self) -> usize

Number of active state entries (for monitoring).

pub fn detection_rule_count(&self) -> usize

Number of detection rules loaded.

pub fn correlation_rule_count(&self) -> usize

Number of correlation rules loaded.

pub fn event_buffer_count(&self) -> usize

Number of active event buffers (for monitoring).

pub fn event_buffer_bytes(&self) -> usize

Total compressed bytes across all event buffers (for monitoring).

pub fn event_ref_buffer_count(&self) -> usize

Number of active event ref buffers — Refs mode (for monitoring).

pub fn engine(&self) -> &Engine

Access the inner stateless engine.

pub fn export_state(&self) -> CorrelationSnapshot

Export all mutable correlation state as a serializable snapshot.

The snapshot uses stable correlation identifiers (id > name > title) instead of internal indices, so it survives rule reloads as long as the correlation rules keep the same identifiers.

pub fn import_state(&mut self, snapshot: CorrelationSnapshot) -> bool

Import previously exported state, mapping stable identifiers back to current correlation indices. Entries whose identifiers no longer match any loaded correlation are silently dropped.

Returns false (and imports nothing) if the snapshot version is incompatible with the current schema.

Trait Implementations

impl Default for CorrelationEngine

fn default() -> Self

Returns the “default value” for a type.