ADS (Alerting and Detection Strategy) section vocabulary and reading helpers.
The Palantir ADS framework describes nine sections every production
detection should carry: a goal, an ATT&CK categorization, a strategy
abstract, technical context, stated blind spots and assumptions,
false-positive notes, a true-positive validation recipe, a priority, and a
response plan. RSigma already homes four of them on standard Sigma fields
(description, tags, falsepositives, level) and carries the rest as
plain documentation under a rsigma.ads.* custom-attribute namespace.
ads_catalogue is the single source of truth for that vocabulary: one
AdsSectionInfo per section (its stable snake_case id, the field that
carries it, whether it is required by default, and a one-line description).
The linter, the rsigma rule doc command, the MCP rsigma://ads/schema
resource, and the docs all ground on this list. The list is generated by one
macro so the same source drives both the catalogue and an exhaustive
match: adding an AdsSection variant without a catalogue entry is a
compile error.
These values are pure documentation. The engine never interprets them, so they carry zero runtime cost.
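A self-contained sketch of the carrier mapping and the missing-section check described above, written for this page rather than taken from the rsigma_parser crate: it places the four standard-field sections on description, tags, falsepositives and level, the other five under rsigma.ads.*, and treats every section as required. The section ids other than goal, the Rule struct and the placeholder text are assumptions of this example.

```rust
use std::collections::BTreeMap;
/// Shared prefix of every ADS custom-attribute key, and the key that opts a rule out.
pub const ADS_PREFIX: &str = "rsigma.ads.";
pub const EXEMPT_KEY: &str = "rsigma.ads.exempt";
/// Where a section's content lives: a standard Sigma field or a rsigma.ads.* attribute.
#[derive(Clone, Copy, PartialEq, Eq)]
pub enum Carrier { Field(&'static str), Custom }
/// The nine sections in the order the module doc lists them; only "goal" is an id the page gives, the rest are assumed.
pub static CATALOGUE: [(&str, Carrier); 9] = [
    ("goal", Carrier::Field("description")),
    ("categorization", Carrier::Field("tags")),
    ("strategy_abstract", Carrier::Custom),
    ("technical_context", Carrier::Custom),
    ("blind_spots", Carrier::Custom),
    ("false_positives", Carrier::Field("falsepositives")),
    ("validation", Carrier::Custom),
    ("priority", Carrier::Field("level")),
    ("response", Carrier::Custom),
];
/// Minimal rule model (constructed for this example): standard fields, tags, custom attributes.
#[derive(Default)]
pub struct Rule { pub fields: BTreeMap<String, String>, pub tags: Vec<String>, pub custom: BTreeMap<String, String> }
pub fn is_exempt(rule: &Rule) -> bool { rule.custom.get(EXEMPT_KEY).map_or(false, |v| v == "true") }
/// An attack.* tag, or a tag in one of the team's extra namespaces, counts as categorization.
pub fn has_categorization(rule: &Rule, extra_namespaces: &[&str]) -> bool {
    rule.tags.iter().any(|t| t.starts_with("attack.")
        || extra_namespaces.iter().any(|ns| t.starts_with(&format!("{ns}."))))
}
fn filled(v: Option<&String>) -> bool { v.map_or(false, |s| !s.trim().is_empty()) }
fn present(rule: &Rule, id: &str, carrier: Carrier, extra: &[&str]) -> bool {
    match carrier {
        Carrier::Field("tags") => has_categorization(rule, extra),
        Carrier::Field(f) => filled(rule.fields.get(f)),
        Carrier::Custom => filled(rule.custom.get(&format!("{ADS_PREFIX}{id}"))),
    }
}
/// Ids of the sections the rule lacks; empty when the rule opts out via rsigma.ads.exempt.
pub fn missing_sections(rule: &Rule, extra: &[&str]) -> Vec<&'static str> {
    if is_exempt(rule) { return Vec::new(); }
    CATALOGUE.iter().filter(|(id, c)| !present(rule, id, *c, extra)).map(|(id, _)| *id).collect()
}
/// Placeholder rsigma.ads.* entries for the missing sections that live under the custom prefix.
pub fn scaffold_missing(rule: &Rule, extra: &[&str]) -> Vec<(String, String)> {
    let missing = missing_sections(rule, extra);
    CATALOGUE.iter().filter(|(id, c)| *c == Carrier::Custom && missing.contains(id))
        .map(|(id, _)| (format!("{ADS_PREFIX}{id}"), format!("TODO: write the {id} section"))).collect()
}
```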
§Example
use rsigma_parser::ads::{ads_catalogue, AdsSection};
let sections = ads_catalogue();
assert_eq!(sections.len(), 9);
let goal = sections.iter().find(|s| s.id == "goal").unwrap();
assert!(goal.default_required);
assert_eq!(AdsSection::Goal.carrier_field(), "description");
Structs§
- AdsDocument - The assembled ADS document for one rule: every section, its presence, and its content.
- AdsScaffoldEntry - One entry of a generated ADS scaffold: a rsigma.ads.* key and a placeholder value for an author or agent to complete.
- AdsSectionInfo - Metadata describing one ADS section.
- AdsSectionStatus - The status of one ADS section on a rule: which section, whether it is present, and its content when present.
Enums§
- AdsCarrier
- Where an ADS section’s content lives on a rule.
- AdsContent
- Rendered content of an ADS section.
- AdsSection
- One ADS section.
Constants§
- ADS_PREFIX - The shared prefix of every rsigma.ads.* custom-attribute key.
- EXEMPT_KEY - The rsigma.ads.* custom-attribute key that opts a rule out of ADS enforcement (rsigma.ads.exempt: true).
Functions§
- ads_catalogue - Return metadata for every AdsSection, in canonical order.
- attack_tags - The attack.* tags on a rule (the ATT&CK categorization carrier).
- has_categorization - Whether the rule carries an ATT&CK categorization: an attack.* tag, or a tag in any of the extra_namespaces (a private ATT&CK-adjacent taxonomy a team recognises via the linter's tag_namespaces setting).
- is_exempt - Whether a rule is exempt from ADS enforcement (rsigma.ads.exempt: true).
- scaffold_missing - Build placeholder rsigma.ads.* entries for the sections a rule is missing.