
Module ads


ADS (Alerting and Detection Strategy) section vocabulary and reading helpers.

The Palantir ADS framework describes nine sections every production detection should carry: a goal, an ATT&CK categorization, a strategy abstract, technical context, stated blind spots and assumptions, false-positive notes, a true-positive validation recipe, a priority, and a response plan. RSigma already homes four of them on standard Sigma fields (description, tags, falsepositives, level) and carries the rest as plain documentation under a rsigma.ads.* custom-attribute namespace.

ads_catalogue is the single source of truth for that vocabulary: one AdsSectionInfo per section (its stable snake_case id, the field that carries it, whether it is required by default, and a one-line description). The linter, the rsigma rule doc command, the MCP rsigma://ads/schema resource, and the docs all ground on this list. The list is generated by one macro so the same source drives both the catalogue and an exhaustive match: adding an AdsSection variant without a catalogue entry is a compile error.

These values are pure documentation. The engine never interprets them, so they carry zero runtime cost.

§Example

use rsigma_parser::ads::{ads_catalogue, AdsSection};

let sections = ads_catalogue();
assert_eq!(sections.len(), 9);

let goal = sections.iter().find(|s| s.id == "goal").unwrap();
assert!(goal.default_required);
assert_eq!(AdsSection::Goal.carrier_field(), "description");

Structs§

AdsDocument
The assembled ADS document for one rule: every section, its presence, and its content.
AdsScaffoldEntry
One entry of a generated ADS scaffold: a rsigma.ads.* key and a placeholder value for an author or agent to complete.
AdsSectionInfo
Metadata describing one ADS section.
AdsSectionStatus
The status of one ADS section on a rule: which section, whether it is present, and its content when present.

Enums§

AdsCarrier
Where an ADS section’s content lives on a rule.
AdsContent
Rendered content of an ADS section.
AdsSection
One ADS section.

Constants§

ADS_PREFIX
The shared prefix of every rsigma.ads.* custom-attribute key.
EXEMPT_KEY
The rsigma.ads.* custom-attribute key that opts a rule out of ADS enforcement (rsigma.ads.exempt: true).

Functions§

ads_catalogue
Return metadata for every AdsSection, in canonical order.
attack_tags
The attack.* tags on a rule (the ATT&CK categorization carrier).
has_categorization
Whether the rule carries an ATT&CK categorization: an attack.* tag, or a tag in any of the extra_namespaces (a private ATT&CK-adjacent taxonomy a team recognises via the linter’s tag_namespaces setting).
is_exempt
Whether a rule is exempt from ADS enforcement (rsigma.ads.exempt: true).
scaffold_missing
Build placeholder rsigma.ads.* entries for the sections a rule is missing.
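The section-to-carrier mapping described in the module description, together with the exempt, categorization and scaffold checks listed under Functions, modelled as a small stand-alone program. This is an added example, not the rsigma_parser crate's own code or API: only the id goal, the carriers description, tags, falsepositives and level, the attack.* prefix and the rsigma.ads.exempt key come from the page; the remaining section ids, the rsigma.ads.* keys for the documentation-only sections and the placeholder text are assumptions.

```rust
use std::collections::BTreeMap;

/// One ADS section: its stable id and the field that carries it.
#[derive(Clone, Copy)]
pub struct Section { pub id: &'static str, pub carrier: &'static str }

/// The nine sections in the order the page lists them. Only "goal" is an id the
/// page states; the other ids and the rsigma.ads.* keys are assumed here.
pub const SECTIONS: [Section; 9] = [
    Section { id: "goal", carrier: "description" },
    Section { id: "categorization", carrier: "tags" },
    Section { id: "strategy_abstract", carrier: "rsigma.ads.strategy_abstract" },
    Section { id: "technical_context", carrier: "rsigma.ads.technical_context" },
    Section { id: "blind_spots", carrier: "rsigma.ads.blind_spots" },
    Section { id: "false_positives", carrier: "falsepositives" },
    Section { id: "validation", carrier: "rsigma.ads.validation" },
    Section { id: "priority", carrier: "level" },
    Section { id: "response", carrier: "rsigma.ads.response" },
];

/// A flattened rule: scalar fields plus rsigma.ads.* custom attributes, and its tags.
pub struct Rule<'a> { pub fields: BTreeMap<&'a str, &'a str>, pub tags: Vec<&'a str> }

/// `rsigma.ads.exempt: true` opts the rule out of ADS enforcement.
pub fn is_exempt(rule: &Rule) -> bool { rule.fields.get("rsigma.ads.exempt") == Some(&"true") }

/// ATT&CK categorization: an attack.* tag, or a tag under a recognised extra namespace.
pub fn has_categorization(rule: &Rule, extra_namespaces: &[&str]) -> bool {
    rule.tags.iter().any(|t| {
        t.starts_with("attack.") || extra_namespaces.iter().any(|ns| t.starts_with(&format!("{ns}.")))
    })
}

/// Ids of the sections a rule lacks, in canonical order; an exempt rule reports none.
pub fn missing_sections(rule: &Rule, extra_namespaces: &[&str]) -> Vec<&'static str> {
    if is_exempt(rule) { return Vec::new(); }
    SECTIONS.iter().filter(|s| !match s.carrier {
        "tags" => has_categorization(rule, extra_namespaces),
        f => rule.fields.get(f).map_or(false, |v| !v.trim().is_empty()),
    }).map(|s| s.id).collect()
}

/// Placeholder rsigma.ads.* entries for the missing sections (placeholder text is assumed).
pub fn scaffold_missing(rule: &Rule, extra_namespaces: &[&str]) -> Vec<(String, String)> {
    missing_sections(rule, extra_namespaces).into_iter()
        .map(|id| (format!("rsigma.ads.{id}"), format!("TODO: {id}"))).collect()
}
```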