pub enum AdsSection {
Goal,
Categorization,
Strategy,
TechnicalContext,
BlindSpots,
FalsePositives,
Validation,
Priority,
Response,
}

One ADS section.
Reference: Palantir Alerting and Detection Strategy framework.

Variants
Goal
What the detection is trying to catch (carried by description).
Categorization
The ATT&CK categorization (carried by attack.* tags).
Strategy
A one-paragraph abstract of the detection approach.
TechnicalContext
The data source, fields, and environment knowledge the detection needs.
BlindSpots
How an attacker could evade the detection, and what it assumes.
FalsePositives
Known benign triggers (carried by falsepositives).
Validation
A recipe that produces a true-positive event the detection fires on.
Priority
Why the detection’s level is what it is (the priority rationale).
Response
What an analyst should do when the detection fires.
Implementations

impl AdsSection

pub fn all() -> &'static [AdsSection]
All sections, in canonical order.

pub fn from_id(id: &str) -> Option<AdsSection>
Look up a section by its stable snake_case id.

pub fn info(&self) -> AdsSectionInfo
This section’s catalogue metadata.

pub fn carrier(&self) -> AdsCarrier
The carrier of this section’s content.

pub fn carrier_field(&self) -> &'static str
The field name or attribute key that carries this section.

pub fn default_required(&self) -> bool
Whether this section is required by default.

pub fn content(&self, rule: &SigmaRule) -> Option<AdsContent>
Extract this section’s content from a rule, or None when the section is absent or blank.

pub fn is_present(&self, rule: &SigmaRule) -> bool
Whether this section’s content is present and non-blank on the rule.
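The section catalogue and the `content` / `is_present` / `default_required` contract above are easiest to see end to end in code. The following is an added example written for this page, not the crate's own implementation: it models `AdsSection` over a deliberately small `SigmaRule` stand-in and runs a completeness check that reports which required sections a rule is missing. The `id()` helper and its snake_case spellings, the attribute map used as the carrier for sections the page does not assign to a rule field, and the choice of which sections are required by default are all assumptions made for the illustration; the carriers the page does state (description, attack.* tags, falsepositives) are kept as given.

```rust
// Added example, not the crate's own code: a self-contained model of the
// AdsSection catalogue plus a completeness check over a Sigma-like rule.
// The SigmaRule struct, the id() helper, the attribute-map carrier and the
// default_required choices are assumptions made for this illustration.
use std::collections::BTreeMap;

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum AdsSection {
    Goal, Categorization, Strategy, TechnicalContext, BlindSpots,
    FalsePositives, Validation, Priority, Response,
}

/// Minimal stand-in for a parsed Sigma rule (constructed for the example).
#[derive(Debug, Default)]
pub struct SigmaRule {
    pub description: String,
    pub tags: Vec<String>,
    pub falsepositives: Vec<String>,
    pub attributes: BTreeMap<String, String>, // assumed home for the remaining sections
}

impl AdsSection {
    /// All sections, in canonical (declaration) order.
    pub fn all() -> &'static [AdsSection] {
        static ALL: [AdsSection; 9] = [
            AdsSection::Goal, AdsSection::Categorization, AdsSection::Strategy,
            AdsSection::TechnicalContext, AdsSection::BlindSpots, AdsSection::FalsePositives,
            AdsSection::Validation, AdsSection::Priority, AdsSection::Response,
        ];
        &ALL
    }

    /// Stable snake_case id, indexed by discriminant (assumed spellings).
    pub fn id(&self) -> &'static str {
        ["goal", "categorization", "strategy", "technical_context", "blind_spots",
         "false_positives", "validation", "priority", "response"][*self as usize]
    }

    pub fn from_id(id: &str) -> Option<AdsSection> {
        Self::all().iter().copied().find(|s| s.id() == id)
    }

    /// Field name, tag prefix, or attribute key that carries the section.
    pub fn carrier_field(&self) -> &'static str {
        match self {
            AdsSection::Goal => "description",
            AdsSection::Categorization => "attack.",
            AdsSection::FalsePositives => "falsepositives",
            other => other.id(),
        }
    }

    /// Assumed default: only the goal and the ATT&CK categorization are mandatory.
    pub fn default_required(&self) -> bool {
        matches!(self, AdsSection::Goal | AdsSection::Categorization)
    }

    /// The section's text, or None when it is absent or whitespace-only.
    pub fn content(&self, rule: &SigmaRule) -> Option<String> {
        let raw = match self {
            AdsSection::Goal => rule.description.clone(),
            AdsSection::FalsePositives => rule.falsepositives.join("\n"),
            AdsSection::Categorization => rule.tags.iter().map(String::as_str)
                .filter(|t| t.starts_with(self.carrier_field())).collect::<Vec<_>>().join(", "),
            _ => rule.attributes.get(self.carrier_field()).cloned().unwrap_or_default(),
        };
        let trimmed = raw.trim();
        (!trimmed.is_empty()).then(|| trimmed.to_string())
    }

    pub fn is_present(&self, rule: &SigmaRule) -> bool {
        self.content(rule).is_some()
    }
}

/// Required-by-default sections that are missing or blank, in canonical order.
pub fn missing_required(rule: &SigmaRule) -> Vec<AdsSection> {
    AdsSection::all().iter().copied()
        .filter(|s| s.default_required() && !s.is_present(rule)).collect()
}

/// Constructed rule: goal and ATT&CK tags present, false-positives note blank,
/// a blind-spots attribute filled in, validation and response sections absent.
pub fn sample_rule() -> SigmaRule {
    SigmaRule {
        description: "Detects a script interpreter started with an encoded command line".into(),
        tags: vec!["attack.t1059.001".into(), "attack.execution".into()],
        falsepositives: vec!["   ".into()],
        attributes: BTreeMap::from([("blind_spots".to_string(),
            "Keys on the interpreter's image name; a renamed copy is not covered".to_string())]),
    }
}

fn main() {
    let rule = sample_rule();
    for s in AdsSection::all() {
        println!("{:<18} via {:<15} present={}", s.id(), s.carrier_field(), s.is_present(&rule));
    }
    println!("missing required sections: {:?}", missing_required(&rule));
}
```

The blank-means-absent rule matters in practice: a `falsepositives` entry containing only whitespace is reported as missing rather than present, so a linter built on `is_present` will not be satisfied by placeholder entries. Running the example prints one row per section and an empty missing list for the constructed rule; dropping the `attack.*` tags makes `Categorization` appear in that list.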
Trait Implementations

impl Clone for AdsSection
fn clone(&self) -> AdsSection
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.

impl Copy for AdsSection
impl Debug for AdsSection
impl Eq for AdsSection
impl Hash for AdsSection

impl PartialEq for AdsSection
fn eq(&self, other: &AdsSection) -> bool
Tests for self and other values to be equal, and is used by ==.

impl Serialize for AdsSection
impl StructuralPartialEq for AdsSection
Auto Trait Implementations
impl Freeze for AdsSection
impl RefUnwindSafe for AdsSection
impl Send for AdsSection
impl Sync for AdsSection
impl Unpin for AdsSection
impl UnsafeUnpin for AdsSection
impl UnwindSafe for AdsSection
Blanket Implementations

impl<T> BorrowMut<T> for T where T: ?Sized
fn borrow_mut(&mut self) -> &mut T

impl<T> CloneToUninit for T where T: Clone

impl<Q, K> Equivalent<K> for Q
fn equivalent(&self, key: &K) -> bool
Compare self to key and return true if they are equal.