Skip to main content

Detection

rsigma_parser::ast

Enum Detection 

Source 
pub enum Detection {
    AllOf(Vec<DetectionItem>),
    AnyOf(Vec<Detection>),
    Keywords(Vec<SigmaValue>),
    ArrayMatch {
        field: String,
        quantifier: ArrayQuantifier,
        body: Box<Detection>,
    },
    And(Vec<Detection>),
    Conditional {
        named: HashMap<String, Detection>,
        condition: ConditionExpr,
    },
}
Expand description

A detection definition: a group of detection items or nested detections.

When constructed from a YAML mapping, items are AND-linked. When constructed from a YAML list of mappings, sub-detections are OR-linked.

Reference: pySigma rule/detection.py SigmaDetection

Variants§

§

AllOf(Vec<DetectionItem>)

AND-linked detection items (from a YAML mapping).

§

AnyOf(Vec<Detection>)

OR-linked sub-detections (from a YAML list of mappings).

§

Keywords(Vec<SigmaValue>)

Keyword detection: plain value(s) without a field.

§

ArrayMatch

Array object-scope quantifier block: field[any]: / field[all]: opening a nested detection that is evaluated against a single array member.

  • field is the dot-path to the array (quantifier markers stripped).
  • quantifier decides whether one (any) or every (all) member must satisfy body.
  • body is the nested detection applied per member. A body item with no field name (FieldSpec::name == None) matches the array member value itself (the scalar-array case field[all]: value).

This is the only construct that expresses same-member correlation across multiple predicates, and the only one that lowers cleanly to backend array primitives (Elasticsearch nested, KQL mv-apply, SQL jsonb_array_elements, Splunk mvexpand).

Fields

§field: String

Dot-path to the array field (quantifier markers stripped).

§quantifier: ArrayQuantifier

Whether one or all members must satisfy body.

§body: Box<Detection>

Nested detection evaluated against a single array member.

§

And(Vec<Detection>)

AND of heterogeneous sub-detections. Produced when a YAML mapping mixes plain detection items with one or more array object-scope blocks, which Detection::AllOf (a list of simple items) cannot represent.

§

Conditional

Extended object-scope block body: named element-scoped sub-selections combined by a condition expression (the recursive “mini-event” form), enabling per-element and/or/not. Produced only as an ArrayMatch body when the block map carries a condition: key. The basic conjunction-map body is the degenerate case (an implicit AND of items); this is the explicit-condition form.

Fields

§named: HashMap<String, Detection>

Element-scoped named sub-selections (each a nested detection).

§condition: ConditionExpr

Boolean combination of the named sub-selections, evaluated per array member.

Trait Implementations§

Source§

impl Clone for Detection

Source§

fn clone(&self) -> Detection

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for Detection

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl PartialEq for Detection

Source§

fn eq(&self, other: &Detection) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Serialize for Detection

Source§

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer. Read more
Source§

impl StructuralPartialEq for Detection

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.