pub struct Disposition {
    pub rule_id: Option<String>,
    pub verdict: Verdict,
    pub scope: DispositionScope,
    pub fingerprint: Option<String>,
    pub incident_id: Option<String>,
    pub timestamp: i64,
    pub analyst: Option<String>,
    pub note: Option<String>,
}
A validated, normalized disposition ready for the store.
rule_id is None only for an incident-scoped record that the daemon has
not yet resolved to its contributing rules; the store rejects such a record
until a rule_id is supplied.
Fields

rule_id: Option<String>
    The rule identity the verdict accounts against (the rule’s id, with the title as the fallback the per-rule metrics already use).
verdict: Verdict
    The analyst verdict.
scope: DispositionScope
    Detection- or incident-scoped.
fingerprint: Option<String>
    The alert-pipeline dedup fingerprint, when carried.
incident_id: Option<String>
    The alert-pipeline incident id, required for incident scope.
timestamp: i64
    Epoch seconds for rolling-window placement (defaults to ingest time).
analyst: Option<String>
    Optional analyst identity, recorded for traceability.
note: Option<String>
    Optional bounded free-text note, recorded for traceability.
Implementations

impl Disposition

pub fn from_raw(raw: RawDisposition, now: i64) -> Result<Self, DispositionError>
    Validate and normalize a RawDisposition, using now (epoch seconds)
    as the default timestamp when none is supplied.

pub fn dedup_key(&self) -> String
    The idempotency key for redelivery dedup: (fingerprint or incident_id,
    verdict, rule_id) when an alert identity is present, otherwise
    (rule_id, timestamp, analyst).

    The rule_id is always part of the key. It is redundant for a
    fingerprint (which already identifies a single rule’s alert) but
    essential for an incident_id, which fans out to every contributing
    rule: without it, the per-rule records an incident expands into would
    collapse to one and only the first rule would be counted.
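An added example, not the crate's own code: a reconstruction of dedup_key from the description above, with a fan-out helper that shows why rule_id has to be in the key once an incident is expanded into per-rule records. The Verdict and DispositionScope variants are assumed placeholders.

```rust
use std::collections::HashSet;
// Verdict and DispositionScope variants below are assumed, not the crate's.
#[derive(Clone, Debug, PartialEq)]
pub enum Verdict { TruePositive, FalsePositive }
#[derive(Clone, Debug, PartialEq)]
pub enum DispositionScope { Detection, Incident }
#[derive(Clone, Debug, PartialEq)]
pub struct Disposition {
    pub rule_id: Option<String>,
    pub verdict: Verdict,
    pub scope: DispositionScope,
    pub fingerprint: Option<String>,
    pub incident_id: Option<String>,
    pub timestamp: i64,
    pub analyst: Option<String>,
    pub note: Option<String>,
}
impl Disposition {
    /// (fingerprint or incident_id, verdict, rule_id) when an alert identity
    /// is present; otherwise (rule_id, timestamp, analyst).
    pub fn dedup_key(&self) -> String {
        let rule = self.rule_id.as_deref().unwrap_or("");
        match self.fingerprint.as_deref().or(self.incident_id.as_deref()) {
            Some(alert) => format!("{}|{:?}|{}", alert, self.verdict, rule),
            None => format!(
                "{}|{}|{}", rule, self.timestamp, self.analyst.as_deref().unwrap_or("")
            ),
        }
    }
    /// The same key with rule_id left out: the collapse the doc warns about.
    pub fn key_without_rule(&self) -> String {
        let alert = self.fingerprint.as_deref().or(self.incident_id.as_deref());
        format!("{}|{:?}", alert.unwrap_or(""), self.verdict)
    }
}
/// Expand an incident-scoped record into one per-rule record per contributing
/// rule, as the daemon does before the store sees it (assumed shape).
pub fn fan_out(incident: &Disposition, rules: &[&str]) -> Vec<Disposition> {
    rules.iter()
        .map(|r| Disposition { rule_id: Some(r.to_string()), ..incident.clone() })
        .collect()
}
/// How many records survive redelivery dedup under a given key function.
pub fn survivors(records: &[Disposition], key: fn(&Disposition) -> String) -> usize {
    records.iter().map(|d| key(d)).collect::<HashSet<_>>().len()
}
```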
Trait Implementations

impl Clone for Disposition
    fn clone(&self) -> Disposition
    fn clone_from(&mut self, source: &Self)
        Performs copy-assignment from source.
impl Debug for Disposition
impl PartialEq for Disposition
    fn eq(&self, other: &Disposition) -> bool
        Tests for self and other values to be equal, and is used by ==.
impl StructuralPartialEq for Disposition

Auto Trait Implementations

impl Freeze for Disposition
impl RefUnwindSafe for Disposition
impl Send for Disposition
impl Sync for Disposition
impl Unpin for Disposition
impl UnsafeUnpin for Disposition
impl UnwindSafe for Disposition
Blanket Implementations

impl<T> AnyExt for T
    fn downcast_ref<T>(this: &Self) -> Option<&T> where T: Any
    fn downcast_mut<T>(this: &mut Self) -> Option<&mut T> where T: Any
    fn downcast_rc<T>(this: Rc<Self>) -> Result<Rc<T>, Rc<Self>> where T: Any
    fn downcast_arc<T>(this: Arc<Self>) -> Result<Arc<T>, Arc<Self>> where T: Any
impl<T> BorrowMut<T> for T where T: ?Sized
    fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T where T: Clone
impl<T, X> CoerceTo<T> for X where T: CoerceFrom<X> + ?Sized
    fn coerce_rc_to(self: Rc<X>) -> Rc<T>
    fn coerce_box_to(self: Box<X>) -> Box<T>
    fn coerce_ref_to(&self) -> &T
    fn coerce_mut_to(&mut self) -> &mut T
impl<T> Instrument for T
    fn instrument(self, span: Span) -> Instrumented<Self>
    fn in_current_span(self) -> Instrumented<Self>
impl<T> IntoEither for T
    fn into_either(self, into_left: bool) -> Either<Self, Self>
        Converts self into a Left variant of Either<Self, Self> if into_left is true.
        Converts self into a Right variant of Either<Self, Self> otherwise.
    fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
        Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true.
        Converts self into a Right variant of Either<Self, Self> otherwise.