```rust
pub struct RiskIncidentResult {
    pub risk_incident_id: String,
    pub entity_type: String,
    pub entity_value: String,
    pub trigger: &'static str,
    pub score: i64,
    pub score_threshold: Option<i64>,
    pub tactic_count: u64,
    pub tactic_count_threshold: Option<u64>,
    pub tactics: Vec<String>,
    pub sources: Vec<String>,
    pub source_count: u64,
    pub window_start: i64,
    pub window_end: i64,
    pub result_count: u64,
    pub refs: Option<Vec<RiskRef>>,
    pub results: Option<Vec<Value>>,
}
```
The wire shape emitted when an entity crosses a risk threshold. One flat
NDJSON object, disambiguated downstream by the presence of risk_incident_id.
Fields

risk_incident_id: String
    Surrogate UUIDv4 identity for this incident.
entity_type: String
    The risk-object type, e.g. user.
entity_value: String
    The entity value, e.g. alice.
trigger: &'static str
    What crossed the threshold: score or tactic_count.
score: i64
    The accumulated risk score over the window.
score_threshold: Option<i64>
    The configured score threshold, when set.
tactic_count: u64
    The distinct ATT&CK tactic count over the window.
tactic_count_threshold: Option<u64>
    The configured tactic-count threshold, when set.
tactics: Vec<String>
    The distinct ATT&CK tactics contributing over the window.
sources: Vec<String>
    The distinct contributing sources (rule identities) over the window, bounded by max_sources_per_entity.
source_count: u64
    The distinct contributing-source count over the window.
window_start: i64
window_end: i64
    First and last contributing-detection timestamps (unix seconds).
result_count: u64
    Number of contributing detections retained over the window.
refs: Option<Vec<RiskRef>>
    Contributing references (include: refs), bounded by max_results_per_incident.
results: Option<Vec<Value>>
    Contributing results (include: results), event payloads stripped and stored as serialized JSON values, bounded by max_results_per_incident.
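A downstream consumer of this wire shape, written here as an added example rather than code from the project: it reads an NDJSON stream, applies the disambiguation rule above (an object is an incident only if it carries risk_incident_id), checks that the named trigger's threshold is set and was actually reached, and flags count fields that disagree with their arrays. The sample lines, UUIDs and rule names are constructed; "crossing" is assumed to mean reaching or exceeding the configured threshold.

```python
import json
import re
from typing import Iterable, Iterator

# Constructed sample stream: a plain detection, a score-triggered incident, and an
# incident whose trigger names a threshold that was never configured (a malformed emit).
SAMPLE_NDJSON = """\
{"rule": "ssh-bruteforce", "entity_type": "user", "entity_value": "alice", "score": 20}
{"risk_incident_id": "11111111-2222-4333-8444-555555555555", "entity_type": "user", "entity_value": "alice", "trigger": "score", "score": 120, "score_threshold": 100, "tactic_count": 2, "tactic_count_threshold": null, "tactics": ["TA0001", "TA0006"], "sources": ["ssh-bruteforce", "new-mfa-device"], "source_count": 2, "window_start": 1700000000, "window_end": 1700003600, "result_count": 5, "refs": null, "results": null}
{"risk_incident_id": "66666666-7777-4888-9999-aaaaaaaaaaaa", "entity_type": "host", "entity_value": "web-01", "trigger": "tactic_count", "score": 40, "score_threshold": 100, "tactic_count": 3, "tactic_count_threshold": null, "tactics": ["TA0001", "TA0002", "TA0003"], "sources": ["s1"], "source_count": 1, "window_start": 1700000000, "window_end": 1700000600, "result_count": 3, "refs": null, "results": null}
"""

# Surrogate identity is documented as UUIDv4: version nibble 4, variant nibble 8-b.
UUID_V4 = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def is_risk_incident(obj: dict) -> bool:
    """Disambiguation rule from the docs: presence of risk_incident_id marks an incident."""
    return "risk_incident_id" in obj

def trigger_is_consistent(incident: dict) -> bool:
    """The named trigger must have a configured threshold, and the value must have reached it."""
    trig = incident["trigger"]
    if trig == "score":
        thr = incident.get("score_threshold")
        return thr is not None and incident["score"] >= thr
    if trig == "tactic_count":
        thr = incident.get("tactic_count_threshold")
        return thr is not None and incident["tactic_count"] >= thr
    return False  # unknown trigger value

def incidents(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only the incident objects from an NDJSON stream; other detections pass through untouched."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        obj = json.loads(raw)
        if is_risk_incident(obj):
            yield obj

def summarize(incident: dict) -> dict:
    return {
        "entity": f"{incident['entity_type']}:{incident['entity_value']}",
        "trigger": incident["trigger"],
        "id_ok": bool(UUID_V4.match(incident["risk_incident_id"])),
        "consistent": trigger_is_consistent(incident),
        "window_seconds": incident["window_end"] - incident["window_start"],
        "source_count_matches": incident["source_count"] == len(incident["sources"]),
    }

def process(ndjson: str) -> list[dict]:
    return [summarize(i) for i in incidents(ndjson.splitlines())]
```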
Trait Implementations

impl Clone for RiskIncidentResult
    fn clone(&self) -> RiskIncidentResult
    fn clone_from(&mut self, source: &Self)
impl Debug for RiskIncidentResult

Auto Trait Implementations
impl Freeze for RiskIncidentResult
impl RefUnwindSafe for RiskIncidentResult
impl Send for RiskIncidentResult
impl Sync for RiskIncidentResult
impl Unpin for RiskIncidentResult
impl UnsafeUnpin for RiskIncidentResult
impl UnwindSafe for RiskIncidentResult
Blanket Implementations

impl<T> AnyExt for T
    fn downcast_ref<T>(this: &Self) -> Option<&T> where T: Any
        T behind reference
    fn downcast_mut<T>(this: &mut Self) -> Option<&mut T> where T: Any
        T behind mutable reference
    fn downcast_rc<T>(this: Rc<Self>) -> Result<Rc<T>, Rc<Self>> where T: Any
        T behind Rc pointer
    fn downcast_arc<T>(this: Arc<Self>) -> Result<Arc<T>, Arc<Self>> where T: Any
        T behind Arc pointer
impl<T> BorrowMut<T> for T where T: ?Sized
    fn borrow_mut(&mut self) -> &mut T
impl<T> CloneToUninit for T where T: Clone
impl<T, X> CoerceTo<T> for X where T: CoerceFrom<X> + ?Sized
    fn coerce_rc_to(self: Rc<X>) -> Rc<T>
    fn coerce_box_to(self: Box<X>) -> Box<T>
    fn coerce_ref_to(&self) -> &T
    fn coerce_mut_to(&mut self) -> &mut T
impl<T> Instrument for T
    fn instrument(self, span: Span) -> Instrumented<Self>
    fn in_current_span(self) -> Instrumented<Self>
impl<T> IntoEither for T
    fn into_either(self, into_left: bool) -> Either<Self, Self>
        Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.
    fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
        Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.