pub struct Rule {
    pub title: String,
    pub id: Option<String>,
    pub name: Option<String>,
    pub related: Option<Vec<Related>>,
    pub taxonomy: Option<String>,
    pub status: Option<Status>,
    pub description: Option<String>,
    pub license: Option<String>,
    pub author: Option<String>,
    pub references: Option<Vec<String>>,
    pub date: Option<String>,
    pub modified: Option<String>,
    pub logsource: Logsource,
    pub detection: Detection,
    pub fields: Option<Vec<String>>,
    pub falsepositives: Option<Vec<String>>,
    pub level: Option<Level>,
    pub tags: Option<Vec<String>>,
    pub custom_fields: HashMap<String, Value>,
}
The Rule struct implements the Sigma rule specification 2.0.0, released 08.08.2024.
The full specification can be found at: https://github.com/SigmaHQ/sigma-specification/blob/main/specification/sigma-rules-specification.md
Fields
title: String
A brief title for the rule that should contain what the rule is supposed to detect (max. 256 characters)
id: Option<String>
Sigma rules should be identified by a globally unique identifier in the id attribute. For this purpose, randomly generated UUIDs (version 4) are used.
name: Option<String>
name is a unique human-readable name that can be used instead of the id as a reference in correlation rules. The goal is to improve the readability of correlation rules.
related: Option<Vec<Related>>
To be able to keep track of the relationships between detections, Sigma rules may also contain references to related rule identifiers in the related attribute.
taxonomy: Option<String>
status: Option<Status>
description: Option<String>
A short and accurate description of the rule and the malicious or suspicious activity that can be detected (max. 65,535 characters)
license: Option<String>
License of the rule, in the format described at https://spdx.dev/learn/handling-license-info/.
author: Option<String>
Creator of the rule (a name, nickname, Twitter handle, etc.). If there is more than one, they are separated by a comma.
references: Option<Vec<String>>
References to the sources that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets.
date: Option<String>
Creation date of the rule. Use the ISO 8601 date format with separators: YYYY-MM-DD
modified: Option<String>
Last modification date of the rule. Use the ISO 8601 date format with separators: YYYY-MM-DD
logsource: Logsource
This section describes the log data on which the detection is meant to be applied. It describes the log source, the platform, the application and the type that is required in the detection.
detection: Detection
A set of search-identifiers that represent properties of searches on log data.
fields: Option<Vec<String>>
A list of log fields that could be interesting for further analysis of the event and should be displayed to the analyst.
falsepositives: Option<Vec<String>>
A list of known false positives that may occur.
level: Option<Level>
The level field contains one of five string values. It describes the criticality of a triggered rule. While low and medium level events have an informative character, events with high and critical level should lead to immediate reviews by security analysts.
tags: Option<Vec<String>>
Tags should generally follow this syntax:
- Character set: lower-case letters, numerals, underscores and hyphens
- No spaces
- Tags are namespaced; the dot is used as separator, e.g. attack.t1234 refers to technique 1234 in the namespace attack. Namespaces may also be nested.
- Keep tags short, e.g. numeric identifiers instead of long sentences
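The tag syntax above is easy to check mechanically before a rule is merged. The following is an added example, not code from sigma_rust or the specification: a std-only tag lint whose type and function names are its own, run over constructed sample tags.

```rust
// Added example: std-only lint for the Sigma tag syntax rules listed above.
// Not part of sigma_rust; TagError, validate_tag and lint_tags are this example's names.

/// Why a tag was rejected.
#[derive(Debug, PartialEq)]
pub enum TagError {
    Empty,
    /// A space or any character outside a-z, 0-9, '_' and '-'.
    BadChar(char),
    /// No dot at all: every tag carries a namespace, e.g. attack.t1234.
    NoNamespace,
    /// A leading, trailing or doubled dot leaves an empty segment.
    EmptySegment,
}

/// Validate one tag: lower-case letters, numerals, underscores and hyphens,
/// no spaces, dot-separated namespaces (nesting allowed).
pub fn validate_tag(tag: &str) -> Result<(), TagError> {
    if tag.is_empty() {
        return Err(TagError::Empty);
    }
    // The dot is allowed here as the namespace separator; segments are checked below.
    let allowed = |c: char| c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '_' | '-' | '.');
    if let Some(c) = tag.chars().find(|&c| !allowed(c)) {
        return Err(TagError::BadChar(c));
    }
    let segments: Vec<&str> = tag.split('.').collect();
    if segments.len() < 2 {
        return Err(TagError::NoNamespace);
    }
    if segments.iter().any(|s| s.is_empty()) {
        return Err(TagError::EmptySegment);
    }
    Ok(())
}

/// Lint a whole `tags` list, returning each offending tag with its error.
pub fn lint_tags(tags: &[&str]) -> Vec<(String, TagError)> {
    tags.iter().filter_map(|t| validate_tag(t).err().map(|e| (t.to_string(), e))).collect()
}

fn main() {
    // Constructed sample tags: the first two are valid, the rest violate one rule each.
    let tags = ["attack.t1234", "attack.defense-evasion", "Attack.T1234", "attack t1234", "attack", "attack..t1234"];
    for (tag, err) in lint_tags(&tags) {
        println!("{tag}: {err:?}");
    }
}
```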
custom_fields: HashMap<String, Value>
Capture any additional fields
Implementations
impl Rule
pub fn is_match(&self, event: &Event) -> bool
Check if the event matches the rule
Example
use sigma_rust::{rule_from_yaml, Event, Rule};

// YAML indentation matters: selection_1, selection_2 and condition are
// children of detection, and the contains list belongs to field_name.
let rule_yaml = r#"
title: Some test title
logsource:
    category: test
detection:
    selection_1:
        field_name|contains:
            - this
            - that
    selection_2:
        null_field: null
    condition: all of selection_*
"#;
let rule = rule_from_yaml(rule_yaml).unwrap();
// field_name contains "this" and null_field is explicitly null, so both
// selections match and the "all of selection_*" condition holds.
let mut event = Event::from([("field_name", "this")]);
event.insert("null_field", None);
assert!(rule.is_match(&event));