
1use crate::prelude::types::LogString;
2
3use super::super::events::SiemLog;
4use super::alert::SiemAlert;
5use super::command::{CommandDefinition, SiemCommandCall, SiemCommandHeader, SiemCommandResponse};
6use super::dataset::{SiemDataset, SiemDatasetType};
7use super::metrics::SiemMetricDefinition;
8use super::task::{SiemTask, SiemTaskResult, TaskDefinition};
9use serde::{Deserialize, Serialize};
10
/// Message exchanged between SIEM components.
///
/// Each variant wraps one payload type; the `From` impls at the bottom of
/// this file build the corresponding variant from its payload. The enum is
/// `#[non_exhaustive]`, so downstream `match`es need a wildcard arm.
#[derive(Serialize, Deserialize, Debug)]
#[non_exhaustive]
pub enum SiemMessage {
    /// Execute a command in the component
    Command(SiemCommandHeader, SiemCommandCall),
    /// Response to a function call, first element is the ID of the Response
    Response(SiemCommandHeader, SiemCommandResponse),
    /// Process a log
    Log(SiemLog),
    /// Local logging system. First element is the ID of the component, to be able to route messages
    // NOTE(review): the payload is a single `Notification`; "first element" presumably
    // refers to `Notification::component` — confirm against the router.
    Notification(Notification),
    #[serde(skip)]
    /// Dataset updated, this is the last state of it.
    // `#[serde(skip)]`: this variant is never serialized or deserialized, so it
    // presumably only travels in-process — confirm with the transport layer.
    Dataset(SiemDataset),
    /// Alerting
    Alert(SiemAlert),
    /// Run a task in the component
    Task(SiemCommandHeader, SiemTask),
    /// Result of a task previously sent as `Task`
    TaskResult(SiemCommandHeader, SiemTaskResult),
}
30
/// An internal event that occurs in a SIEM component, such as problems, errors or just information on current operations.
#[derive(Serialize, Deserialize, Debug)]
pub struct Notification {
    /// When the event happened. Epoch and unit are not fixed here — presumably a Unix
    /// timestamp; confirm with the producers.
    pub timestamp: i64,
    /// Numeric ID of the component that produced the event; per the
    /// `SiemMessage::Notification` doc it is what the router uses to deliver the message.
    pub component: u64,
    /// Human-readable name of the producing component.
    pub component_name: LogString,
    /// The notification text. Free text: nothing here bounds or escapes it, so sinks
    /// that render it should treat it as untrusted.
    pub log: LogString,
    /// Severity / verbosity of the event.
    pub level: NotificationLevel,
}
40
/// Severity / verbosity level of a [`Notification`].
///
/// Declaration order defines the derived `Ord`:
/// `Off < Error < Warn < Info < Debug < Trace`, so a "greater" level is more
/// verbose. With `#[repr(usize)]` and no explicit discriminants the variants
/// are numbered `0..=5` in this same order.
#[derive(Serialize, Deserialize, Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
#[repr(usize)]
pub enum NotificationLevel {
    /// Nothing is reported
    Off,
    /// Failures that need attention
    Error,
    /// Suspicious but non-fatal conditions
    Warn,
    /// Routine operational information
    Info,
    /// Developer-oriented detail
    Debug,
    /// Most verbose level
    Trace,
}
51
/// What is supported by a component: commands that it accepts, datasets that it uses, exported metrics...
///
/// Only `Serialize` is derived (no `Deserialize`): this is an advertisement a
/// component publishes about itself, not something parsed from the outside.
#[derive(Serialize, Debug, Clone)]
pub struct SiemComponentCapabilities {
    /// Component name.
    name: LogString,
    /// Human-readable description of the component.
    description: LogString,
    /// NOTE(review): presumably an identifier of the UI view for this component — confirm.
    view: LogString,
    /// Datasets the component reads or updates, with the role required to access each.
    datasets: Vec<DatasetDefinition>,
    /// Commands the component accepts.
    commands: Vec<CommandDefinition>,
    /// Tasks the component can run.
    tasks: Vec<TaskDefinition>,
    /// Metrics the component exports.
    metrics: Vec<SiemMetricDefinition>,
}
impl SiemComponentCapabilities {
    /// Builds the capability description of a component from its parts.
    ///
    /// Every argument is stored as given; nothing is validated or deduplicated here,
    /// so callers are responsible for not advertising duplicate commands or datasets.
    pub fn new(
        name: LogString,
        description: LogString,
        view: LogString,
        datasets: Vec<DatasetDefinition>,
        commands: Vec<CommandDefinition>,
        tasks: Vec<TaskDefinition>,
        metrics: Vec<SiemMetricDefinition>,
    ) -> Self {
        Self {
            name,
            description,
            view,
            datasets,
            commands,
            tasks,
            metrics,
        }
    }
    /// Component name.
    pub fn name(&self) -> &str {
        &self.name
    }
    /// Human-readable description of the component.
    pub fn description(&self) -> &str {
        &self.description
    }
    /// View identifier (see the field doc for the assumed meaning).
    pub fn view(&self) -> &str {
        &self.view
    }
    /// Datasets the component uses, with their required permission.
    pub fn datasets(&self) -> &Vec<DatasetDefinition> {
        &self.datasets
    }
    /// Commands the component accepts.
    pub fn commands(&self) -> &Vec<CommandDefinition> {
        &self.commands
    }
    /// Tasks the component can run.
    pub fn tasks(&self) -> &Vec<TaskDefinition> {
        &self.tasks
    }
    /// Metrics the component exports.
    pub fn metrics(&self) -> &Vec<SiemMetricDefinition> {
        &self.metrics
    }
}
105
/// An easy to use role based system
///
/// Only `PartialEq` is derived — there is no `Ord`/`PartialOrd` — so the
/// declaration order is not a privilege hierarchy. Authorization checks must
/// compare roles explicitly; do not rely on variant position.
#[derive(Serialize, Deserialize, Debug, Clone, PartialEq)]
pub enum UserRole {
    /// Review the system (Read-Only configuration: rules, use-cases, Sources with parsers)
    Compliance,
    /// Do searches (Read-Only configuration and information)
    Analyst,
    /// Launch postprocesses (Read-only configuration and Read-Write information)
    Engineer,
    /// Configure the system (Full Read-Write access)
    Administrator,
}
118
/// A dataset a component advertises in its capabilities, together with the
/// role required to access it.
#[derive(Serialize, Deserialize, Debug, Clone, PartialEq)]
pub struct DatasetDefinition {
    /// Which dataset this is.
    name: SiemDatasetType,
    /// Human-readable description of the dataset.
    description: LogString,
    /// Role a user needs to access the dataset. This struct only records the
    /// requirement; enforcement happens wherever the dataset is served.
    required_permission: UserRole,
}
impl DatasetDefinition {
    /// Creates a dataset definition; all three parts are stored unchanged.
    pub fn new(
        name: SiemDatasetType,
        description: LogString,
        required_permission: UserRole,
    ) -> DatasetDefinition {
        Self { name, description, required_permission }
    }

    /// Which dataset this definition describes.
    pub fn name(&self) -> &SiemDatasetType { &self.name }

    /// Human-readable description of the dataset.
    pub fn description(&self) -> &LogString { &self.description }

    /// Role required to access the dataset (recorded here, enforced elsewhere).
    pub fn required_permission(&self) -> &UserRole { &self.required_permission }
}
150
impl From<SiemCommandCall> for SiemMessage {
    /// Wraps a command call into a `Command` message.
    ///
    /// The header is `SiemCommandHeader::default()`, so whatever routing or
    /// correlation data the header carries is left at its default; callers
    /// that need a specific header must build the variant directly.
    fn from(call: SiemCommandCall) -> Self {
        let header = SiemCommandHeader::default();
        Self::Command(header, call)
    }
}
156
impl From<SiemCommandResponse> for SiemMessage {
    /// Wraps a command response into a `Response` message with a default header.
    ///
    /// The variant doc says the header carries the response ID; a defaulted
    /// header does not relate this response to any request, so callers that
    /// need correlation should build `SiemMessage::Response` themselves.
    fn from(response: SiemCommandResponse) -> Self {
        let header = SiemCommandHeader::default();
        Self::Response(header, response)
    }
}
162
impl From<SiemLog> for SiemMessage {
    /// Wraps a log entry into a `Log` message; no header is involved.
    fn from(log: SiemLog) -> Self {
        Self::Log(log)
    }
}
168
impl From<Notification> for SiemMessage {
    /// Wraps a notification into a `Notification` message.
    fn from(notification: Notification) -> Self {
        Self::Notification(notification)
    }
}
174
impl From<SiemAlert> for SiemMessage {
    /// Wraps an alert into an `Alert` message.
    fn from(alert: SiemAlert) -> Self {
        Self::Alert(alert)
    }
}
180
impl From<SiemDataset> for SiemMessage {
    /// Wraps a dataset into a `Dataset` message.
    ///
    /// Note that `SiemMessage::Dataset` is `#[serde(skip)]`, so a message built
    /// here cannot be serialized.
    fn from(dataset: SiemDataset) -> Self {
        Self::Dataset(dataset)
    }
}
186
impl From<SiemTask> for SiemMessage {
    /// Wraps a task into a `Task` message with a default header.
    ///
    /// Any routing data in `SiemCommandHeader` is left at its default value;
    /// build the variant directly when a specific header is required.
    fn from(task: SiemTask) -> Self {
        let header = SiemCommandHeader::default();
        Self::Task(header, task)
    }
}
192
impl From<SiemTaskResult> for SiemMessage {
    /// Wraps a task result into a `TaskResult` message with a default header.
    ///
    /// The defaulted header does not tie the result to the originating task;
    /// callers needing that correlation should construct the variant directly.
    fn from(result: SiemTaskResult) -> Self {
        let header = SiemCommandHeader::default();
        Self::TaskResult(header, result)
    }
}
197}