
1use super::common::UserRole;
2use serde::ser::{SerializeStruct, Serializer};
3use serde::Serialize;
4use std::fmt;
5
/// A detection use case: what is detected, how, what the detection cannot
/// see, which rule implements it and which playbook steps follow an incident.
///
/// Every text field is a `&'static str`, which suggests use cases are meant
/// to be declared as a static catalogue rather than built from runtime input.
#[derive(Clone)]
pub struct SiemUseCase {
    /// Short name of the use case.
    pub name: &'static str,
    /// What the use case is intended to detect.
    pub description: &'static str,
    /// Human-readable outline of the detection logic.
    pub case_logic: &'static str,
    /// Known blind spots: situations this use case cannot detect.
    pub limitations: &'static str,
    /// Device requirements as `(product, service, category)`; all given
    /// entries must match (AND). A `None` entry presumably leaves that
    /// dimension unconstrained — confirm against the code that evaluates it.
    pub requirements: (Option<&'static str>, Option<&'static str>, Option<&'static str>),
    /// Name of the rule that detects this use case (the name only, not the rule body).
    pub rule: &'static str,
    /// Playbook: the steps to perform when an incident occurs.
    pub actions: Vec<SiemPlaybookStep>,
}
27
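// Compact debug representation for logs: only `name` and `description` are
// printed; the playbook, rule and requirements are left out on purpose
// (the full record is available through `Serialize`).
impl fmt::Debug for SiemUseCase {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Fix: the output was labelled "Point" (a copy-paste leftover), which
        // mislabels the type in log lines and debug dumps.
        f.debug_struct("SiemUseCase")
            .field("name", &self.name)
            .field("description", &self.description)
            .finish()
    }
}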
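// Serialises every field of the use case. The name handed to
// `serialize_struct` is what self-describing formats emit as the type tag,
// and the field count must stay equal to the number of `serialize_field`
// calls below.
impl Serialize for SiemUseCase {
    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: Serializer,
    {
        // Fix: the type tag was "SiemAutomatedStep", copied from the other
        // impl in this file; a consumer keyed on the tag would mis-decode it.
        let mut state = serializer.serialize_struct("SiemUseCase", 7)?;
        state.serialize_field("name", &self.name)?;
        state.serialize_field("description", &self.description)?;
        state.serialize_field("case_logic", &self.case_logic)?;
        state.serialize_field("limitations", &self.limitations)?;
        state.serialize_field("rule", &self.rule)?;
        state.serialize_field("actions", &self.actions)?;
        state.serialize_field("requirements", &self.requirements)?;
        state.end()
    }
}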
52
/// One step of a use-case playbook.
///
/// A step is either something an analyst does by hand, or an automated task
/// the analyst may choose to trigger (subject to the step's `min_role`).
#[derive(Debug, Serialize, Clone)]
pub enum SiemPlaybookStep {
    /// Manual action performed by an analyst: `(name, description)`.
    Manual(&'static str, &'static str),
    /// Automated action the analyst can request, e.g. filter an IP or
    /// remediate an email.
    Automated(SiemAutomatedStep),
}
60
/// An automated playbook step: which task to run, and who may run it.
#[derive(Clone)]
pub struct SiemAutomatedStep {
    /// Minimum role required to execute this step.
    ///
    /// NOTE(review): this value is also serialised (see `Serialize` below), so
    /// a client can see it; treat it as a display hint and enforce the role
    /// check where the task is actually dispatched — confirm that happens.
    pub min_role: UserRole,
    /// Identifier of the task to execute. The `String` argument passed to the
    /// task is the `aggr_key` of the alert generated by the rule.
    pub action: &'static str,
    /// Name of the step.
    pub name: &'static str,
    /// Description of the step.
    pub description: &'static str,
}
72
// Serialises an automated step for consumers (UI/API). Only `min_role`,
// `name` and `description` are emitted; `action` — the internal task
// identifier — is not written out, presumably on purpose so it never leaves
// the server. Keep the field count (3) in sync with the fields emitted.
impl Serialize for SiemAutomatedStep {
    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: Serializer,
    {
        let mut out = serializer.serialize_struct("SiemAutomatedStep", 3)?;
        out.serialize_field("min_role", &self.min_role)?;
        out.serialize_field("name", &self.name)?;
        out.serialize_field("description", &self.description)?;
        out.end()
    }
}
85
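// Compact debug representation: `name` and `description` only. `action` and
// `min_role` are intentionally not printed, matching the `Serialize` impl.
impl fmt::Debug for SiemAutomatedStep {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Fix: the output was labelled "Point" (a copy-paste leftover), which
        // mislabels the type in log lines and debug dumps.
        f.debug_struct("SiemAutomatedStep")
            .field("name", &self.name)
            .field("description", &self.description)
            .finish()
    }
}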