import { SigmaDate } from "./date";
export type Status = "stable" | "test" | "experimental" | "deprecated" | "unsupported";
export type Level = "informational" | "low" | "medium" | "high" | "critical";
export type RelationType = "derived" | "obsoletes" | "merged" | "renamed" | "similar";
export interface Relation {
    id: string;
    type: RelationType;
}
export interface LogSource {
    category?: string;
    product?: string;
    service?: string;
    definition?: string;
}
export interface Rule {
    title: string;
    id?: string;
    related?: Relation[];
    status?: Status;
    description?: string;
    references?: string[];
    author?: string;
    date?: SigmaDate;
    modified?: SigmaDate;
    tags?: string[];
    level?: Level;
    logsource?: LogSource;
    detection: Detection;
    fields?: string[];
    falsepositives?: string[];
    extra?: Record<string, any>;
}
export interface Detection {
    expr: Expr;
}
export interface LogEntry {
    message: string;
    fields: Record<string, string>;
}
export interface DetectionInput {
    product?: string;
    service?: string;
    category?: string;
    logEntry: LogEntry;
}
export type DetectionQuery = Record<string, string>;
export interface MatchOptions {
    placeholders?: Record<string, string[]>;
}
export interface Expr {
    exprMatches(entry: LogEntry, opts?: MatchOptions): boolean;
}