{"id":28416802,"url":"https://github.com/withsecurelabs/tau-engine","last_synced_at":"2025-06-25T04:31:10.618Z","repository":{"id":37592052,"uuid":"369764697","full_name":"WithSecureLabs/tau-engine","owner":"WithSecureLabs","description":"A document tagging library","archived":false,"fork":false,"pushed_at":"2025-03-27T21:02:48.000Z","size":170,"stargazers_count":30,"open_issues_count":0,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-06-01T11:22:48.314Z","etag":null,"topics":["countercept","detection-engine","rule-engine","rust","tau","yaml"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WithSecureLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-22T09:13:29.000Z","updated_at":"2025-04-19T16:25:34.000Z","dependencies_parsed_at":"2025-03-22T13:29:32.273Z","dependency_job_id":null,"html_url":"https://github.com/WithSecureLabs/tau-engine","commit_stats":null,"previous_names":["countercept/tau-engine"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/WithSecureLabs/tau-engine","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Ftau-engine","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Ftau-engine/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Ftau-engine/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Ftau-engine/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WithSecureLabs","download_url":"https://codeload.github.com/WithSecureLabs/tau-engine/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WithSecureLabs%2Ftau-engine/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":261805058,"owners_count":23212291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["countercept","detection-engine","rule-engine","rust","tau","yaml"],"created_at":"2025-06-04T00:43:48.648Z","updated_at":"2025-06-25T04:31:10.602Z","avatar_url":"https://github.com/WithSecureLabs.png","language":"Rust","readme":"# Tau Engine\n\n[![crates.io](https://img.shields.io/crates/v/tau-engine.svg)](https://crates.io/crates/tau-engine)\n[![Documentation](https://docs.rs/tau-engine/badge.svg)](https://docs.rs/tau-engine)\n\nThis crate provides a library that tags documents by running and matching rules over them.\n\n## Overview\n\nThe engine makes use of a Pratt parser and a tree solver in order to evaluate the detection logic of a rule against a document, if the outcome is true the document is considered tagged by that rule.\n\n## Rules\n\nA rule is used to tag a document and is made up of three parts:\n- `detection`: the logic used to evaluate a document.\n- `true positives`: example documents that must evaluate to true for the given detection.\n- `true negatives`: example documents that must evaluate to false for the given detection.\n\nThe detection block is made up of a condition, and identifiers. 
This allows for simple but\nexpressive rules; below is a brief summary:\n\n### Identifiers\n\nIdentifiers are used to help keep the condition concise and generally contain the core of the\nmatching logic. They consist of Key/Value pairs which allow for the extraction of data from the\ndocument and the evaluation of its value. It should be noted that mappings are treated as\nconjunctions, while sequences are treated as disjunctions.\n\nIdentifiers make use of the following matching logic:\n- `foobar`: an exact match of foobar\n- `foobar*`: starts with foobar\n- `*foobar`: ends with foobar\n- `*foobar*`: contains foobar\n- `?foobar`: regex foobar\n\nAny of the above can be made case insensitive with the `i` prefix, for example:\n- `ifoobar`\n- `ifoobar*`\n\nEscaping can be achieved with a combination of `'` and `\"`.\n\n### Condition\n\nThe condition is just a boolean expression and supports the following:\n- `and`: logical conjunction\n- `or`: logical disjunction\n- `==`: equality comparison\n- `\u003e`, `\u003e=`, `\u003c`, `\u003c=`: numeric comparisons\n- `not`: negate\n- `all(i)`: make sequences behave as conjunctions\n- `of(i, x)`: ensure a sequence has a minimum number of matches\n\n## Examples\n\nThis is an example of how the engine can tag a document against a provided rule:\n\n```toml\ntau-engine = \"1.0\"\n```\n\n```rust\nuse std::borrow::Cow;\n\nuse tau_engine::{Document, Rule, Value};\n\n// Define a document.\nstruct Foo {\n    foo: String,\n}\nimpl Document for Foo {\n    fn find(\u0026self, key: \u0026str) -\u003e Option\u003cValue\u003c'_\u003e\u003e {\n        match key {\n            \"foo\" =\u003e Some(Value::String(Cow::Borrowed(\u0026self.foo))),\n            _ =\u003e None,\n        }\n    }\n}\n\n// Write a rule.\nlet rule = r#\"\ndetection:\n  A:\n    foo: foobar\n  condition: A\ntrue_positives:\n- foo: foobar\ntrue_negatives:\n- foo: foo\n\"#;\n\n// Load and validate a rule.\nlet rule = 
Rule::load(rule).unwrap();\nassert_eq!(rule.validate().unwrap(), true);\n\n// Create a document.\nlet foo = Foo {\n    foo: \"foobar\".to_owned(),\n};\n\n// Evaluate the document with the rule.\nassert_eq!(rule.matches(\u0026foo), true);\n```\n\nThis is an example of how the engine can be used to tag on JSON.\n\n```toml\ntau-engine = { version = \"1.0\", features = [\"json\"] }\n```\n\n```rust\nuse serde_json::json;\nuse tau_engine::{Document, Rule};\n\n// Write a rule.\nlet rule = r#\"\ndetection:\n  A:\n    foo: foobar\n  condition: A\ntrue_positives:\n- foo: foobar\ntrue_negatives:\n- foo: foo\n\"#;\n\n// Load and validate a rule.\nlet rule = Rule::load(rule).unwrap();\nassert_eq!(rule.validate().unwrap(), true);\n\n// Create a document.\nlet foo = json!({\n    \"foo\": \"foobar\",\n});\n\n// Evaluate the document with the rule.\nassert_eq!(rule.matches(\u0026foo), true);\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Ftau-engine","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwithsecurelabs%2Ftau-engine","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwithsecurelabs%2Ftau-engine/lists"}