
Return the specific matching event values that triggered each condition #16

@bradleyjkemp

Description


While the Result type tells you which conditions matched in your rule, it doesn't help you know why they matched.

So, e.g., for phish.report/IOK rules, you can have a long list of requests made by the page, and so a condition:

dodgyRequest:
    request|endswith: 5844ad4.js

doesn't help you identify the specific bad request.

Proposal to make a breaking API change to extend the result to include the matching value, e.g.:

type Result struct {
	Match            bool                    // whether this event matches the Sigma rule
	SearchResults    map[string]SearchResult // For each Search, whether it matched the event and on which values
	ConditionResults []bool                  // For each Condition, whether it matched the event
}

type SearchResult struct {
	Matched       bool
	MatchedValues map[string]interface{} // A map from field name to the event value(s) that matched
}

Callers of the library can then present useful information to their users.
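An added example (not sigma-go's code) of what a search evaluator would have to do to populate the proposed SearchResult: the hypothetical evalEndsWith evaluates one "field|endswith" search against an event whose field may hold a single string or a list of strings (the page's request list), and records the specific values that matched, so that ConditionResults can be explained to the user.

```go
package main

import (
	"fmt"
	"strings"
)

// SearchResult follows the shape proposed above: whether the search matched,
// plus the field -> matched value(s) that caused it to match.
type SearchResult struct {
	Matched       bool
	MatchedValues map[string]interface{}
}

// evalEndsWith is a hypothetical helper, not part of sigma-go's API. It
// evaluates one "field|endswith: suffix" search. If several values in a list
// field match, all of them are kept (as a []string) rather than just the first.
func evalEndsWith(event map[string]interface{}, field, suffix string) SearchResult {
	res := SearchResult{MatchedValues: map[string]interface{}{}}
	var candidates []string
	switch v := event[field].(type) {
	case string:
		candidates = []string{v}
	case []string:
		candidates = v
	default:
		return res // missing or unsupported field type: no match
	}
	var matched []string
	for _, c := range candidates {
		if strings.HasSuffix(c, suffix) {
			matched = append(matched, c)
		}
	}
	if len(matched) > 0 {
		res.Matched = true
		res.MatchedValues[field] = matched
	}
	return res
}

func main() {
	// Constructed sample event: every request URL a page made (example.com hosts).
	event := map[string]interface{}{
		"request": []string{"https://cdn.example.com/app.js", "https://static.example.com/5844ad4.js"},
	}
	r := evalEndsWith(event, "request", "5844ad4.js")
	fmt.Printf("dodgyRequest matched=%v values=%v\n", r.Matched, r.MatchedValues["request"])
}
```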
