Release 2008.2
Understanding Extension Document Elements

Table 2   Match Group Parameters (continued)

Parameter                  Description
device-type-id-override    (Optional) Specify a different device's QID. Allows the particular
                           match group to search in the specified device for the event type.
                           It must be a valid device type ID, represented as an integer. A
                           list of device type IDs is presented in Table 6. If not specified,
                           this parameter defaults to the device type of the device to which
                           the extension is attached.

Match groups can have up to three different types of entities:

• Matcher (matcher)
• Single-Event Modifier (event-match-single)
• Multi-Event Modifier (event-match-multiple)

Matcher (matcher)

A matcher entity is a field that is parsed (for example, EventName) and is paired with the appropriate pattern and group for parsing. Matchers have an associated order, so if multiple matchers are specified for the same field name, the matchers are executed in that order until a successful parse is found or a failure occurs.

Table 3   Matcher Entity Parameters

Parameter     Description
field         (Required) Specify the field to which you wish the pattern to apply, for
              example, EventName or SourceIp. See Table 4 for a list of valid field names.
pattern-id    (Required) Specify the pattern you wish to use when parsing the field out of
              the payload. This value must match (including case) the ID parameter of the
              pattern previously defined in a pattern ID parameter (Table 1).
order         (Required) Specify the order in which you wish this pattern to be attempted
              among matchers assigned to the same field. If there are two matchers assigned
              to the EventName field, the one with the lowest order is attempted first.
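The following Python sketch is an added example, not code from this guide or from the product, that shows how the matcher rules described above behave when applied to event payloads: patterns are looked up by their case-sensitive ID, matchers for the same field are tried from the lowest order upwards, the first successful parse wins, and a matcher that names an undefined pattern-id is a hard failure. The XML layout and the names device-extension, pattern, match-group and capture-group are assumptions made for this example; field, pattern-id and order are the Table 3 parameters.

```python
import re
import xml.etree.ElementTree as ET

# Constructed extension fragment for this example. The element and attribute
# names device-extension, pattern, match-group and capture-group are assumptions
# for illustration; field, pattern-id and order follow Table 3 above.
EXTENSION_XML = r"""
<device-extension>
  <pattern id="EventNameKV"><![CDATA[event=(\w+)]]></pattern>
  <pattern id="EventNameBare"><![CDATA[^(\w+):]]></pattern>
  <pattern id="SourceIpKV"><![CDATA[src=(\d{1,3}(?:\.\d{1,3}){3})]]></pattern>
  <match-group>
    <!-- listed out of order on purpose: "order" decides, not document position -->
    <matcher field="EventName" pattern-id="EventNameBare" order="2" capture-group="1"/>
    <matcher field="EventName" pattern-id="EventNameKV"   order="1" capture-group="1"/>
    <matcher field="SourceIp"  pattern-id="SourceIpKV"    order="1" capture-group="1"/>
  </match-group>
</device-extension>
"""


def load_extension(xml_text):
    """Compile every <pattern> and collect matchers per field, sorted by order."""
    root = ET.fromstring(xml_text)
    patterns = {}
    for pat in root.findall("pattern"):
        # Pattern IDs are case-sensitive, so the key is stored exactly as written
        patterns[pat.get("id")] = re.compile(pat.text.strip())
    matchers = {}
    for group in root.findall("match-group"):
        for m in group.findall("matcher"):
            entry = {
                "pattern_id": m.get("pattern-id"),
                "order": int(m.get("order")),
                "group": int(m.get("capture-group", "1")),
            }
            matchers.setdefault(m.get("field"), []).append(entry)
    for field in matchers:
        # Lowest order is attempted first, regardless of position in the document
        matchers[field].sort(key=lambda e: e["order"])
    return patterns, matchers


def parse_payload(payload, patterns, matchers):
    """Apply the ordered matchers to one event payload.

    For each field the matchers are tried in ascending order until one
    succeeds; fields no matcher can parse are left out of the result.
    A matcher that references an undefined pattern-id raises ValueError.
    """
    parsed = {}
    for field, candidates in matchers.items():
        for entry in candidates:
            regex = patterns.get(entry["pattern_id"])
            if regex is None:
                raise ValueError(
                    f"matcher for {field} references unknown pattern-id "
                    f"{entry['pattern_id']!r} (IDs are case-sensitive)"
                )
            hit = regex.search(payload)
            if hit is not None:
                parsed[field] = hit.group(entry["group"])
                break  # first successful parse wins; later orders are skipped
    return parsed


if __name__ == "__main__":
    pats, mats = load_extension(EXTENSION_XML)
    for sample in [  # constructed sample payloads
        "src=10.0.0.5 event=LoginFailed user=bob",
        "Logout: src=192.168.1.9",
        "heartbeat ok",
    ]:
        print(sample, "->", parse_payload(sample, pats, mats))
```

The second sample shows the fallback: the order-1 matcher (`event=`) fails, so the order-2 matcher parses `Logout` from the bare prefix instead. Changing a pattern-id's case in the match group is enough to turn a working extension into a failing one, which is the check to run first when a field stops parsing.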