Matcher (matcher)
A matcher entity is a field that is parsed, for example, EventName, and is paired with the appropriate pattern and group for parsing.
Matchers have an associated order. If multiple matchers are specified for the same field name, the matchers are run in the order that is presented until a successful parse is found or a failure occurs.
| Parameter | Description |
|---|---|
| field | The field to which you want the pattern to apply, for example, EventName or SourceIp. You can use any of the field names that are listed in the List of valid matcher field names table. |
| pattern-id | The pattern that you want to use when the field is parsed from the payload. This value must match (including case) the ID parameter of a pattern that was previously defined in a pattern ID parameter (Table 1). |
| order | The order in which you want this pattern to be attempted among the matchers that are assigned to the same field. If two matchers are assigned to the EventName field, the one with the lowest order is attempted first. |
| capture-group | The capture group that is referenced in the regular expression inside parentheses ( ). These captures are indexed starting at one and are processed from left to right in the pattern. For example, you can define a single pattern for a source IP address and port, where the SourceIp matcher uses capture group 1 and the SourcePort matcher uses capture group 2, so only one pattern needs to be defined. This field has a dual purpose when it is combined with the enable-substitutions parameter. To see an example, review the extension document example. |
| enable-substitutions | Boolean. When you set this parameter to true, it changes the meaning of the capture-group parameter: instead of selecting a single group, the capture-group value is used to build the field value from the captured portions. In another example, a MAC address is separated by colons, but in QRadar®, MAC addresses are usually hyphen-separated. The syntax to parse and capture the individual portions is shown in the following example. If no groups are specified in the capture-group when substitutions are enabled, a direct text replacement occurs. Default is false. |
| ext-data | An extra-data parameter that defines any extra field information or formatting that a matcher field can provide in the extension. The only field that currently uses this parameter is DeviceTime. For example, you might have a device that sends events by using a unique time stamp, but you want the event to be reformatted to a standard device time. Use the ext-data parameter included with the DeviceTime field to reformat the date and time stamp of the event. For more information, see the List of valid matcher field names. |
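The following added example (not part of the original document, and not QRadar code) simulates the matcher semantics described above in Python: matchers for the same field are tried in ascending order until one pattern matches, a numeric capture-group selects one group, and with substitutions enabled the capture-group is treated as a template. The payload, pattern IDs and the `\N` template syntax are constructed assumptions for illustration.

```python
import re

# Constructed sample payloads (not from the page): an "ip:port" token and a
# colon-separated MAC address that should be emitted hyphen-separated.
LOGIN_PAYLOAD = "LOGIN user=alice src=10.1.2.3:51514 mac=00:1a:2b:3c:4d:5e"
LOGOUT_PAYLOAD = "LOGOUT user=alice src=10.1.2.3:51514"

# pattern ID -> regular expression (stands in for the <pattern> definitions)
HEX2 = r"([0-9a-f]{2})"
PATTERNS = {
    "SrcIpPort": r"src=(\d+\.\d+\.\d+\.\d+):(\d+)",
    "MacColon": "mac=" + ":".join([HEX2] * 6),
    "LogoutLiteral": r"^LOGOUT",
    "LoginLiteral": r"^LOGIN",
}

# (field, pattern-id, order, capture-group, enable-substitutions)
MATCHERS = [
    ("SourceIp", "SrcIpPort", 1, "1", False),     # one pattern, group 1
    ("SourcePort", "SrcIpPort", 1, "2", False),   # same pattern, group 2
    # Assumed template syntax: \N is replaced by capture group N.
    ("SourceMAC", "MacColon", 1, r"\1-\2-\3-\4-\5-\6", True),
    # Two matchers on EventName: order 1 is tried first; with substitutions
    # enabled and no group references, the value is a direct text replacement.
    ("EventName", "LogoutLiteral", 1, "User Logout", True),
    ("EventName", "LoginLiteral", 2, "User Login", True),
]


def run_matchers(payload, patterns=PATTERNS, matchers=MATCHERS):
    """Return {field: value} by running each field's matchers in order
    until one pattern matches; fields with no successful parse are absent."""
    by_field = {}
    for m in matchers:
        by_field.setdefault(m[0], []).append(m)
    results = {}
    for field, field_matchers in by_field.items():
        for _, pattern_id, _, group, substitutions in sorted(field_matchers, key=lambda m: m[2]):
            match = re.search(patterns[pattern_id], payload)
            if not match:
                continue  # failed parse: fall through to the next order
            if substitutions:
                # Template mode: replace \N with group N; a template with no
                # references is emitted unchanged (direct text replacement).
                results[field] = re.sub(r"\\(\d+)", lambda g: match.group(int(g.group(1))), group)
            else:
                results[field] = match.group(int(group))
            break  # first successful parse wins
    return results
```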
The following table lists valid matcher field names.
| Field name | Description |
|---|---|
| EventName (Required) | The event name to be retrieved from the QID to identify the event. Note: This parameter doesn't appear as a field in the Log Activity tab. |
| EventCategory (LEEF: cat) | An event category for any event with a category that is not handled by an event-match-single entity or an event-match-multiple entity. Combined with EventName, EventCategory is used to search for the event in the QID. The fields that are used for QID map lookups require an override flag to be set when the devices are already known to QRadar; force-qidmap-lookup-on-fixup="true" is the override flag. Note: This parameter doesn't appear as a field in the Log Activity tab. |
| SourceIp (LEEF: src) | The source IP address for the message. |
| SourcePort (LEEF: srcPort) | The source port for the message. |
| SourceIpPreNAT (LEEF: srcPreNAT) | The source IP address for the message before Network Address Translation (NAT) occurs. |
| SourceIpPostNAT (LEEF: srcPostNAT) | The source IP address for the message after NAT occurs. |
| SourceMAC (LEEF: srcMAC) | The source MAC address for the message. |
| SourcePortPreNAT (LEEF: srcPreNATPort) | The source port for the message before NAT occurs. |
| SourcePortPostNAT (LEEF: srcPostNATPort) | The source port for the message after NAT occurs. |
| DestinationIp (LEEF: dst) | The destination IP address for the message. |
| DestinationPort (LEEF: dstPort) | The destination port for the message. |
| DestinationIpPreNAT (LEEF: dstPreNAT) | The destination IP address for the message before NAT occurs. |
| DestinationIpPostNAT (LEEF: dstPostNAT) | The destination IP address for the message after NAT occurs. |
| DestinationPortPreNAT (LEEF: dstPreNATPort) | The destination port for the message before NAT occurs. |
| DestinationPortPostNAT (LEEF: dstPostNATPort) | The destination port for the message after NAT occurs. |
| DestinationMAC (LEEF: dstMAC) | The destination MAC address for the message. |
| DeviceTime (LEEF: devTime) | The time and format that is used by the device. This date and time stamp represents the time that the event was sent, according to the device; it does not represent the time that the event arrived. For examples of the date and time stamp formats that you can use, and the possible values, see the Joda-Time web page (http://www.joda.org/joda-time/key_format.html). DeviceTime is the only event field that uses the ext-data optional parameter. |
| Protocol (LEEF: proto) | The protocol for the message; for example, TCP, UDP, or ICMP. |
| UserName | The user name for the message. |
| HostName (LEEF: identHostName) | The host name for the message. Typically, this field is associated with identity events. |
| GroupName (LEEF: identGrpName) | The group name for the message. Typically, this field is associated with identity events. |
| IdentityIp | The identity IP address for the message. |
| IdentityMac (LEEF: identMAC) | The identity MAC address for the message. |
| IdentityIpv6 | The IPv6 identity IP address for the message. |
| NetBIOSName (LEEF: identNetBios) | The NetBIOS name for the message. Typically, this field is associated with identity events. |
| ExtraIdentityData | Any user-specific data for the message. Typically, this field is associated with identity events. |
| SourceIpv6 | The IPv6 source IP address for the message. |
| DestinationIpv6 | The IPv6 destination IP address for the message. |