matcher

Synopsis

parameters:
[-h | -? | --help] prints the help text
subcommands:
start start intel live matching
stop stop intel live matching
ioc-remove live remove ioc of a matcher

Documentation

The 'matcher' command controls the intel matching functionality of VAST, i.e., the ability to automatically match some part of the incoming data against a set of threat indicators.

matcher ioc-remove

Synopsis

live remove ioc of a matcher
parameters:
[-h | -? | --help] prints the help text

Documentation

The vast matcher ioc-remove subcommand is used to remove an ioc from a running matcher.

The command takes three mandatory positional arguments:

vast matcher ioc-remove <matcher-name> <ioc> <ioc-type>

The ioc-type should match the one that was used when adding the ioc.

matcher stop

Synopsis

stop intel live matching
parameters:
[-h | -? | --help] prints the help text
[--name=] <string> name of the matcher

Documentation

The matcher stop subcommand stops a running matcher.

The name of a running matcher must be supplied as the first positional argument.

matcher start

Synopsis

start intel live matching
parameters:
[-h | -? | --help] prints the help text
[--name=] <string> unique name for this matcher
[--ioc-type=] <string> ioc record type used by this matcher. (default: intel.indicator)
[--ioc-query=] <string> query to create initial ioc set. (default: none)
[--match-attributes=] <list of string> Matched attributes (default: #ioc)
[--match-fields=] <list of string> Matched record field names (default: none)

Documentation

The matcher start subcommand starts a new matcher and attaches to its result stream, printing one line to the standard output every time a new sighting is confirmed.

Examples

vast matcher start

This uses default values for all options: it loads all records of type intel.indicator from the archive and uses them to match all record fields carrying the #ioc attribute on all data that is imported into VAST. A unique name for the matcher is generated automatically.

vast matcher start \
--name="matcher-feodo" \
--ioc-type=intel.indicator \
--ioc-query="intel.indicator.origin == \"Feodo Tracker\"" \
--match-fields=zeek.conn_id.orig_h \
--match-fields=zeek.conn_id.resp_h

This creates a matcher named "matcher-feodo" that loads all indicators that originated from the "Feodo Tracker" (they must be imported with a separate import command) and uses them to match against all source and destination IP fields in Zeek connection records.
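To make the matching semantics concrete, here is an added example (not VAST's own code) that models a matcher in memory: indicators are keyed by (ioc, ioc-type) as in `vast matcher ioc-remove <matcher-name> <ioc> <ioc-type>`, only the configured match fields are inspected, and a live removal stops further sightings for that indicator. The class, function names and sample records are hypothetical and constructed for illustration.

```python
# Added illustration (hypothetical, not VAST's own code): an in-memory model of
# the matcher semantics above. Indicators are keyed by (ioc, ioc-type), as in
# `vast matcher ioc-remove <name> <ioc> <ioc-type>`; only configured fields are checked.
from dataclasses import dataclass, field


@dataclass
class Matcher:
    name: str
    ioc_type: str = "intel.indicator"
    match_fields: tuple = ()
    iocs: set = field(default_factory=set)  # {(ioc, ioc_type), ...}

    def ioc_add(self, ioc: str, ioc_type: str) -> None:
        self.iocs.add((ioc, ioc_type))

    def ioc_remove(self, ioc: str, ioc_type: str) -> bool:
        # Live removal: the type must equal the one used when the ioc was added.
        if (ioc, ioc_type) not in self.iocs:
            return False
        self.iocs.discard((ioc, ioc_type))
        return True

    def match(self, record: dict) -> list:
        # Emit one sighting per configured field whose value is a known indicator.
        sightings = []
        for name in self.match_fields:
            value = record.get(name)
            if value is not None and (value, self.ioc_type) in self.iocs:
                sightings.append({"matcher": self.name, "field": name, "ioc": value})
        return sightings

# Constructed sample data: two "Feodo Tracker" indicators and three Zeek conn
# records flattened to the dotted field names used with --match-fields.
FEODO_INDICATORS = [("203.0.113.7", "intel.indicator"), ("198.51.100.9", "intel.indicator")]
CONN_RECORDS = [
    {"zeek.conn_id.orig_h": "10.0.0.5", "zeek.conn_id.resp_h": "203.0.113.7"},
    {"zeek.conn_id.orig_h": "10.0.0.6", "zeek.conn_id.resp_h": "192.0.2.1"},
    {"zeek.conn_id.orig_h": "198.51.100.9", "zeek.conn_id.resp_h": "10.0.0.7"},
]

def run_feodo_example() -> tuple:
    m = Matcher("matcher-feodo", match_fields=("zeek.conn_id.orig_h", "zeek.conn_id.resp_h"))
    for ioc, ioc_type in FEODO_INDICATORS:
        m.ioc_add(ioc, ioc_type)
    before = [s for r in CONN_RECORDS for s in m.match(r)]
    m.ioc_remove("198.51.100.9", "intel.indicator")  # as `vast matcher ioc-remove`
    after = [s for r in CONN_RECORDS for s in m.match(r)]
    return before, after
```

Running `run_feodo_example()` yields two sightings before the removal (one on resp_h, one on orig_h) and only the 203.0.113.7 sighting afterwards.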