The `matcher` command controls the intel matching functionality of VAST, i.e., the ability to automatically match some part of the incoming data against a set of threat indicators.
The `vast matcher ioc-remove` subcommand removes an IoC from a running matcher.
The command takes three mandatory positional arguments:
The `ioc-type` should match the one that was used when adding the IoC.
The `matcher stop` subcommand stops a running matcher. The name of a running matcher must be supplied as the first positional argument.

## matcher start
The `matcher start` subcommand starts a new matcher and attaches to its result stream, printing one line to standard output every time a new sighting is confirmed.

Without any options, it uses the default values: it loads all records of `intel.indicator` from the archive and uses them to match all record fields carrying the `#ioc` attribute on all data that is imported to VAST. A unique name for the matcher is generated automatically.
A more specific invocation creates a matcher named "matcher-feodo" that loads all indicators that originated from the "Feodo Tracker" (they must be imported with a separate import command) and uses them to match only against the source and destination IP fields in Zeek connection records.
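To make the behaviour described above concrete, here is an added example (not VAST's own code) that models a matcher in plain Python: a named set of indicators, optionally restricted to one source feed and to certain IoC types, is checked against the record fields that a schema tags with `#ioc`, and every hit produces a sighting. It also shows why `ioc-remove` needs the same `ioc-type` that was used when the IoC was added. The indicator records, the Zeek `conn` records, and the field-to-type mapping are all constructed for this example; the class and function names are hypothetical and do not correspond to VAST's API.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for records of intel.indicator. The field names
# (value, ioc_type, source) are hypothetical, not VAST's schema.
@dataclass(frozen=True)
class Indicator:
    value: str
    ioc_type: str   # e.g. "addr" or "domain"
    source: str     # the feed the indicator originated from

SAMPLE_INDICATORS = [
    Indicator("203.0.113.7", "addr", "Feodo Tracker"),
    Indicator("198.51.100.23", "addr", "Feodo Tracker"),
    Indicator("evil.example", "domain", "Other Feed"),
]

# Constructed schema annotation: which fields of a Zeek conn record carry
# the #ioc attribute, and which IoC type each field is compared against.
ZEEK_CONN_IOC_FIELDS = {"id.orig_h": "addr", "id.resp_h": "addr"}

# Constructed Zeek conn records (RFC 5737 documentation addresses).
SAMPLE_CONN_LOG = [
    {"id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "proto": "tcp"},
    {"id.orig_h": "198.51.100.23", "id.resp_h": "10.0.0.9", "proto": "tcp"},
    {"id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.1", "proto": "udp"},
]

@dataclass(frozen=True)
class Sighting:
    matcher: str
    field: str
    value: str

class Matcher:
    """Toy model of a matcher: IoCs bucketed by type, checked against the
    #ioc-tagged fields of every record that passes through."""

    def __init__(self, name: str, indicators: Iterable[Indicator],
                 source: Optional[str] = None,
                 ioc_types: Optional[Set[str]] = None) -> None:
        self.name = name
        self.iocs: Dict[str, Set[str]] = {}
        for ind in indicators:
            # Optional restrictions mirror the "matcher-feodo" case: only one
            # feed, only one IoC type. Without them every indicator is loaded.
            if source is not None and ind.source != source:
                continue
            if ioc_types is not None and ind.ioc_type not in ioc_types:
                continue
            self.ioc_add(ind.ioc_type, ind.value)

    def ioc_add(self, ioc_type: str, value: str) -> None:
        self.iocs.setdefault(ioc_type, set()).add(value)

    def ioc_remove(self, ioc_type: str, value: str) -> bool:
        # The IoC is looked up under its type, so a removal request with a
        # different type than the one used at add time removes nothing.
        bucket = self.iocs.get(ioc_type)
        if bucket is None or value not in bucket:
            return False
        bucket.remove(value)
        return True

    def match(self, record: Dict[str, str],
              ioc_fields: Dict[str, str]) -> List[Sighting]:
        """Compare every #ioc-tagged field of one record against the IoC
        set for that field's type and return the confirmed sightings."""
        sightings = []
        for field_name, ioc_type in ioc_fields.items():
            value = record.get(field_name)
            if value is not None and value in self.iocs.get(ioc_type, set()):
                sightings.append(Sighting(self.name, field_name, value))
        return sightings

def run_matcher(matcher: Matcher, records: Iterable[Dict[str, str]],
                ioc_fields: Dict[str, str]) -> List[Sighting]:
    """Feed records through the matcher, printing one line per sighting
    the way an attached result stream would, and return all sightings."""
    found = []
    for record in records:
        for s in matcher.match(record, ioc_fields):
            print(f"{s.matcher}: {s.field}={s.value}")
            found.append(s)
    return found

if __name__ == "__main__":
    feodo = Matcher("matcher-feodo", SAMPLE_INDICATORS,
                    source="Feodo Tracker", ioc_types={"addr"})
    run_matcher(feodo, SAMPLE_CONN_LOG, ZEEK_CONN_IOC_FIELDS)
    feodo.ioc_remove("addr", "203.0.113.7")
    run_matcher(feodo, SAMPLE_CONN_LOG, ZEEK_CONN_IOC_FIELDS)
```

Running the script prints two sightings for the Feodo matcher on the first pass and one after the address has been removed; a default matcher built with no `source` or `ioc_types` restriction would additionally hold the domain indicator, though it only fires on records whose schema tags a domain-typed field with `#ioc`.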