Release 2008.2
6
Table 4  Matcher Field Names (continued)

Field Name      Description
Protocol        Specify the protocol associated with the event; for example, TCP, UDP, or ICMP. If a protocol is not properly parsed out of a message, ports that were parsed may not appear in STRM (it only displays ports for port-based protocols).
UserName        Specify the user name associated with the event.
HostName        Specify the host name associated with the event. This field is usually only associated with identity events.
GroupName       Specify the group name associated with the event. This field is usually only associated with identity events.
NetBIOSName     Specify the NetBIOS name associated with the event. This field is usually only associated with identity events.

Single-Event Modifier (event-match-single)

Single-event modifier (event-match-single) matches (and subsequently modifies) exactly one type of event, as specified by the required, case-sensitive EventName parameter. This entity allows mutation of successful events by changing the device event category, severity, or the method for sending identity events.

When events matching this event name are parsed, the device category, severity, and identity properties are imposed upon the resulting event. An event-match-single entity consists of three optional properties:

Table 5  Single-Event Modifier Parameters

Parameter                Description
device-event-category    Specify a new category for searching in the QID for the event. This is an optimizing parameter, since some devices have the same category for all events.
severity                 Specify the severity of the event. This parameter must be an integer value between 1 and 10. If a severity of less than 1 or greater than 10 is specified, the system defaults to 5. If not specified, the default is whatever is found in the QID.
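As an added illustration (not STRM's own code or schema), the following Python models the single-event modifier behaviour described above on a constructed extension fragment: the case-sensitive event-name match, the device-event-category override, and the severity rules (1 to 10, out of range defaults to 5, absent defaults to the QID value). The event-name attribute spelling, the surrounding device-extension element and the QID stand-in table are assumptions.

```python
"""Toy model of STRM event-match-single semantics (added example, not STRM code)."""
import xml.etree.ElementTree as ET

# Constructed device-extension fragment. Only device-event-category and severity
# are taken from the documentation; event-name and device-extension are assumed.
EXTENSION_XML = """
<device-extension>
  <event-match-single event-name="Login Failed"
                      device-event-category="Authentication" severity="7"/>
  <event-match-single event-name="Config Changed"
                      device-event-category="Audit" severity="42"/>
  <event-match-single event-name="Heartbeat"/>
</device-extension>
"""

# Constructed stand-in for the QID map: the values used when a modifier
# does not supply its own category or severity.
QID_DEFAULTS = {
    "Login Failed": {"category": "Access", "severity": 3},
    "login failed": {"category": "Access", "severity": 3},
    "Config Changed": {"category": "System", "severity": 4},
    "Heartbeat": {"category": "Status", "severity": 1},
}

def load_modifiers(xml_text):
    """Return {event name: {category, severity}} from the extension XML."""
    root = ET.fromstring(xml_text)
    mods = {}
    for node in root.iter("event-match-single"):
        name = node.attrib["event-name"]          # required, case-sensitive
        mods[name] = {
            "category": node.attrib.get("device-event-category"),
            "severity": node.attrib.get("severity"),
        }
    return mods

def resolve_severity(raw, qid_severity):
    """Severity must be an integer 1..10; out of range -> 5; absent -> QID value."""
    if raw is None:
        return qid_severity
    value = int(raw)
    return value if 1 <= value <= 10 else 5

def apply_modifier(event_name, modifiers, qid=QID_DEFAULTS):
    """Impose the matching modifier's category and severity on a parsed event."""
    base = qid[event_name]
    mod = modifiers.get(event_name)               # exact match: "login failed" != "Login Failed"
    if mod is None:
        return {"event_name": event_name, **base}
    return {
        "event_name": event_name,
        "category": mod["category"] or base["category"],
        "severity": resolve_severity(mod["severity"], base["severity"]),
    }
```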