Identify

Identify tables are active tables that annotate matching nodes with particular values. As with non-active tables, they must be declared at module scope, not inside patterns.

They take the form:

identify name version
  [metadata
    metadata_entries
  end metadata;]
  tags tag1, tag2, ... ;
  node_kind match_attribute [ , ... ] -> set_attribute [ , ... ];
  key1 -> value1;
  key2 -> value2;
  ...
end identify;

The identify table is triggered whenever a node of the declared kind is created with attributes suitable for the match attributes. Like patterns, identify tables must declare one or more tags.

Upon triggering, it sets the set attributes on the triggering node. This is useful for simple process identification, for example:

identify common_unix_commands 1.0
  tags example;
  DiscoveredProcess cmd -> simple_identity;
  unix_cmd "ls" -> "Unix directory listing command";
  unix_cmd "mv" -> "Unix move command";
  unix_cmd "cp" -> "Unix copy command";
  ...
end identify;

If more than one regular expression in an identify table matches a particular node, an arbitrary one will "win" and set the corresponding value.
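As an added illustration (not part of this documentation and not the engine's own code), a small Python model of the semantics described above: regex keys matched against one attribute of nodes of the declared kind, the set attribute written on trigger, and a lint that reports keys overlapping on sample values, since the winner is arbitrary in that case. Whole-value regex matching and first-declared-wins are assumptions of this model, not guarantees of the engine.

```python
import re
from dataclasses import dataclass, field

@dataclass
class IdentifyTable:
    name: str
    version: str
    tags: tuple
    node_kind: str   # only nodes of this kind can trigger the table
    match_attr: str  # attribute the regex keys are matched against
    set_attr: str    # attribute written on the triggering node
    rules: list = field(default_factory=list)  # (compiled regex, value), declared order

    def add(self, key, value):
        self.rules.append((re.compile(key), value))

    def matches(self, node):
        """Every key matching the node's match attribute (assumes whole-value match)."""
        if node.get("kind") != self.node_kind or self.match_attr not in node:
            return []
        return [rx.pattern for rx, _ in self.rules if rx.fullmatch(node[self.match_attr])]

    def apply(self, node):
        """Trigger: annotate from the first matching key (the engine promises no order)."""
        hits = self.matches(node)
        if not hits:
            return False
        node[self.set_attr] = next(v for rx, v in self.rules if rx.pattern == hits[0])
        return True

    def ambiguities(self, samples):
        """Lint: sample values matched by more than one key, where the winner is arbitrary."""
        report = {}
        for s in samples:
            hits = self.matches({"kind": self.node_kind, self.match_attr: s})
            if len(hits) > 1:
                report[s] = hits
        return report

# The page's table, plus one constructed key ("c.") that overlaps "cp".
table = IdentifyTable("common_unix_commands", "1.0", ("example",),
                      "DiscoveredProcess", "cmd", "simple_identity")
for key, value in [("ls", "Unix directory listing command"),
                   ("mv", "Unix move command"),
                   ("cp", "Unix copy command"),
                   ("c.", "Constructed overlapping key")]:
    table.add(key, value)

def identify(cmd, kind="DiscoveredProcess"):
    # Create a node and return the identity the table set on it, if any.
    node = {"kind": kind, "cmd": cmd}
    table.apply(node)
    return node.get("simple_identity")
```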
