Create Parsing Rules

Cortex® XDR™ includes an editor for creating 3rd party Parsing Rules.
Parsing Rules requires a Cortex XDR Pro per TB license.
Cortex® XDR™ includes an editor for creating 3rd party Parsing Rules, which enables you to:
  • Remove unused data that is not required for analytics, hunting, or regulation.
  • Reduce your data storage costs.
  • Pre-process all incoming data for complex rule performance.
  • Add tags to the ingested data as part of the ingestion flow.
  • Easily identify and resolve Parsing Rules errors with error reporting.
Parsing Rules contain the following built-in characteristics.
  • Parsing Rules are bound to a specific vendor and product.
  • Parsing Rules take raw log input, perform an arbitrary number of transitions and modifications to the data using XQL, and return zero, one, or more rows that are eventually inserted into the Data Lake.
  • Parsing Rules can be grouped together by a no-match policy. This means, if all the rules of a group did not produce an output for a specific log record, a no-match policy defines what to do, such as drop the log or keep the log in some default format.
  • Upon ingestion, all fields are retained even fields with a null value. You can also use the Cortex XDR XQL query language to query parsing rules for null values.
Cortex XDR provides a number of default Parsing Rules that you can easily override as required using the Cortex XDR Query Language and additional custom syntax that is specific to creating Parsing Rules. Before you create your own Parsing Rules and override the defaults, we recommend that you review the following.
To create Parsing Rules.
  1. In Cortex XDR, select
    Settings ( )
    Data Management
    Parsing Rules
  2. Select the Parsing Rules editor view.
    You can either leave the
    User Defined Rules
    default view open and write your Parsing Rules directly in the editor or select
    view to see the Parsing Rules editor as well as the default rules. For more information, see Parsing Rules Editor Views.
  3. Write your Parsing Rules using XQL syntax and the syntax specific for Parsing Rules. For more information, see Parsing Rules File Structure and Syntax.
  4. (
    ) Override the default Parsing Rules raw dataset.
  5. Save
    your changes.
    are saved successfully.

Recommended For You