Error Reporting in Parsing Rules

Parsing Rules requires a Cortex XDR Pro per TB license.
To help you identify and resolve Parsing Rules errors, Cortex® XDR™ includes error reporting in Parsing Rules for the following scenarios.
  • A rule cannot be compiled, for example because of invalid function parameters such as an invalid regex.
  • A rule cannot be applied to the data.
  • The expected data type (such as CEF, LEEF, or JSON) does not match the actual data (such as TEXT or CSV).
All errors are saved to a dataset called parsing_rules_errors, where the dataset type is system_audit. The following table describes, in alphabetical order, the fields that are available when running a query in XQL Search for this dataset.
  • Some errors can only be found after the applicable logs are collected in Cortex XDR.
  • New errors generate a notification called Parsing Rules Error, which you can view by selecting the notification icon.
CREATED_AT: Timestamp of when the rule that generated the error was created.
END_LINE: Last line of the particular parsing error you are looking at.
ERROR_CATEGORY: Category of the error.
ERROR_MESSAGE: The error message.
_ID: ID of the rule that triggered this error.
INGEST_NULL: Boolean value (Yes or No) indicating whether null-value fields are configured to be ingested.
NO_HIT: The no-match strategy configured for the rule group that the rule triggering this error belongs to. Possible values are the following.
  • drop: when none of the rules in the group generates output for a given log record, that record is discarded.
  • keep: when none of the rules in the group generates output for a given log record, that record is kept in the _raw_log field. The record is inserted into the group's dataset once, with every column holding NULL except _raw_log, which holds the original JSON log record.
_PRODUCT: The PRODUCT defined for the rule that triggered this error.
START_LINE: First line of the particular parsing error you are looking at.
TARGET_DATASET: The target dataset configured for the rule that triggered this error.
_TIME: Timestamp of when the error was generated.
_VENDOR: The VENDOR defined for the rule that triggered this error.
XQL_TEXT: The complete query, runnable in XQL Search, for the rule that generated this error.
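The compile-error scenario from the list at the top of the page and the drop/keep behaviour of NO_HIT from the table above, modeled as an added example. This is illustrative Python written for this page, not Cortex XDR code: the Rule and RuleGroup classes, the error_category value "compile", the rule IDs and regexes, and the sample log lines are all assumptions constructed for the demo; only the field names of the error rows mirror the parsing_rules_errors dataset. It shows that an invalid regex is caught when the rule is compiled (and the rule then contributes nothing to the dataset), and that an unmatched record is either discarded or inserted once with every column NULL except _raw_log.

```python
"""Illustrative model of Parsing Rules error reporting and the no-hit strategy.
Added example for this page, not Cortex XDR code: the Rule/RuleGroup classes,
the error_category values and the sample logs are assumptions; only the field
names of the error rows mirror the parsing_rules_errors dataset."""
import re
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    rule_id: str
    vendor: str
    product: str
    target_dataset: str
    pattern: str  # regex; each named group becomes a column of the dataset
    compiled: Optional[re.Pattern] = field(default=None, repr=False)


@dataclass
class RuleGroup:
    rules: list
    no_hit: str = "drop"  # "drop" or "keep", as described for NO_HIT
    ingest_null: bool = False  # mirrors INGEST_NULL


def error_row(rule, group, category, message):
    """One row shaped like the parsing_rules_errors dataset (subset of fields)."""
    return {
        "_time": time.time(),
        "_id": rule.rule_id,
        "_vendor": rule.vendor,
        "_product": rule.product,
        "target_dataset": rule.target_dataset,
        "no_hit": group.no_hit,
        "ingest_null": group.ingest_null,
        "error_category": category,  # assumed category name
        "error_message": message,
    }


def compile_rule(rule, group, errors):
    """Compile the rule's regex. An invalid regex is a compile error: it is
    recorded as an error row and the rule is left out of the group."""
    try:
        rule.compiled = re.compile(rule.pattern)
        return True
    except re.error as exc:
        errors.append(error_row(rule, group, "compile", f"invalid regex: {exc}"))
        return False


def apply_group(group, raw_logs):
    """Run the group over raw log lines. Returns (dataset_rows, error_rows).
    The first rule whose regex matches a record produces its output; a record
    that no rule matches is dropped, or with no_hit == "keep" inserted once
    with every column NULL except _raw_log."""
    errors, rows = [], []
    live = [r for r in group.rules if compile_rule(r, group, errors)]
    columns = sorted({name for r in live for name in r.compiled.groupindex})
    for raw in raw_logs:
        hit = None
        for rule in live:
            match = rule.compiled.search(raw)
            if match:
                hit = match.groupdict()
                break
        if hit is None:
            if group.no_hit == "keep":
                rows.append({**{c: None for c in columns}, "_raw_log": raw})
            continue  # "drop": the record is discarded
        row = {c: hit.get(c) for c in columns}
        if not group.ingest_null:  # null-value fields are not ingested
            row = {k: v for k, v in row.items() if v is not None}
        row["_raw_log"] = raw
        rows.append(row)
    return rows, errors


# Constructed sample input for the demo, not real product output.
SAMPLE_LOGS = [
    "2024-01-02T03:04:05Z sshd[812]: Failed password for root from 10.0.0.7 port 5120",
    "2024-01-02T03:04:06Z sshd[812]: Accepted publickey for alice from 10.0.0.9 port 5121",
    "2024-01-02T03:04:07Z cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]

FAILED = Rule("r-failed", "openssh", "sshd", "openssh_sshd_raw",
              r"Failed password for (?P<user>\S+) from (?P<src_ip>[\d.]+)")
ACCEPTED = Rule("r-accepted", "openssh", "sshd", "openssh_sshd_raw",
                r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>[\d.]+)")
BROKEN = Rule("r-broken", "openssh", "sshd", "openssh_sshd_raw",
              r"port (?P<port>\d+")  # missing ')' -> compile-time error


def run_demo(no_hit):
    """Apply the three-rule group with the given no-hit strategy to SAMPLE_LOGS."""
    return apply_group(RuleGroup([FAILED, ACCEPTED, BROKEN], no_hit=no_hit), SAMPLE_LOGS)


if __name__ == "__main__":
    for strategy in ("drop", "keep"):
        rows, errors = run_demo(strategy)
        print(f"no_hit={strategy}: {len(rows)} rows, {len(errors)} errors")
        for err in errors:
            print("  error:", err["_id"], err["error_category"], err["error_message"])
```

With no_hit set to drop the cron line, which no rule matches, never reaches the dataset; with keep it is inserted with user, src_ip and method all NULL and the original line in _raw_log. The broken rule produces one error row in both runs, which is the row you would go looking for in parsing_rules_errors.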
The Parsing Rules editor includes a separate section called List of Errors at the bottom of the page with the following capabilities.
  • Lists the details of the last 20 errors out of the total number of errors found. Cortex XDR only updates this list with new errors when the list is closed.
  • A link to Open All in XQL Search, which shows additional information about the errors from the last 24 hours in XQL Search. The entire list of errors in the parsing_rules_errors dataset for that period is displayed, so you can troubleshoot easily. You can edit the query opened in XQL Search to search a time range of your choosing, for example the last week instead of the last 24 hours.
  • When you Save changes in the Parsing Rules editor, all of the errors listed are removed from the page.
