Understanding how to write a [RULE] section in a Parsing Rules file and the syntax to use.
Rules are very similar to functions in modern programming languages. They are essentially pieces of XQL code tagged with a name (an alias) for easier code re-use and to avoid code duplication. A RULE is an add-on to the Parsing Rule syntax and is optional to configure.
RULE syntax is derived from XQL with a few modifications, as explained in the Parsing Rules syntax.
A few more points to keep in mind when writing
- Rules are defined by `[rule:ruleName]` as depicted in the following example.

  ```
  [rule:filter_alerts]
  filter raw_log not contains "alert";
  ```

- Rules are invoked by using the `call` keyword as depicted in the following example.

  ```
  [rule:filter_alerts]
  filter raw_log not contains "alert";

  [rule:use_another_rule]
  filter severity="LOW"
  | call filter_alerts
  | fields - raw_log;
  ```

  This is equivalent to writing:

  ```
  [rule:use_another_rule]
  filter severity="LOW"
  | filter raw_log not contains "alert"
  | fields - raw_log;
  ```

- Rule names are not case sensitive. They can be written in any user-desired casing, such as UPPER_SNAKE, lower_snake, camelCase, and CamelCase. For example, `MY_RULE` = `My_Rule` = `my_rule`.
- Rule names must be unique across the entire file. This means you cannot have the same rule name defined more than once in the same file.
- Since section order is unimportant, you do not have to declare a rule before using it. The rule definition section can be written below other sections that use this rule.
- You can add a single tag or a list of tags to the ingested data as part of the ingestion flow, which you can then easily query in XQL Search. You can add tags using both the INGEST and RULE sections. For example:

  Adding a single tag.

  ```
  [INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit = drop, ingestnull = true]
  alter xx = call new_tag_rule;

  [RULE:new_tag_rule]
  tag add "test";
  ```

  Adding a list of tags.
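To make the points above concrete, here is an added example (not part of the original documentation or the product) of a small resolver that reads `[RULE:...]` sections from a Parsing Rules file and inlines every `call` stage, the way the "equivalent to writing" expansion above describes. It applies the stated constraints: names are matched case-insensitively, duplicate definitions are rejected, a rule may be defined below the section that calls it, and it additionally refuses recursive calls. The sample rules text and the function names are constructed for this example; a `|` inside a quoted string is not handled.

```python
import re

# Constructed sample Parsing Rules text: the caller is defined above the callee
# (order is unimportant) and the call uses different casing than the definition.
SAMPLE_RULES = """
[RULE:use_another_rule]
filter severity="LOW" | call FILTER_ALERTS | fields - raw_log;

[RULE:Filter_Alerts]
filter raw_log not contains "alert";
"""

# One [rule:name] header followed by a body terminated by ';'.
SECTION_RE = re.compile(
    r"\[\s*rule\s*:\s*([A-Za-z_][A-Za-z0-9_]*)\s*\]\s*(.*?);",
    re.IGNORECASE | re.DOTALL,
)
CALL_RE = re.compile(r"call\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def parse_rules(text):
    """Return {lowercased name: body}; duplicate names (any casing) are an error."""
    rules = {}
    for m in SECTION_RE.finditer(text):
        name = m.group(1).lower()
        if name in rules:
            raise ValueError(f"duplicate rule name: {m.group(1)}")
        rules[name] = " ".join(m.group(2).split())  # normalise whitespace
    return rules


def expand(body, rules, _stack=()):
    """Replace every 'call <name>' stage with the (recursively expanded) rule body."""
    out = []
    for stage in (s.strip() for s in body.split("|")):
        m = CALL_RE.fullmatch(stage)
        if not m:
            out.append(stage)
            continue
        name = m.group(1).lower()
        if name not in rules:
            raise ValueError(f"call to undefined rule: {m.group(1)}")
        if name in _stack:
            raise ValueError(f"recursive rule call: {m.group(1)}")
        out.append(expand(rules[name], rules, _stack + (name,)))
    return " | ".join(out)


def expand_all(text):
    """Parse a rules file and return every rule with its calls inlined."""
    rules = parse_rules(text)
    return {name: expand(body, rules) for name, body in rules.items()}
```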