RULE

Understanding how to write a [RULE] section in a Parsing Rules file and the syntax to use.
Rules are very similar to functions in modern programming languages. They are essentially pieces of XQL code tagged with a name (an alias) so that the same code can be reused instead of duplicated. A RULE section is an add-on to the Parsing Rules syntax and is optional to configure.
RULE syntax is derived from XQL with a few modifications, as explained in the Parsing Rules syntax. For more information on the XQL syntax, see Cortex XDR XQL Language Reference.
Keep the following points in mind when writing RULE sections.
  • Rules are defined by [rule:ruleName], as in the following example.
    [rule:filter_alerts] filter raw_log not contains "alert";
  • Rules are invoked with the call keyword, as in the following example.
    [rule:filter_alerts] filter raw_log not contains "alert";
    [rule:use_another_rule] filter severity="LOW" | call filter_alerts | fields - raw_log;
    This is equivalent to writing:
    [rule:use_another_rule] filter severity="LOW" | filter raw_log not contains "alert" | fields - raw_log;
  • Rule names are not case sensitive. They can be written in any casing, such as UPPER_SNAKE, lower_snake, camelCase or CamelCase. For example, MY_RULE = My_Rule = my_rule.
  • Rule names must be unique across the entire file. You cannot define the same rule name more than once in the same file, and because names are not case sensitive, MY_RULE and my_rule count as the same name.
  • Because section order is unimportant, you do not have to declare a rule before using it. The rule definition can appear below the sections that use it.
  • You can add a single tag or a list of tags to the ingested data as part of the ingestion flow, and then query those tags easily in XQL Search. Tags can be added from both the INGEST and RULE sections. For example:
    Adding a single tag.
    [INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit=drop, ingestnull=true] alter xx = call new_tag_rule;
    [RULE:new_tag_rule] tag add "test";
    Adding a list of tags.
    [INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit=drop, ingestnull=true] alter xx = call new_tag_rule;
    [RULE:new_tag_rule] tag add "test1", "test2", "test3";
    You can also add tags using only the INGEST section. For more information, see INGEST.
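The points above (rules as reusable aliases, call inlining, case-insensitive names, one definition per file, definition order irrelevant) can be checked mechanically before a file is deployed. The following script is an added illustration written for this page; it is not the Cortex XDR parsing engine and not code from the product documentation. It is a deliberately small model of the [RULE] / call mechanism: it splits a Parsing Rules text into sections, inlines every `call name` stage the way the "equivalent to writing" example shows, and rejects duplicate or undefined rule names. The sample files, the regular expressions and the helper names (parse_sections, expand, inline_rules, validate) are all assumptions for the illustration; in particular it assumes no `;` or `|` characters inside string literals.

```python
"""Toy resolver for the [RULE] / call mechanism described above.

Constructed illustration only: this is NOT the Cortex XDR parsing engine.
It models just the behaviours the page states: case-insensitive rule names,
names unique per file, definition order irrelevant, and `call` inlining.
"""
import re

# Constructed sample file: the INGEST section calls two rules that are
# defined further down, in mixed casing.
SAMPLE = '''
[INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit=drop, ingestnull=true]
filter severity = "LOW"
| call FILTER_ALERTS
| call New_Tag_Rule
| fields - raw_log;

[rule:filter_alerts]
filter raw_log not contains "alert";

[RULE:new_tag_rule]
tag add "test1", "test2", "test3";
'''

# Constructed negative sample: one rule name defined twice, differing only in case.
DUPLICATE_SAMPLE = '''
[RULE:My_Rule] filter a = 1;
[RULE:MY_RULE] filter b = 2;
'''

# One section = [KIND:header] body;  (assumption: no ';' inside string literals)
SECTION_RE = re.compile(r'\[(RULE|INGEST)\s*:\s*([^\]]*)\]\s*([^;]*);', re.IGNORECASE)
CALL_RE = re.compile(r'call\s+(\w+)', re.IGNORECASE)


def parse_sections(text):
    """Return ({lowercased rule name: body}, [(ingest header, body), ...])."""
    rules, ingests = {}, []
    for kind, header, body in SECTION_RE.findall(text):
        body = " ".join(body.split())          # collapse newlines and indentation
        if kind.upper() == "RULE":
            name = header.strip().lower()      # rule names are case-insensitive
            if name in rules:
                raise ValueError(f"duplicate rule name: {name}")
            rules[name] = body
        else:
            ingests.append((header.strip(), body))
    return rules, ingests


def expand(body, rules, seen=()):
    """Replace every `call name` stage with the stages of that rule, recursively."""
    stages = []
    for stage in (s.strip() for s in body.split("|")):   # assumption: no '|' in literals
        m = CALL_RE.fullmatch(stage)
        if not m:
            stages.append(stage)
            continue
        name = m.group(1).lower()
        if name not in rules:
            raise KeyError(f"call to undefined rule: {name}")
        if name in seen:
            raise RecursionError(f"rule calls itself: {name}")
        stages.extend(expand(rules[name], rules, seen + (name,)))
    return stages


def inline_rules(text):
    """Return each INGEST section rewritten with all rule calls inlined."""
    rules, ingests = parse_sections(text)      # all rules collected first, so order is irrelevant
    return [f"[INGEST:{header}] " + " | ".join(expand(body, rules)) + ";"
            for header, body in ingests]


def validate(text):
    """Return None if the file resolves cleanly, otherwise the error message."""
    try:
        inline_rules(text)
        return None
    except (ValueError, KeyError, RecursionError) as exc:
        return str(exc)


if __name__ == "__main__":
    for line in inline_rules(SAMPLE):
        print(line)
    print("duplicate check:", validate(DUPLICATE_SAMPLE))
```

Running the script prints the INGEST section with both calls replaced by the rule bodies, which is exactly the rewrite the "equivalent to writing" example above performs by hand, and reports the duplicate name in the second sample even though the two definitions differ only in casing.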