Cortex XDR includes an editor for creating 3rd party Parsing Rules.
Note
Parsing Rules requires a Cortex XDR Pro per GB license and a user with Cortex Account Administrator or Instance Administrator permissions.
Cortex XDR provides a number of default Parsing Rules that you can easily override as required using XQL and additional custom syntax that is specific to creating Parsing Rules. Before creating your own Parsing Rules, we recommend you review the following:
In Cortex XDR , select → → → .
Select the Parsing Rules editor view for writing your Parsing Rules.
You can select one of the following views.
User Defined: Leave the default view open and write your Parsing Rules directly in the editor.
Default Rules: Select this view to understand which parsing rules are provided by default with Cortex XDR in read-only mode.
Both: Select this view to see the Parsing Rules editor as well as the default rules as you write your Parsing Rules.
Simulate: Select this view to test your Parsing Rules on actual logs and validate their outputs as you write your Parsing Rules.
Write your Parsing Rules using XQL syntax and the syntax specific for Parsing Rules.
(Optional) Test your Parsing Rules on actual logs and validate their outputs using the Simulate view.
Note
You need Cortex XDR administrator or Instance Administrator permissions to access the Simulate view and perform these tests.
Select the Simulate view.
For the User defined rules that you want to test, select the logs from the XQL Samples listed that you want to use to simulate the rule. For each Vendor and Product, up to 5 different samples are available to choose from.
Simulate the rules based on the logs selected.
You can also pivot (right-click) any of the logs that you’ve selected to Simulate the rules.
Review the results in the Logs output table to determine if your User defined rules are fine or need further changes.
The Logs output table displays the following columns per dataset at the bottom of the window.
Dataset: Displays the applicable dataset name and a line number associated with this dataset in the User defined rules section.
Vendor: The vendor associated with this dataset.
Product: The product associated with this dataset.
Output Logs: Displays the available output log. When there is no output log to display, the text
Output logs is not available
with the corresponding error message is displayed. When there is no output due to a missing rule in the User defined rules section for the logs selected, the text No output logs. You can change your parsing rules and try again is displayed.Input Logs: Displays the relevant input log with a right-click pivot to Show diff between the Output Logs and Input Logs.
(Optional) Modify your User defined rules and repeat steps #2-4 until you are satisfied with the results.
(Optional) Override the default Parsing Rules raw dataset.
Save your changes.