Understanding how to write a [RULE] section in a Parsing Rules file and the syntax to use.
Rules are very similar to functions in modern programming languages. They are essentially pieces of Cortex Query Language (XQL) syntax tagged with a name (an alias) for easier code reuse and to avoid code duplication. A RULE section is an add-on to the Parsing Rules syntax and is optional to configure.
RULE syntax is derived from XQL with a few modifications, as explained in the Parsing Rules syntax.
Note
For more information on the XQL syntax, see Cortex XQL Language Reference guide.
A few more points to keep in mind when writing RULE sections:
Rules are defined by [rule:ruleName], as depicted in the following example:
Example 52.
[rule:filter_alerts] filter raw_log not contains "alert";
Rules are invoked by using the call keyword, as depicted in the following example:
Example 53.
[rule:filter_alerts] filter raw_log not contains "alert";
[rule:use_another_rule] filter severity="LOW" | call filter_alerts | fields - raw_log;
This is equivalent to writing:
[rule:use_another_rule] filter severity="LOW" | filter raw_log not contains "alert" | fields - raw_log;
Rule names are not case-sensitive. They can be written in any casing the user prefers, such as UPPER_SNAKE, lower_snake, camelCase, and CamelCase. For example, MY_RULE=My_Rule=my_rule.
Rule names must be unique across the entire file. This means you cannot define the same rule name more than once in the same file.
Since section order is unimportant, you do not have to declare a rule before using it. You can write the rule definition section below other sections that use the rule.
You can add a single tag to the ingested data as part of the ingestion flow, so that you can easily query it. You can add tags using both the INGEST and RULE sections.
Example 54. Adding a single tag:
[INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit= drop , ingestnull = true ] alter xx = call new_tag_rule;
[RULE:new_tag_rule] tag add "test";
Example 55. Adding a list of tags:
[INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit= drop , ingestnull = true ] alter xx = call new_tag_rule;
[RULE:new_tag_rule] tag add "test1", "test2", "test3";
Note
You can also add tags using only the INGEST section. For more information, see INGEST.
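The rule semantics described on this page (definition with [rule:name], invocation with call, case-insensitive names that must be unique per file, order-independent sections, and the inlining equivalence shown in Example 53) can be checked offline before a Parsing Rules file is uploaded. The following is an added example, not Cortex's own parser or any product code: a small Python linter that resolves call references into the rule bodies, rejects duplicate names regardless of casing, reports calls to undefined rules, and catches cyclic calls. The section and call regexes, the normalisation of whitespace, and the sample file are assumptions made for this illustration; the sample file is constructed from the examples above.

```python
import re

# Constructed sample Parsing Rules file, based on the examples on this page.
# The RULE used by use_another_rule is deliberately defined *after* its caller
# to show that section order does not matter.
SAMPLE_RULES = """
[rule:use_another_rule] filter severity="LOW" | call filter_alerts | fields - raw_log;
[RULE:filter_alerts] filter raw_log not contains "alert";
[INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit=drop, ingestnull=true] alter xx = call new_tag_rule;
[RULE:new_tag_rule] tag add "test1", "test2", "test3";
"""

# Assumed grammar for this linter: "[KIND:args] body;" where the body runs up to
# the next semicolon. This is a simplification of the real Parsing Rules syntax.
SECTION_RE = re.compile(r'\[(?P<kind>\w+)(?::(?P<args>[^\]]*))?\]\s*(?P<body>[^;]*);')
# "call <name>"; a naive match that would also fire inside string literals,
# which is acceptable for a lint pass but not for a real parser.
CALL_RE = re.compile(r'\bcall\s+(\w+)', re.IGNORECASE)


def parse_sections(text):
    """Return (KIND, args, body) tuples in file order, with body whitespace normalised."""
    return [
        (m.group('kind').upper(), (m.group('args') or '').strip(), ' '.join(m.group('body').split()))
        for m in SECTION_RE.finditer(text)
    ]


def collect_rules(sections):
    """Map lowercased rule names to their bodies; names are case-insensitive and must be unique."""
    rules = {}
    for kind, args, body in sections:
        if kind != 'RULE':
            continue
        name = args.lower()
        if name in rules:
            raise ValueError(f'duplicate rule name (case-insensitive): {args!r}')
        rules[name] = body
    return rules


def expand(body, rules, stack=()):
    """Inline every 'call name' with the named rule's body, recursively.

    Raises KeyError for an undefined rule and RecursionError for a call cycle.
    """
    def replace(match):
        name = match.group(1).lower()
        if name not in rules:
            raise KeyError(f'call to undefined rule: {match.group(1)}')
        if name in stack:
            raise RecursionError('cyclic call: ' + ' -> '.join(stack + (name,)))
        return expand(rules[name], rules, stack + (name,))
    return CALL_RE.sub(replace, body)


def expand_rules(text):
    """Return {rule_name: fully expanded body} for every RULE section in the file."""
    rules = collect_rules(parse_sections(text))
    return {name: expand(body, rules, (name,)) for name, body in rules.items()}


def undefined_calls(text):
    """List call targets (from any section, INGEST included) that no RULE defines."""
    sections = parse_sections(text)
    rules = collect_rules(sections)
    return [m.group(1) for _, _, body in sections
            for m in CALL_RE.finditer(body) if m.group(1).lower() not in rules]


if __name__ == '__main__':
    for name, body in expand_rules(SAMPLE_RULES).items():
        print(f'{name}: {body}')
    print('undefined calls:', undefined_calls(SAMPLE_RULES))
```

Running the script prints the expanded body of use_another_rule, which matches the hand-inlined form in Example 53, and reports no undefined calls for the sample file. Feeding it a file that defines both MY_RULE and my_rule, or two rules that call each other, fails fast with a descriptive error instead of surfacing as a broken ingestion pipeline.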