Create Parsing Rules

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-27
Last date published: 2023-03-27

Note

Parsing Rules require a Cortex XDR Pro per TB license. Only a user with Cortex XDR Account Administrator and Instance Administrator permissions can access this screen.

Cortex XDR includes an editor for creating third-party Parsing Rules, which enables you to:

  • Remove unused data that is not required for analytics, hunting, or regulation.

  • Reduce your data storage costs.

  • Pre-process all incoming data so that complex rules perform better.

  • Add tags to the ingested data as part of the ingestion flow.

  • Easily identify and resolve Parsing Rules errors with error reporting.

  • Test your Parsing Rules on actual logs and validate their outputs before implementation.

Parsing Rules have the following built-in characteristics:

  • Parsing Rules are bound to a specific vendor and product.

  • Parsing Rules take raw log input, perform an arbitrary number of transformations and modifications to the data using Cortex Query Language (XQL), and return zero, one, or more rows that are eventually inserted into the Cortex XDR tenant.

  • Parsing Rules can be grouped together under a no-match policy. If none of the rules in a group produced an output for a specific log record, the no-match policy defines what to do with it, such as drop the log or keep the log in some default format.

  • Upon ingestion, all fields are retained, including fields with a null value. You can also use XQL to query parsed data for null values.
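The following block is an added illustration of these characteristics and is not taken from this guide or from a shipped default rule. It uses the `[INGEST:...]` header described in the Parsing Rules File Structure and Syntax topic together with standard XQL stages (`filter`, `alter`, `fields`) and functions (`regextract`, `arrayindex`, `parse_timestamp`, `to_integer`, `if`). The vendor `acme`, product `gateway`, dataset name `acme_gateway_raw`, the field names, and the log format shown in the comment are all assumptions constructed for the example.

```xql
// Added example (not from the guide): one [INGEST] rule for a hypothetical syslog feed.
// Assumed vendor "acme", product "gateway" and target dataset "acme_gateway_raw".
// Constructed sample log line the rule is written against:
//   2023-03-27T10:15:42Z gw01 src=10.1.2.3 dst=203.0.113.9 action=deny sev=4 healthcheck=0
// no_hit=keep is the group's no-match policy: a record that none of the group's rules
// output is stored in the default format instead of being dropped.
[INGEST:vendor="acme", product="gateway", target_dataset="acme_gateway_raw", no_hit=keep]
// Only access-decision events are parsed here; other lines fall through to the no-match policy.
filter _raw_log contains "action="
| alter
    event_time = parse_timestamp("%Y-%m-%dT%H:%M:%SZ", arrayindex(regextract(_raw_log, "^(\S+)"), 0)),
    src_ip     = arrayindex(regextract(_raw_log, "src=(\d+\.\d+\.\d+\.\d+)"), 0),
    dst_ip     = arrayindex(regextract(_raw_log, "dst=(\d+\.\d+\.\d+\.\d+)"), 0),
    action     = arrayindex(regextract(_raw_log, "action=(\w+)"), 0),
    severity   = to_integer(arrayindex(regextract(_raw_log, "sev=(\d+)"), 0))
// Tag the record during ingestion so hunting and analytics queries can key on it.
| alter ingest_tag = if(action = "deny", "blocked", "allowed")
// Keep only the fields analytics needs; the raw text and unused key=value pairs are not stored,
// which is where the storage saving comes from.
| fields event_time, src_ip, dst_ip, action, severity, ingest_tag
;
```

To check a rule like this before it goes live, paste it into the User Defined Rules editor, switch to the Simulate view, pick a sample log for the vendor and product, and compare the Input Logs and Output Logs columns (the Show diff pivot makes dropped fields and added tags obvious). A sample that yields no output row, such as a line without `action=`, is the case to inspect most closely, because it is exactly the record whose fate the `no_hit` policy decides.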

Cortex XDR provides a number of default Parsing Rules that you can easily override as required using XQL and additional custom syntax that is specific to creating Parsing Rules. Before creating your own Parsing Rules, we recommend you review the following:

Parsing Rules Editor Views

Parsing Rules File Structure and Syntax

To create Parsing Rules:

  1. In Cortex XDR, select Settings > Configurations > Data Management > Parsing Rules.

  2. Select the Parsing Rules editor view for writing your Parsing Rules.

    You can select one of the following views.

    • User Defined Rules—Leave the default view open and write your Parsing Rules directly in the editor.

    • Both—Select this view to see the Parsing Rules editor as well as the default rules as you write your Parsing Rules.

    • Simulate—Select this view to test your Parsing Rules on actual logs and validate their outputs as you write your Parsing Rules.

  3. Write your Parsing Rules using XQL syntax and the syntax specific for Parsing Rules.

  4. (Optional) Test your Parsing Rules on actual logs and validate their outputs using the Simulate view.

    Note

    You need Cortex XDR administrator or Instance Administrator permissions to access the Simulate view and perform these tests.

    1. Select the Simulate view.

    2. For the User defined rules that you want to test, select the logs from the XQL Samples listed that you want to use to simulate the rule. For each Vendor and Product, up to 5 different samples are available to choose from.

    3. Simulate the rules based on the logs selected.

      You can also pivot (right-click) any of the logs that you’ve selected to Simulate the rules.

    4. Review the results in the Logs output table to determine if your User defined rules are fine or need further changes.

      The Logs output table displays the following columns per dataset at the bottom of the window.

      • Dataset—Displays the applicable dataset name and the line number in the User defined rules section of the rule associated with this dataset.

      • Vendor—The vendor associated with this dataset.

      • Product—The product associated with this dataset.

      • Output Logs—Displays the available output log. When there is no output log to display, the text "Output logs is not available" is shown together with the corresponding error message. When there is no output because the User defined rules section contains no rule for the logs selected, the text "No output logs. You can change your parsing rules and try again" is displayed.

      • Input Logs—Displays the relevant input log with a right-click pivot to Show diff between the Output Logs and Input Logs.

    5. (Optional) Modify your User defined rules and repeat steps 2 through 4 until you are satisfied with the results.

  5. (Optional) Override the default Parsing Rules raw dataset.

  6. Save your changes.

    The message "Your PARSING RULES are saved successfully" is displayed.