Parsing Rules requires a Cortex XDR Pro per TB license.
To help you easily identify and resolve Parsing Rules errors, Cortex XDR includes error reporting in Parsing Rules for these scenarios.
Unable to compile a rule for different reasons including invalid function parameters, such as invalid regex.
Unable to apply a rule to the data.
A mismatch between the expected data type, such as CEF, LEEF, or JSON with the actual data, such as TEXT or CSV.
All errors are saved to a dataset called
parsing_rules_errors, where the dataset type is
system_audit. The following table describes the fields that are available when running a query in XQL Search for this dataset in alphabetical order.
Some errors can only be found after the applicable logs are collected in Cortex XDR.
New errors generate a notification called Parsing Rules Error, which you can view when selecting the Notification center.
Displays a timestamp for when the rule, which generated the error, was created.
Displays the last line of the particular parsing error that you’re looking at.
Displays the category of the error.
Displays the error message.
Displays the Rule ID that triggered this error.
Displays a boolean value of either TRUE or FALSE to indicate whether null value fields are configured to be ingested or not. By default, null fields are ingested.
Displays the no-match strategy configured to use for the rule group that the rule triggering this error belongs to. Possible values are the following.
Displays the defined PRODUCT configured for the rule that triggered this error.
Displays the first line of the particular parsing error that you’re looking at.
Displays the Target dataset configured for the rue that triggered this error.
Displays the timestamp when the error was generated.
Displays the defined VENDOR configured for the rule that triggered this error.
Displays the complete query for running the rule in XQL Search that generated this error.
The Parsing Rules editor includes a separate section called List of Errors at the bottom page with the following capabilities.
The List of Errors section is only displayed when there are any errors to list.
Lists the details of the last 20 errors from the total number of errors found.
Cortex XDR only updates this list with new errors when the list is closed.
Selecting a particular error highlights the relevant lines in the User Defined or Default Rules views and displays these lines on the screen, so you can easily review the error and troubleshoot the problem.
Link to Open All in XQL Search to view additional information about these errors in XQL Search from the last 24 hours. The entire list of errors in the
parsing_rules_errorsdataset is displayed, so you can easily troubleshoot. You can edit the query opened in XQL Search to search for a designated time of your choosing, for example, if you want to view the results for the last week as opposed to 24 hours.
When you Save changes in the Parsing Rules editor, all of the errors listed are removed from the page.