Error Reporting in Parsing Rules - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-03-23
Last date published
2023-03-23

Note

Parsing Rules requires a Cortex XDR Pro per TB license.

To help you identify and resolve Parsing Rules errors, Cortex XDR reports errors for the following scenarios.

  • A rule cannot be compiled, for example because of invalid function parameters such as an invalid regex.

  • A rule cannot be applied to the data.

  • A mismatch between the data type the rule expects, such as CEF, LEEF, or JSON, and the actual data, such as TEXT or CSV.

All errors are saved to a dataset called parsing_rules_errors, whose dataset type is system_audit. The following table describes, in alphabetical order, the fields that are available when you query this dataset in XQL Search.

Note

  • Some errors can only be detected after the applicable logs have been collected in Cortex XDR.

  • New errors generate a notification called Parsing Rules Error, which you can view in the Notification center.

Field

Description

CREATED_AT

Displays the timestamp of when the rule that generated the error was created.

END_LINE

Displays the line number in the Parsing Rules editor where the rule text that triggered this error ends.

ERROR_CATEGORY

Displays the category of the error.

ERROR_MESSAGE

Displays the error message.

_ID

Displays the Rule ID that triggered this error.

INGEST_NULL

Displays a boolean value of either TRUE or FALSE to indicate whether null value fields are configured to be ingested or not. By default, null fields are ingested.

NO_HIT

Displays the no-match strategy configured for the rule group to which the rule that triggered this error belongs. Possible values are the following.

  • drop—When none of the rules in the group generates output for a given log record, that record is discarded.

  • keep—When none of the rules in the group generates output for a given log record, that record is kept. It is inserted into the group's dataset once, with every column NULL except _raw_log, which holds the original log record.

_PRODUCT

Displays the defined PRODUCT configured for the rule that triggered this error.

START_LINE

Displays the line number in the Parsing Rules editor where the rule text that triggered this error starts.

TARGET_DATASET

Displays the Target dataset configured for the rule that triggered this error.

_TIME

Displays the timestamp when the error was generated.

_VENDOR

Displays the defined VENDOR configured for the rule that triggered this error.

XQL_TEXT

Displays the complete query for running the rule in XQL Search that generated this error.
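The triage script below is an added example, not Palo Alto Networks code, showing how a practitioner would work the parsing_rules_errors dataset once it has been exported from XQL Search. It assumes the rows were exported as a JSON array whose keys are the lower-case names of the fields in the table above; the exact field spelling, the `config timeframe` clause in the export query, the error_category values, and every row in SAMPLE_EXPORT are constructed for this example and not taken from a real tenant. The one security-relevant check it adds is the no_hit=drop flag: when a rule in a drop group produces no output, the affected records are discarded rather than kept in _raw_log, so a broken rule there means silently lost telemetry and should be fixed first.

```python
"""Triage exported parsing_rules_errors rows from Cortex XDR.

Added example, not Palo Alto Networks code. Field spelling, category values
and the sample rows are constructed assumptions for this illustration.
"""
import json
from collections import Counter
from datetime import datetime

# XQL to pull the rows. The "Open All in XQL Search" link covers the last
# 24 hours; `config timeframe` (assumed syntax) widens that to a week.
EXPORT_QUERY = (
    "config timeframe = 7d "
    "| dataset = parsing_rules_errors "
    "| fields _time, _id, _vendor, _product, target_dataset, error_category, "
    "error_message, start_line, end_line, no_hit, ingest_null, xql_text "
    "| sort desc _time"
)

# Constructed sample export: two errors on one rule (drop group), one on another.
SAMPLE_EXPORT = json.dumps([
    {"_time": "2023-03-23T09:00:00Z", "_id": "rule-101", "_vendor": "acme",
     "_product": "fw", "target_dataset": "acme_fw_raw",
     "error_category": "compile",
     "error_message": "invalid regex in regextract: unterminated group",
     "start_line": 12, "end_line": 14, "no_hit": "drop", "ingest_null": True,
     "xql_text": '[INGEST:vendor="acme", product="fw", target_dataset="acme_fw_raw", no_hit=drop]'},
    {"_time": "2023-03-23T11:30:00Z", "_id": "rule-101", "_vendor": "acme",
     "_product": "fw", "target_dataset": "acme_fw_raw",
     "error_category": "compile",
     "error_message": "invalid regex in regextract: missing )",
     "start_line": 20, "end_line": 22, "no_hit": "drop", "ingest_null": True,
     "xql_text": '[INGEST:vendor="acme", product="fw", target_dataset="acme_fw_raw", no_hit=drop]'},
    {"_time": "2023-03-23T10:15:00Z", "_id": "rule-202", "_vendor": "acme",
     "_product": "proxy", "target_dataset": "acme_proxy_raw",
     "error_category": "type_mismatch",
     "error_message": "expected JSON, got TEXT",
     "start_line": 3, "end_line": 3, "no_hit": "keep", "ingest_null": True,
     "xql_text": '[INGEST:vendor="acme", product="proxy", target_dataset="acme_proxy_raw", no_hit=keep]'},
])


def load_rows(export_text):
    """Parse the JSON export and turn the ISO-8601 _time into a datetime."""
    rows = json.loads(export_text)
    for row in rows:
        row["_time"] = datetime.fromisoformat(row["_time"].replace("Z", "+00:00"))
    return rows


def latest_per_rule(rows):
    """Newest error per rule id. The editor's List of Errors shows at most 20
    entries, so the per-rule view is what you actually act on."""
    latest = {}
    for row in rows:
        rid = row["_id"]
        if rid not in latest or row["_time"] > latest[rid]["_time"]:
            latest[rid] = row
    return latest


def category_counts(rows):
    """How many errors of each category (compile, apply, type mismatch, ...)."""
    return Counter(row["error_category"] for row in rows)


def silent_drop_rules(rows):
    """Rules whose group uses no_hit=drop. A failing rule here discards the
    records it would have parsed instead of keeping them in _raw_log."""
    return sorted({(r["_id"], r["target_dataset"]) for r in rows if r["no_hit"] == "drop"})


def editor_location(row):
    """Line span to jump to in the Parsing Rules editor for this error."""
    if row["start_line"] == row["end_line"]:
        return f"line {row['start_line']}"
    return f"lines {row['start_line']}-{row['end_line']}"


def triage_report(export_text):
    """Summary a responder can act on: totals, categories, drop-risk rules,
    and the latest error with its editor location for every affected rule."""
    rows = load_rows(export_text)
    return {
        "total": len(rows),
        "by_category": dict(category_counts(rows)),
        "silent_drop": silent_drop_rules(rows),
        "rules": {
            rid: {"vendor": r["_vendor"], "product": r["_product"],
                  "where": editor_location(r), "message": r["error_message"]}
            for rid, r in sorted(latest_per_rule(rows).items())
        },
    }


if __name__ == "__main__":
    print("Export query:\n" + EXPORT_QUERY)
    print(json.dumps(triage_report(SAMPLE_EXPORT), indent=2, default=str))
```

Run EXPORT_QUERY in XQL Search, export the result as JSON, and pass the text to triage_report(). Anything listed under silent_drop is the rule whose group is losing records outright; the rest degrade to NULL columns plus _raw_log and can be fixed in order of category count.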

The Parsing Rules editor includes a separate section called List of Errors at the bottom of the page with the following capabilities.

Note

The List of Errors section is only displayed when there are errors to list.

  • Lists the details of the 20 most recent errors out of the total number of errors found.

    Note

    Cortex XDR adds new errors to this list only while the list is closed.

  • Selecting a particular error highlights the relevant lines in the User Defined or Default Rules view and scrolls them into view, so you can review the error and troubleshoot the problem.

  • An Open All in XQL Search link opens XQL Search with the errors from the last 24 hours, showing every matching record in the parsing_rules_errors dataset so you can troubleshoot with the full field set. You can edit the query that opens in XQL Search to cover a time range of your choosing, for example the last week instead of 24 hours.

  • When you Save changes in the Parsing Rules editor, all of the listed errors are cleared from the page.