Parsing Rules - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-02-26
Last date published
2024-05-22
Category
Administrator Guide
Abstract

Learn more about Cortex XDR Parsing Rules.

Note

Parsing Rules requires a Cortex XDR Pro per GB license and a user with Cortex Account Administrator or Instance Administrator permissions.

Cortex XDR includes an editor for creating 3rd party Parsing Rules, which enables you to:

  • Remove unused data that is not required for analytics, hunting, or regulation.

  • Reduce your data storage costs.

  • Pre-process all incoming data for complex rule performance.

  • Add tags to the ingested data as part of the ingestion flow.

  • Easily identify and resolve Parsing Rules errors so you can troubleshoot them quickly.

  • Test your Parsing Rules on actual logs and validate their outputs before implementation.

Parsing Rules contain the following built-in characteristics.

  • Parsing Rules are bound to a specific vendor and product.

  • Parsing Rules take raw log input, perform an arbitrary number of transitions and modifications to the data using Cortex Query Language (XQL), and return zero, one, or more rows that are eventually inserted into the Cortex XDR tenant.

  • Parsing Rules can be grouped together by a no-match policy. If all the rules of a group did not produce an output for a specific log record, a no-match policy defines what to do, such as drop the log or keep the log in some default format.

  • Upon ingestion, all fields are retained even fields with a null value. You can also use XQL to query parsing rules for null values.