Parsing Rules require a Cortex XDR Pro per GB license and a user with Cortex Account Administrator or Instance Administrator permissions.
The Parsing Rules file consists of multiple sections of the following four types, which also make up the custom syntax specific to Parsing Rules.
INGEST—This section is used to define the resulting dataset.
COLLECT—(Optional) This section defines a rule that enables data reduction and data manipulation at the Broker VM, to avoid sending unnecessary data to the Cortex XDR server and reduce traffic, storage, and computing costs. In addition, the COLLECT section is used to manipulate, alter, and enrich the data before it is passed to the Cortex XDR server. While this rule is optional to configure, once added it runs before the
CONST—(Optional) This section is used to define strings and numbers that can be reused multiple times within Cortex Query Language (XQL) statements in the INGEST sections, by referencing the constant name with a $ prefix (for example, $MY_CONST).
RULE—(Optional) Rules are XQL statements tagged with a name, which can be reused in the code of the INGEST sections by using the call stage.
The order of the sections is unimportant: the content of each section type is grouped together during the parsing stage. Before any action takes place, all INGEST objects are grouped together and collected into the same list.
The syntax used in the Parsing Rules file is derived from XQL, but with a few modifications. This subset of XQL is called XQL for Parsing (XQLp).
For more information on the XQL syntax, see Cortex XQL Language Reference.
RULE syntax is derived from XQL, but with the following modifications for XQLp.
A statement never starts with a dataset or preset selection: the query's data source is not specified in the rule. Where the raw logs come from is handled entirely by the system and is transparent to the user.
Only the following XQL stages are permitted: alter, fields, filter, and join. In addition, a new call stage is supported, which is used to invoke another rule.
The join stage is only supported in RULE sections and is not supported in a
Only the following XQL functions are permitted in all sections: parse_timestamp and parse_epoch.
No output stages are supported.
A Rule object can only contain a single statement.
The join inner query is restricted to using a lookup as its data source, and is only supported in XQLp stages.
There is no default lookup, so all join inner queries must start with dataset=<lookup> | ...
Using a constant (for example, $MY_CONST) is supported.
The IN condition can only take a sequence list, such as device_name in ("device1", "device2", "device3"), and not another XQL or XQLp query.
Comments in C programming language syntax can be used anywhere throughout the Parsing Rules file, for example:
// line comment /* inner comment */
Every statement in the Parsing Rules file must end with a semicolon (;).
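The restrictions above are easy to violate in a hand-written file, and a rule that is rejected at upload time is a rule that is not parsing logs. The following is an added example, not Palo Alto Networks code, of a pre-deployment lint check that enforces the XQLp restrictions listed on this page (permitted stages, join only in RULE sections with a dataset=<lookup> inner query, one statement per RULE, literal-only IN lists, the parse_timestamp/parse_epoch function whitelist, $CONST references, C-style comments and semicolon termination). It assumes, since the page does not show it, that every section opens with a bracketed header of the form [INGEST:...], [COLLECT:...], [CONST] or [RULE:<name>]; the header arguments, field names, lookup names and the two sample files are constructed for the example.

```python
"""Lint a Parsing Rules (XQLp) file against the restrictions listed on this page.
Added example, not Palo Alto Networks code. Assumed (not stated on the page): each section
opens with a bracketed header [INGEST:...], [COLLECT:...], [CONST] or [RULE:<name>]; header
arguments, field names and lookup names in the samples are constructed."""
import re

HEADER = re.compile(r"^\s*\[(INGEST|COLLECT|CONST|RULE)(?::([^\]]*))?\]\s*$", re.M)
ALLOWED_STAGES = {"alter", "fields", "filter", "join", "call"}
ALLOWED_FUNCS = {"parse_timestamp", "parse_epoch"}
NOT_FUNCS = {"in", "inner", "outer", "left", "right"}  # keywords that precede "("
LITERAL = re.compile(r'^\s*("[^"]*"|-?\d+(?:\.\d+)?)\s*$')  # quoted string or number

def strip_comments(text):
    """Drop C-style /* ... */ and // comments, which XQLp allows anywhere."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"//[^\n]*", " ", text)

def split_top_level(text, sep):
    """Split on sep outside (...) and "...", so a join inner query keeps its pipes."""
    parts, depth, quoted, start = [], 0, False, 0
    for i, ch in enumerate(text):
        quoted ^= ch == '"'
        depth += 0 if quoted else (ch == "(") - (ch == ")")
        if ch == sep and not quoted and depth == 0:
            parts.append(text[start:i])
            start = i + 1
    return parts + [text[start:]]

def sections(text):
    # Yield (kind, header_args, body) for each [KIND...] section in file order.
    hits = list(HEADER.finditer(text))
    for i, h in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        yield h.group(1), (h.group(2) or "").strip(), text[h.end():end]

def check_stage(kind, stage, rules, problems, where):
    # Apply the per-stage XQLp restrictions to one "<stage> ..." fragment.
    name = m.group(1).lower() if (m := re.match(r"\s*(\w+)", stage)) else ""
    if name in ("dataset", "preset"):
        problems.append(f"{where}: statement must not start with a dataset/preset selection")
        return
    if name not in ALLOWED_STAGES:
        problems.append(f"{where}: stage '{name}' is not permitted in XQLp")
    if name == "join":
        if kind != "RULE":
            problems.append(f"{where}: join is only supported in RULE sections")
        inner = re.search(r"\((.*)\)", stage, re.S)
        if not inner or not re.match(r"\s*dataset\s*=", inner.group(1)):
            problems.append(f"{where}: join inner query must start with 'dataset=<lookup> | ...'")
    if name == "call":
        target = (stage.split(None, 1)[1:] or [""])[0].strip()
        if target not in rules:
            problems.append(f"{where}: call of undefined rule '{target}'")
    unquoted = re.sub(r'"[^"]*"', '""', stage)  # blank string bodies before scanning
    for m in re.finditer(r"\bin\s*\(([^)]*)\)", unquoted, re.I):
        if not all(LITERAL.match(i) for i in split_top_level(m.group(1), ",")):
            problems.append(f"{where}: IN must take a literal sequence list, got ({m.group(1).strip()})")
    for func in re.findall(r"\b([A-Za-z_]\w*)\s*\(", unquoted):
        if func.lower() not in ALLOWED_FUNCS | NOT_FUNCS:
            problems.append(f"{where}: function '{func}' is not permitted in XQLp")

def lint(source):
    """Return the violations found in a Parsing Rules file; an empty list means it passes."""
    problems, consts = [], set()
    blocks = sorted(sections(strip_comments(source)), key=lambda b: b[0] != "CONST")  # CONST first
    rules = {args for kind, args, _ in blocks if kind == "RULE"}
    for kind, args, body in blocks:
        where = f"[{kind}{':' + args if args else ''}]"
        *stmts, tail = [p.strip() for p in split_top_level(body, ";")]
        if tail:  # unterminated statement: report it, then lint it anyway
            problems.append(f"{where}: statement not terminated with ';'")
            stmts.append(tail)
        if kind == "CONST":
            consts |= {s.split("=", 1)[0].strip() for s in stmts}
            continue
        if kind == "RULE" and len(stmts) > 1:
            problems.append(f"{where}: a RULE may contain only one statement ({len(stmts)} found)")
        for stmt in filter(None, stmts):
            for ref in re.findall(r"\$(\w+)", stmt):
                if ref not in consts:
                    problems.append(f"{where}: undefined constant ${ref}")
            for stage in split_top_level(stmt, "|"):
                check_stage(kind, stage, rules, problems, where)
    return problems

# Constructed samples: GOOD follows every restriction; BAD breaks ten of them.
GOOD = r'''
[CONST]  /* reused below as $BLOCK_PORT */
BLOCK_PORT = 4444;
[RULE:normalize_event]
alter event_time = parse_timestamp("%Y-%m-%dT%H:%M:%S", ts)
| join type=inner (dataset = asset_lookup | fields ip, owner) as a a.ip = src_ip;
[INGEST:vendor="acme", product="gateway", target_dataset="acme_gateway_raw"]
filter action in ("deny", "drop") or dst_port = $BLOCK_PORT  // keep only blocks
| call normalize_event | fields event_time, owner, action, dst_port;
'''
BAD = r'''
[RULE:bad_rule]
filter src_ip in (dataset = blocklist | fields ip);
alter tag = uppercase(action) | join type=inner (blocklist) as b b.ip = src_ip | dedup tag;
[COLLECT:vendor="acme", product="gateway"]
dataset = acme_gateway_raw | join type=inner (dataset = asset_lookup) as a a.ip = src_ip
| call no_such_rule | alter flagged = dst_port = $UNDEFINED
'''
```

lint(GOOD) returns an empty list; lint(BAD) returns ten findings, one per violated rule (two statements in a RULE, a sub-query inside IN, the uppercase function, a join inner query that does not start with dataset=, the dedup stage, a missing semicolon, an undefined constant, a statement that starts with dataset, a join outside a RULE section, and a call to a rule that does not exist). CONST sections are read before the others so that, as the page states, section order in the file does not matter. The splitter is depth- and quote-aware, which is what keeps the pipe inside a join inner query from being mistaken for a new stage; the function check is a plain identifier scan and does not try to parse XQL expressions.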