Note
Parsing Rules requires a Cortex XDR Pro per GB license and a user with Cortex Account Administrator or Instance Administrator permissions.
Each vendor and product has its own raw dataset that uses the format <vendor>_<product>_raw. For example, for Palo Alto Networks Next-Generation Firewall, the dataset is called panw_ngfw_raw. This raw dataset by default keeps all raw logs, whether ingested or dropped for other datasets.
You can override the default raw dataset, by creating an INGEST section referring to that dataset. For example, the following syntax overrides the panw_ngfw_raw automatic Parsing Rule.
[ingest:vendor=panw, product=ngfw, dataset=panw_ngfw_raw] filter ... | alter ...;