RULE - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-05-06
Last date published
2024-07-17
Category
Administrator Guide
Abstract

Understanding how to write a [RULE] section in a Parsing Rules file and the syntax to use.

Rules are very similar to functions in modern programming languages. They are essentially pieces of Cortex Query Language (XQL) syntax, tagged with a name - alias, for easier code reuse and avoiding code duplications. A RULE is an add-on to the Parsing Rule syntax and is optional to configure.

RULE syntax is derived from XQL with a few modifications as explained in the Parsing Rules syntax.

Note

For more information on the XQL syntax, see Cortex XQL Language Reference guide.

A few more points to keep in mind when writing RULE sections.

  • Rules are defined by [rule:ruleName] as depicted in the following example.

    [rule:filter_alerts]
    filter raw_log not contains "alert";
  • Rules are invoked by using a call keyword as depicted in the following example.

    [rule:filter_alerts]
    filter raw_log not contains "alert"; 
    [rule:use_another_rule]
    filter severity="LOW" | call filter_alerts | fields - raw_log;

    This is equivalent to writing.

    [rule:use_another_rule]
    filter severity="LOW" | filter raw_log not contains "alert" | fields - raw_log;
  • Rule names are not case-sensitive. They can be written in any user-desired casing, such as UPPER_SNAKE, lower_snake, camelCase, and CamelCase). For example, MY_RULE=My_Rule=my_rule.

  • Rule names must be unique across the entire file. This means you cannot have the same rule name defined more than once in the same file.

  • Since section order is unimportant, you do not have to declare a rule before using it. You can have the rule definition section written below other sections that use this rule.

  • You can add a single tagor list of tags to the ingested data as part of the ingestion flow that you can easily query in XQL Search. You can add tags using both the INGEST and RULE sections. For example,XQL Search

    Adding a single tag.

    [INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit= drop  , ingestnull = true ]
    alter xx = call new_tag_rule; 
    [RULE:new_tag_rule]
    tag add "test";

    Adding a list of tags.

    [INGEST:vendor="Check Point", product="Anti Malware", target_dataset="malware_test", no_hit= drop  , ingestnull = true ]
    alter xx = call new_tag_rule; 
    [RULE:new_tag_rule]
    tag add "test1", "test2", "test3";

    Note

    You can also add tags using only the INGEST section. For more information, see INGEST.