Troubleshooting Parsing Rules Errors - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-12-02
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Learn how to easily identify and resolve parsing errors.

Note

Parsing Rules requires a Cortex XDR Pro per GB license and a user with Cortex Account Administrator or Instance Administrator permissions.

To help you easily identify and resolve parsing errors in Cortex XDR, all parsing errors are saved to a separate dataset called parsing_rules_errors. This dataset displays important information about each error, including the RAW_LOG, log metadata, Parsing Rule metadata, and error description, which you need to effectively troubleshoot the problem. In addition, a Parsing Rules Error notification is sent to the Notification Center whenever a new parsing error is added to the dataset.

Types of Parsing Errors

Cortex XDR reports three types of parsing errors:

  • Compilation Errors: The rule cannot be compiled, for example because a function parameter is invalid, such as a malformed regex.

  • Data Format Errors: The data format the rule expects (such as CEF, LEEF, or JSON) does not match the actual format of the ingested data (such as TEXT or CSV).

  • Runtime Errors: The rule compiles but cannot be applied to the data, for example an attempt to add a String to a Number.
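The following added example illustrates how the three error classes above arise and how each is recorded with its RAW_LOG, rule metadata, and description, which is the information a troubleshooter needs. It is a constructed toy pipeline, not Cortex XDR's parsing engine and not the schema of the parsing_rules_errors dataset; apart from RAW_LOG, which this guide names, all field and function names are assumptions, and the sample logs are constructed.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed illustration only: this is not Cortex XDR's parsing engine and
# not the schema of its parsing_rules_errors dataset. Apart from RAW_LOG, which
# the guide names, every field and function name here is an assumption.


@dataclass
class ParsingRule:
    name: str
    expected_format: str                     # "JSON" or "TEXT" (assumed labels)
    regex: Optional[str] = None              # named-group regex applied to TEXT logs
    increment_fields: Tuple[str, ...] = ()   # numeric fields the rule adds 1 to


@dataclass
class ParsingError:
    error_type: str     # one of the three classes the guide lists
    rule_name: str      # Parsing Rule metadata
    RAW_LOG: str        # the log that failed, kept verbatim for triage
    description: str    # why it failed


def detect_format(raw: str) -> str:
    """Simplified format sniffing: anything that is valid JSON is JSON, else TEXT."""
    try:
        json.loads(raw)
        return "JSON"
    except json.JSONDecodeError:
        return "TEXT"


def apply_rule(rule: ParsingRule, raw: str, errors: List[ParsingError]) -> Optional[dict]:
    """Apply one rule to one raw log; on failure, record the error and return None."""
    # 1. Compilation error: the rule itself is invalid (here: a bad regex).
    pattern = None
    if rule.regex is not None:
        try:
            pattern = re.compile(rule.regex)
        except re.error as exc:
            errors.append(ParsingError("Compilation Error", rule.name, raw,
                                       f"invalid regex {rule.regex!r}: {exc}"))
            return None

    # 2. Data format error: the rule expects one format, the log is another.
    actual = detect_format(raw)
    if actual != rule.expected_format:
        errors.append(ParsingError("Data Format Error", rule.name, raw,
                                   f"expected {rule.expected_format}, got {actual}"))
        return None

    if actual == "JSON":
        record = json.loads(raw)
    else:
        match = pattern.match(raw) if pattern else None
        record = match.groupdict() if match else {}

    # 3. Runtime error: the rule compiled and the format matched, but the
    #    operation fails on this data (e.g. adding a Number to a String value).
    try:
        for name in rule.increment_fields:
            record[name] = record[name] + 1
    except TypeError as exc:
        errors.append(ParsingError("Runtime Error", rule.name, raw, str(exc)))
        return None
    return record


def demo() -> Tuple[List[dict], List[ParsingError]]:
    """Run four constructed (rule, log) pairs: three fail, one parses."""
    text_log = "host=web01 msg=ok"                                  # constructed
    bad_regex = ParsingRule("syslog_hosts", "TEXT", regex=r"(?P<host>host=\S+")
    json_counter = ParsingRule("json_counter", "JSON", increment_fields=("count",))
    cases = [
        (bad_regex, text_log),                 # Compilation Error (unclosed group)
        (json_counter, text_log),              # Data Format Error (TEXT, not JSON)
        (json_counter, '{"count": "7"}'),      # Runtime Error (String + Number)
        (json_counter, '{"count": 7}'),        # succeeds: count becomes 8
    ]
    records, errors = [], []
    for rule, raw in cases:
        result = apply_rule(rule, raw, errors)
        if result is not None:
            records.append(result)
    return records, errors


if __name__ == "__main__":
    parsed, failed = demo()
    for err in failed:
        print(f"{err.error_type:18} rule={err.rule_name} RAW_LOG={err.RAW_LOG!r}: {err.description}")
    print("parsed:", parsed)
```

The order of the checks matters for triage: a rule that fails to compile never reaches the format or runtime checks, so one bad regex shows up as a single Compilation Error per log rather than as a cascade of unrelated errors. Keeping the unmodified RAW_LOG beside the error description is what lets you reproduce the failure against the exact input.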

Parsing Errors Dataset

All parsing errors and Cortex Data Model (XDM) errors are saved to a dataset called parsing_rules_errors. The following table describes, in alphabetical order, the fields that are available when you query the parsing_rules_errors dataset in XQL Search.

Note

Some errors can only be found after the applicable logs are collected in Cortex XDR.