Learn how to write an [EXTEND] section in a Parsing Rules file, and the syntax to use.
Prerequisite
Parsing Rules requires View/Edit RBAC permissions for Data Management (under → ), which are the same permissions required for Dataset Management, Data Model Rules, and Event Forwarding.
An EXTEND section is used to chain your Parsing Rules logic to extend your existing default RULE sections, which are added by a Content Package you installed from Marketplace. While optional to configure, an EXTEND section runs immediately after the default RULE section that it extends, and enables data manipulation without overriding or interfering with the existing vendor Parsing Rules. For more information on the RULE section in Parsing Rules, see RULE.
EXTEND syntax is derived from Cortex Query Language (XQL) with a few modifications as explained in the Parsing Rules file structure and syntax section. You can have multiple XQL statements, separated by a semicolon (;). Each statement creates a different extension.
Note
For more information on the XQL syntax, see Get started with XQL.
A few more points to keep in mind when writing EXTEND sections:
- You can only extend a default rule that is not overridden in the RULE sections.
- A rule can only be extended once.
- A CONST section that is defined in Default Rules cannot be used in the User Defined Rules when configuring an EXTEND section.
- An EXTEND section must specify the full header of the rule it is extending. When you extend a rule that was added by a Content Package installed from Marketplace, the EXTEND section uses the format [EXTEND:<rule name> content_id = "<pack id>"], where the content_id comes from the Content Package that the extended rule belongs to.
Example 46. You can see here that the EXTEND section in User Defined Rules uses the full header of the RULE it is extending from Default Rules.
Default Rules:
[RULE:parse_ngfw_hipmatch content_id = "IronNet"] alter _time = time_generated | call extract_common_ngfw_fields | call extract_hipmatch_only_fields | call common_post_processing;
User Defined Rules:
[EXTEND:parse_ngfw_hipmatch content_id = "IronNet"] alter source = json_extract_scalar(source, "$.string") | filter __firewall_type = "firewall.hipmatch";
When this rule is run, the default RULE section runs and is immediately followed by the EXTEND section. This is equivalent to running one single RULE section as follows:
[RULE:parse_ngfw_hipmatch content_id = "IronNet"] alter _time = time_generated | call extract_common_ngfw_fields | call extract_hipmatch_only_fields | call common_post_processing | alter source = json_extract_scalar(source, "$.string") | filter __firewall_type = "firewall.hipmatch";