Data Model Rules File Structure and Syntax - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Learn about the Data Model Rules file structure and syntax.


Only a user with Cortex Account Administrator or Instance Administrator permissions can access Data Model Rules.

File Structure

The Data Model Rules file consists of multiple sections, each of one of the following two types. These section types also make up the custom syntax that is specific to Data Model Rules.

  • MODEL—This section is used to define the mapping between a single dataset and the data model.

  • RULE—(Optional) A rule is a fragment of Cortex Query Language (XQL) syntax that is tagged with a name. It can be reused in the code of MODEL sections, or in other RULE sections (recursively), by using [rule:ruleName].

The order of the sections is not significant.


The syntax used in the Data Model Rules file is derived from XQL, with a few modifications. This subset of XQL is called XQL for Data Modeling (XQLm).


For more information on XQL syntax, see the XQL Language Reference Guide.

In the MODEL and RULE sections, the following modifications apply to the XQLm syntax.

  • Only the following XQL stages are permitted: ALTER and FILTER. An additional CALL stage is supported, which is used to invoke another rule.


    You cannot call a RULE section that exists in Default Rules from the User Defined Rules section.

  • No output stages are supported.

  • XDM_ALIAS cannot be used in rules. It is only supported in queries.

  • Every model definition in the Data Model Rules file must end with a semicolon (;).

  • Each XDM field used in the MODEL and RULE sections is constructed in dot notation, using the following format.


    For more information, see Field Structure.
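The following is an added illustration of the file structure described above; it is not taken from this guide. It assumes the `[RULE: name]` and `[MODEL: dataset = "..."]` header form and the `call` stage used in XSIAM content packs, and the dataset name, raw field names and rule names are placeholders.

```xql
// Added example of a Data Model Rules file (not from the guide).
// Assumed: [RULE: ...] / [MODEL: ...] header form and the call stage;
// dataset, raw field names and rule names are placeholders.

// A RULE section: a named XQLm fragment. Only ALTER and FILTER stages
// are permitted inside it, and the definition ends with a semicolon.
[RULE: map_network_endpoints]
alter
    xdm.source.ipv4 = src_ip,
    xdm.source.port = to_integer(src_port),
    xdm.target.ipv4 = dst_ip,
    xdm.target.port = to_integer(dst_port);

// A RULE may invoke another RULE with the CALL stage (reuse is recursive).
[RULE: map_common]
call map_network_endpoints
| alter
    xdm.event.type = event_type,
    xdm.event.description = message;

// A MODEL section maps exactly one dataset to the data model.
// No output stage (such as fields or comp) appears; the section is
// only FILTER, CALL and ALTER stages, terminated by a semicolon.
[MODEL: dataset = "examplevendor_exampleproduct_raw"]
filter log_type = "traffic"
| call map_common
| alter
    xdm.network.ip_protocol = protocol;
```

The order of the three sections is not significant, so the MODEL section could equally be placed first.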