Data Model Rules File Structure and Syntax - Administrator Guide - Cortex XSIAM - Cortex

Data Model Rules File Structure and Syntax - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product

Cortex XSIAM

Creation date

2024-02-26

Last date published

2024-04-21

Note

Only a user with Cortex Account Administrator or Instance Administrator permissions can access Data Model Rules.

File Structure

The Data Model Rules file consists of multiple sections of the following two types, which also represent the custom syntax specific to Data Model Rules.

MODEL—This section is used to define the mapping between a single dataset and the data model.
RULE—(Optional) Rules are part of the Cortex Query Language (XQL) syntax, which are tagged with a name, and can be reused in the code in the MODEL sections, or in other RULE sections (recursively), by using [rule:ruleName].

The order of the sections is not significant.

Syntax

The syntax used in the Data Model Rules file is derived from XQL, with a few modifications. This subset of XQL is called XQL for Data Modeling (XQLm).

Note

For more information on XQL syntax, see the XQL Language Reference Guide.

In the MODEL and RULE sections, the following modifications apply to the XQLm syntax.

Only the following XQL stages are permitted: ALTER and FILTER. An additional CALL stage is supported, which is used to invoke another rule.
Note
You cannot call a RULE section that exists in Default Rules from the User Defined Rules section.
No output stages are supported.
XDM_ALIAS cannot be used in rules. It is only supported in queries.
Every model definition in the Data Model Rules file must end with a semicolon (;).
Each XDM field used in the MODEL and RULE sections is constructed using dot notation using the following format.
```
xdm.[<context>].[<compound>].<field>
```
For more information, see Field Structure.