Field Structure - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-05-06
Last date published: 2024-09-11
Category: Administrator Guide
Status: Retiring (new documentation: /r/Cortex-XSIAM/Cortex-XSIAM-Documentation)
Abstract

Learn more about the structure of the fields in the MODEL and RULE sections when creating Data Model Rules.

When creating Data Model Rules, each field used in the MODEL and RULE sections is written in dot notation, in the following format:

xdm.<context>.[<compound>].<field>

Examples:

  • xdm.<context>.[<compound>].<field>

    xdm.source.host.device_id
  • xdm.<context>.<field>

    xdm.source.ipv4

Part          Description

<context>     A composition of fields (<field>), either simple or grouped in a <compound>, that together form a logically coherent unit.

<compound>    A set of simple fields grouped together to form a meaningful unit. For example, subject and recipients are part of the <compound> called email.

<field>       A field that represents a primitive data type, such as a string, a number, an array, or an IP address.

Note

For more information on these data model fields, see Cortex XSIAM Data Model Schema.

Using ENUM fields

ENUM-typed fields are mapped using the predefined XDM_CONST constants, as in XDM_CONST.IP_PROTOCOL_TCP in the example below. Note that this syntax is not mandatory, and you can map any STRING value to such a field, but we recommend using the constants for consistency across all model mappings.

Example:

[RULE: common_ngfw_modeling]
alter xdm.source.ipv4 = json_extract_scalar(actor, "$.client_ip")
| alter xdm.network.ip_protocol = if(
    proto = 6, XDM_CONST.IP_PROTOCOL_TCP,   // IANA protocol number 6 = TCP
    proto = 17, XDM_CONST.IP_PROTOCOL_UDP,  // IANA protocol number 17 = UDP
    proto                                   // any other value is passed through unchanged
);
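As an added example (not part of this guide or the Cortex XSIAM product), the following Python parses xdm.<context>.[<compound>].<field> references as defined above and lints the alter assignments in a rule, flagging invalid field paths and ENUM fields that are mapped from bare string literals instead of XDM_CONST values. The ENUM_FIELDS set and the sample rules are constructed assumptions; only xdm.network.ip_protocol appears on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed set of ENUM-typed XDM fields; extend from the Data Model Schema as needed.
ENUM_FIELDS = {"xdm.network.ip_protocol"}

@dataclass(frozen=True)
class XdmField:
    context: str
    compound: Optional[str]   # None when the reference has no compound part
    field: str

_IDENT = r"[a-z][a-z0-9_]*"
# xdm.<context>.<field> or xdm.<context>.<compound>.<field>
_FIELD_RE = re.compile(rf"^xdm\.({_IDENT})(?:\.({_IDENT}))?\.({_IDENT})$")
# "alter <target> = <expr>" up to the next "| alter", the closing ";" or end of text
_ALTER_RE = re.compile(r"\balter\s+(xdm\.[a-z0-9_.]+)\s*=\s*(.+?)(?=\s*(?:\|\s*alter\b|;|$))", re.S)

def parse_xdm_field(name: str) -> XdmField:
    """Split an xdm.<context>.[<compound>].<field> reference into its parts."""
    m = _FIELD_RE.match(name)
    if not m:
        raise ValueError(f"not a valid XDM field reference: {name!r}")
    context, compound, field = m.groups()
    return XdmField(context, compound, field)

def lint_rule(rule_text: str) -> list:
    """Return warnings for bad field paths and ENUM fields assigned bare string literals."""
    warnings = []
    for m in _ALTER_RE.finditer(rule_text):
        target, expr = m.group(1), m.group(2)
        try:
            parse_xdm_field(target)
        except ValueError as e:
            warnings.append(str(e))
            continue
        if target in ENUM_FIELDS:
            literals = re.findall(r'"([^"]*)"', expr)
            if literals and "XDM_CONST." not in expr:
                warnings.append(f"{target}: mapped from string literal(s) {literals}; prefer XDM_CONST values")
    return warnings

# Constructed sample rules: the first follows the guide, the second breaks both checks.
GOOD_RULE = """[RULE: common_ngfw_modeling]
alter xdm.source.ipv4 = json_extract_scalar(actor, "$.client_ip")
| alter xdm.network.ip_protocol = if(proto = 6, XDM_CONST.IP_PROTOCOL_TCP, proto = 17, XDM_CONST.IP_PROTOCOL_UDP, proto);"""
BAD_RULE = """[RULE: constructed_bad_example]
alter xdm.source = json_extract_scalar(actor, "$.client_ip")
| alter xdm.network.ip_protocol = if(proto = 6, "TCP", "UDP");"""
```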