Field Structure - Administrator Guide - Cortex XSIAM - Cortex

Field Structure - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product

Cortex XSIAM

Creation date

2024-02-26

Last date published

2024-04-25

Category

Administrator Guide

Abstract

Learn more about the structure of the fields in the MODEL and RULE sections when creating Data Model Rules.

When creating Data Model Rules, each field used in the MODEL and RULE sections is constructed using dot notation using the following format.

xdm.<context>.[<compound>].<field>

Examples:

xdm.<context>.[<compound>].<field>
```
xdm.source.host.device_id
```
xdm.<context>.<field>
```
xdm.source.ipv4
```

Part	Description
`<context>`	This is a composition of fields (`<field>`), either simple or `<compound>`, that are grouped together to form a logically coherent unit.
`<compound>`	This is a set of simple fields that are grouped together to form a meaningful group. For example, `subject` and `recipients` are part of the `<compound>` field called `email`.
`<field>`	This is a field that represents a primitive data type, such as a string or number or an array, or an IP address.

Note

For more information on these data model fields, see Cortex XSIAM Data Model Schema.

Using ENUM fields

Note that this syntax is not mandatory, and you can map any STRING value, but we recommend its use for consistency across all model mapping.

Example:

[RULE: common_ngfw_modeling]
alter xdm.source.ipv4 = json_extract_scalar(actor, "$.client_ip")
| alter xdm.network.ip_protocol = if( 
    proto = 6, XDM_CONST.IP_PROTOCOL_TCP, 
    proto = 11, XDM_CONST.IP_PROTOCOL_UDP, 
    proto
);