Troubleshooting Data Model Rules - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Learn more about how to easily identify and resolve Data Model Rules errors in Cortex XSIAM.

Note

Only a user with Cortex Account Administrator or Instance Administrator permissions can access Data Model Rules.

To help you easily identify and resolve errors related to invalid Cortex Data Model (XDM) Rules, Cortex XSIAM provides the following:

  • When an XDM query runs and one of the Data Model Rules is invalid, the invalid rule is automatically disabled and excluded from the query, and a warning is displayed.

  • When a Data Model Rule is disabled, a message is added to your Cortex XSIAM console Notification Center. For more information about the Data Model Rules notifications, see Data Model Rules Notifications.

  • The Data Model Rules editor displays an error icon and a message beside invalid Data Model Rules.

  • An audit log is added to the Management Audit Log whenever a Data Model Rule becomes invalid, and when an invalid Data Model Rule becomes valid.

    Tip

    To ensure you and your colleagues stay informed about Data Model Rules activity, you can also Configure Notification Forwarding to forward your Data Model Rules audit logs to an email distribution list or Syslog server. For more information about the Data Model Rules audit logs, see Monitor Data Model Rules Activity.

  • When a rule is fixed, it is automatically re-enabled. User-defined Data Model Rules are updated manually in the User Defined Rules editor, while default Data Model Rules are updated as part of a Marketplace package update or a background change, such as an XQL content change.

  • All Data Model Rules compilation errors are added to the parsing_rules_errors dataset.

Dataset for Data Model Rules Errors

All Data Model Rules compilation errors, such as syntax errors, missing arguments, and invalid regex, are saved to a dataset called parsing_rules_errors. This dataset also includes Parsing Rules errors. The following table lists, in alphabetical order, the fields of the parsing_rules_errors dataset that are relevant when troubleshooting Data Model Rules errors with a query in XQL Search.

Note

Since this dataset also contains Parsing Rules errors, some of the fields are irrelevant for Data Model Rules and aren't included in the table.
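As an added example (not part of the original guide), the following XQL Search query is a starting point for reviewing the compilation errors recorded in the parsing_rules_errors dataset. It assumes only `_time`, the standard XQL event timestamp field; any field used to narrow the results to Data Model Rules rather than Parsing Rules must be taken from the field table in this guide.

```xql
// Added example, not from the guide: list the most recent compilation
// errors, newest first. `_time` is assumed to be the standard XQL
// timestamp field; no dataset-specific field names are assumed here.
dataset = parsing_rules_errors
| sort desc _time
| limit 50
```

Because the dataset holds both Data Model Rules and Parsing Rules errors, add a `filter` stage on the rule-type field from the table above before treating every row as a Data Model Rule problem; adjusting the time range in the XQL Search time picker keeps the result set to the period in which the Notification Center message or Management Audit Log entry was raised.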