Cortex XSIAM includes an editor for creating Data Model Rules.
Note
Only a user with Cortex Account Administrator or Instance Administrator permissions can access Data Model Rules.
You can override rules or create your own rules using XQL and additional custom syntax that is specific to defining Data Model Rules. Once you edit a default data model mapping, you will no longer receive Marketplace updates.
Danger
Before you create your own Data Model Rules and override the defaults, we recommend that you review the following information:
In Cortex XSIAM, select → → → .
Select the Data Model editor view for writing your Data Model Rules.
You can select one of the following views:
User Defined Rules: Leave the default view open and write your Data Model Rules directly in the editor.
Both: Select this view to see the Data Model Rules editor as well as the default rules as you write your Data Model Rules.
Write your rules using XQL syntax and the syntax specific to Data Model Rules.
(Optional) Use XQL Search to test your Data Model Rules and review logs.
You can create queries on the data model. For more information, see Create XQL query.