Create Data Model Rules - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Cortex XSIAM includes an editor for creating Data Model Rules.

Note

Only a user with Cortex Account Administrator or Instance Administrator permissions can access Data Model Rules.

You can override rules or create your own rules using XQL and additional custom syntax that is specific to defining Data Model Rules. Once you edit a default data model mapping, you will no longer receive Marketplace updates.

Danger

Before you create your own Data Model Rules and override the defaults, we recommend that you review the following information:

How to create Data Model Rules
  1. In Cortex XSIAM, select SettingsConfigurationsData ManagementData Model Rules.

  2. Select the Data Model editor view for writing your Data Model Rules.

    You can select one of the following views:

    • User Defined Rules: Leave the default view open and write your Data Model Rules directly in the editor.

    • Both: Select this view to see the Data Model Rules editor as well as the default rules as you write your Data Model Rules.

  3. Write your rules using XQL syntax and the syntax specific to Data Model Rules.

  4. (Optional) Use XQL Search to test your Data Model Rules and review logs.

    You can create queries on the data model. For more information, see Create XQL query.