Data Model Rules file structure and syntax - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide

Abstract

Learn about the Data Model Rules file structure and syntax.

Note

Only a user with Cortex Account Administrator or Instance Administrator permissions can access Data Model Rules.

The Data Model Rules file consists of multiple sections of the following two types, which also represent the custom syntax specific to Data Model Rules:

  • MODEL: This section is used to define the mapping between a single dataset and the data model.

  • (OPTIONAL) RULE: A RULE section is a named block of Cortex Query Language (XQL) syntax. Once tagged with a name, it can be reused in the code of MODEL sections, or of other RULE sections (recursively), by referencing it as [rule:ruleName].

The order of the sections is not significant.

The syntax used in the Data Model Rules file is derived from XQL, with a few modifications. This subset of XQL is called XQL for Data Modeling (XQLm).

Note

For more information on XQL syntax, see the XQL Language Reference Guide.

In the MODEL and RULE sections, the following modifications apply to the XQLm syntax:

  • Only the following XQL stages are permitted: alter and filter. An additional call stage is supported, which is used to invoke another rule.

    Note

    You cannot call a RULE section that exists in Default Rules from the User Defined Rules section.

  • No output stages are supported.

  • XDM_ALIAS cannot be used in rules. It is only supported in queries. For more information, see the search stage.

  • Every model definition in the Data Model Rules file must end with a semicolon (;).

  • Each XDM field used in the MODEL and RULE sections is written in dot notation, in the following format:

    xdm.[<context>].[<compound>].<field>

    For more information, see Field structure.
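The following is an added example of a complete Data Model Rules file, written to illustrate the two section types and the XQLm restrictions described above; it is not taken from the original page or from a Palo Alto Networks content pack. The section-header form ([RULE: name] and [MODEL: dataset="name"]), the dataset name, the raw field names (src_ip, dst_port, action, event_name, user_name), the XDM field names, the XDM_CONST outcome values and the if() and to_integer() functions are all assumptions; confirm them against the XQL Language Reference Guide before use.

```xql
// Added example of a Data Model Rules file (not from the original page).
// Assumed: section headers [RULE: <name>] and [MODEL: dataset="<name>"],
// the constructed dataset name "example_vendor_product_raw", the raw field
// names, the XDM field names, and the XDM_CONST outcome values.

// RULE section: a named, reusable block that only uses the permitted
// alter stage. It derives the event outcome from the raw "action" field.
[RULE: example_outcome_rule]
alter
    xdm.event.outcome = if(action = "allow", XDM_CONST.OUTCOME_SUCCESS,
                           action = "deny",  XDM_CONST.OUTCOME_FAILED,
                           XDM_CONST.OUTCOME_UNKNOWN);

// MODEL section: maps a single dataset onto the data model.
// Only filter, alter and call stages appear; there is no output stage,
// every XDM field uses xdm.<context>.<compound>.<field> dot notation,
// and the definition ends with a semicolon.
[MODEL: dataset="example_vendor_product_raw"]
filter event_name != null
| call example_outcome_rule
| alter
    xdm.source.ipv4          = src_ip,
    xdm.target.port          = to_integer(dst_port),
    xdm.source.user.username = user_name,
    xdm.event.type           = event_name;
```

The order of the two sections could be swapped without changing the result, since section order is not significant. Keeping the outcome mapping in a RULE section means a second MODEL section for another dataset of the same vendor can reuse it with the same call stage instead of repeating the if() expression.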