Learn how to write a MODEL section in a Data Model Rules file, and about the syntax to use in the file.
A MODEL section is used to define the mapping between a single dataset and the data model. The MODEL section is mandatory per dataset. A RULE section is optional, and is used to help organize the MODEL sections.
MODEL syntax is derived from Cortex Query Language (XQL), with a few modifications, as explained in Data Model Rules file structure and syntax. In addition, MODEL sections use the following syntax add-ons:
- You can have multiple MODEL sections.
- MODEL sections take parameters (rather than the names that RULE sections use); some parameters are mandatory and others are optional:

```
[MODEL: dataset=<dataset>, content_id=<content_id>] <build the XQL logic>;
```
The parameters are described in the following table:

| Parameter | Description |
|---|---|
| dataset | The name of the dataset that contains the source data to apply the mapping on (mandatory). |
| content_id | Identifier of the content as defined in the content package from the Marketplace. This parameter is relevant only for Default Rules and is not available in User Defined Rules (optional). |
For example, the following MODEL section maps DNS fields from the `panw_ngfw_traffic` dataset (the `to_integer(...)` call is closed before the second assignment in the same `alter` stage):

```
[MODEL: dataset=panw_ngfw_traffic]
filter appid = "dns"
| alter dns_helper = json_extract(event, "$.dns")
| alter xdm.network.dns.opcode = to_integer(json_extract_scalar(dns_helper, "$.opcode")),
        xdm.network.dns.is_truncated = to_boolean(json_extract_scalar(dns_helper, "$.is_truncated"));
```
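A small pre-upload check for the MODEL header and body syntax described above, written here as an added example (not part of the original page or of the Cortex product): it splits a rules file into MODEL sections, confirms the mandatory `dataset` parameter is present, and flags an unclosed call such as `to_integer(json_extract_scalar(...)` in the XQL logic. The sample rules file, the `example_pack` content id and the regular expression are constructed assumptions.

```python
import re

# Constructed sample rules file (not from the page): section 1 is the page's example with
# balanced parentheses, section 2 leaves to_integer( unclosed, section 3 omits dataset.
SAMPLE_RULES = '''
[MODEL: dataset=panw_ngfw_traffic] filter appid = "dns"
| alter dns_helper = json_extract(event, "$.dns")
| alter xdm.network.dns.opcode = to_integer(json_extract_scalar(dns_helper, "$.opcode")),
        xdm.network.dns.is_truncated = to_boolean(json_extract_scalar(dns_helper, "$.is_truncated"));
[MODEL: dataset=panw_ngfw_traffic, content_id=example_pack] filter appid = "dns"
| alter xdm.network.dns.opcode = to_integer(json_extract_scalar(event, "$.dns.opcode");
[MODEL: content_id=example_pack] filter appid = "dns";
'''
# Header form from the page: [MODEL: dataset=<dataset>, content_id=<content_id>] <XQL logic>;
# Assumption: a ';' never occurs inside a string literal in the XQL logic.
MODEL_RE = re.compile(r"\[MODEL:\s*(?P<params>[^\]]*)\]\s*(?P<body>[^;]*);")

def parse_model_sections(text):
    """Return one dict per MODEL section: its parameter map and whitespace-normalised XQL body."""
    sections = []
    for m in MODEL_RE.finditer(text):
        params = {}
        for part in m.group("params").split(","):
            key, _, value = part.partition("=")
            if key.strip():
                params[key.strip()] = value.strip()
        sections.append({"params": params, "body": " ".join(m.group("body").split())})
    return sections

def check_model_section(section):
    """Return the problems found in one section; an empty list means it passed."""
    problems = []
    params, body = section["params"], section["body"]
    if not params.get("dataset"):
        problems.append("missing mandatory dataset parameter")
    # Track parenthesis depth outside double-quoted strings: an unclosed call such as
    # to_integer(json_extract_scalar(...) is the usual slip in a long alter stage.
    depth, in_string = 0, False
    for ch in body:
        if ch == '"':
            in_string = not in_string
        elif not in_string and ch == "(":
            depth += 1
        elif not in_string and ch == ")":
            depth -= 1
            if depth < 0:
                break
    if depth != 0 or in_string:
        problems.append("unbalanced parentheses or quotes in the XQL logic")
    return problems
```

Run `check_model_section` over every section returned by `parse_model_sections` before uploading a rules file; only the first sample section passes, the second reports the unbalanced parentheses and the third the missing dataset.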