article Cortex Customer Success Webinar Series Part 1: Getting Started with Parsing Rules in Cortex XDR Videos https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-customer-success-webinar-series-part-1-getting-started/ta-p/575388 <DIV class="lia-message-template-content-zone"> <H2>Webinar Series Part 1: Getting Started with Parsing Rules</H2> <P>Watch part 1 of the Customer Success webinar series Parsing &amp; Correlation Rules to learn the fundamentals of Parsing Rules.<I> </I>Scroll down to review additional resources and the queries shared during the webinar.<BR /><EM>The Parsing Rules feature requires an XDR Pro license. </EM><BR /><BR />To watch the second part of the series, click here: <A href="https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-xdr-customer-success-webinar-series-part-2-correlation/ta-p/578690" target="_blank" rel="noopener">The Core of Detections</A></P> <P>Register for&nbsp;Part 3,&nbsp;&nbsp;<A href="https://paloaltonetworks.zoom.us/webinar/register/7117013724228/WN_KZSf3LtORnW_sFeOf6VmPA#/registration" target="_blank" rel="noopener">Improving Application Security with Correlations</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><div class="lia-vid-container video-embed-center"><div id="lia-vid-6346009977112w960h540r447" class="lia-video-brightcove-player-container"><video-js data-video-id="6346009977112" data-account="6058004142001" data-player="default" data-embed="default" class="vjs-fluid" controls="" data-application-id="" style="width: 100%; height: 100%;"></video-js></div><script src="https://players.brightcove.net/6058004142001/default_default/index.min.js"></script><script>(function() { var wrapper = document.getElementById('lia-vid-6346009977112w960h540r447'); var videoEl = wrapper ? wrapper.querySelector('video-js') : null; if (videoEl) { if (window.videojs) { window.videojs(videoEl).ready(function() { this.on('loadedmetadata', function() { this.el().querySelectorAll('.vjs-load-progress div[data-start]').forEach(function(bar) { bar.setAttribute('role', 'presentation'); bar.setAttribute('aria-hidden', 'true'); }); }); }); } }})();</script><a class="video-embed-link" href="https://live.paloaltonetworks.com/t5/video/gallerypage/video-id/6346009977112">(view in My Videos)</a></div></P> <P>&nbsp;</P> <P><STRONG><FONT color="#FF6600">Demo XQL query:</FONT></STRONG></P> <PRE class="c-mrkdwn__pre" data-stringify-type="pre">dataset = zeedemo_winlogs_raw | filter log_level = "error" | fields event_data , log_level , *name* , channel , event_action , event_id , message | alter Error_Description = json_extract_scalar(event_data , "$.Error Description") | alter Reporting_source = json_extract_scalar(event_data , "$.Update Source") | alter Error_Code = json_extract_scalar(event_data , "$.Error Code") | filter Error_Code != null</PRE> <P><FONT color="#FF6600"><STRONG>Demo Parsing Rule:</STRONG></FONT></P> <PRE class="c-mrkdwn__pre" data-stringify-type="pre">//This is a demo for basic parsing rule build up [INGEST:vendor="zeedemo", product="winlogs", target_dataset="webinar_winlogerrors_parsed", no_hit = drop] filter log_level = "error" | fields event_data , log_level , *name* , channel , event_action , event_id , message | alter Error_Description = json_extract_scalar(event_data , "$.Error Description"), Reporting_source = json_extract_scalar(event_data , "$.Update Source"), Error_Code = json_extract_scalar(event_data , "$.Error Code") | drop Error_Code = null;</PRE> <P>&nbsp;</P> <P><FONT color="#FF6600"><STRONG>Additional resources:</STRONG></FONT></P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Overview" target="_blank" rel="noopener"><SPAN>Architectural Overview</SPAN></A></P> <P><A href="https://www.youtube.com/watch?v=q9ShTvDzY78&amp;list=PLD6FJ8WNiIqXct0oWOxUfr0gDGOQLECGS&amp;index=3" target="_blank" rel="noopener">How-To Video: Custom Parsing Rule</A></P> <P><A href="https://regex-generator.olafneumann.org/" target="_blank" rel="noopener"><SPAN>Regex Generators - XDR supports regex version PCRE2</SPAN></A></P> <P><SPAN><A href="https://regex101.com/" target="_blank" rel="noopener">https://regex101.com/</A></SPAN></P> <P><A href="http://%20https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Parsing-Rules" target="_blank" rel="noopener"><SPAN>Cortex XDR Pro Admin Guide: Parsing Rules</SPAN></A></P> <P><A href="https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-powershell.html#winlogbeat-module-powershell" target="_blank" rel="noopener"><SPAN>Winlogbeat modules </SPAN></A></P> <P>&nbsp;</P> <P><SPAN>Have a question?&nbsp; Post it on our&nbsp;</SPAN><FONT color="#FF6600"><STRONG><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/bd-p/Analytics_Discussions" target="_self">Discussions forum</A></STRONG></FONT></P> <P><FONT color="#FF6600"><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;</FONT></P> </DIV> Wed, 28 Feb 2024 22:53:05 GMT rtsedaka 2024-02-28T22:53:05Z Cortex Customer Success Webinar Series Part 1: Getting Started with Parsing Rules https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-customer-success-webinar-series-part-1-getting-started/ta-p/575388 <P>Don't miss out on Part 1 of the Paring &amp; Correlation Rules series: Getting Started with Parsing Rules! Click to review the webinar and the additional resources linked in this article.&nbsp;<BR /><EM>Parsing &amp; Correlation Rules features require an XDR Pro product license&nbsp;</EM></P> Wed, 28 Feb 2024 22:53:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-videos/cortex-customer-success-webinar-series-part-1-getting-started/ta-p/575388 rtsedaka 2024-02-28T22:53:05Z