02-01-2024 09:33 AM - edited 02-28-2024 02:53 PM
Watch part 1 of the Customer Success webinar series Parsing & Correlation Rules to learn the fundamentals of Parsing Rules. Scroll down to review additional resources and the queries shared during the webinar.
The Parsing Rules feature requires an XDR Pro license.
To watch the second part of the series, click here: The Core of Detections
Register for Part 3, Improving Application Security with Correlations
Demo XQL query:
dataset = zeedemo_winlogs_raw
| filter log_level = "error"
| fields event_data, log_level, *name*, channel, event_action, event_id, message
| alter Error_Description = json_extract_scalar(event_data, "$.Error Description")
| alter Reporting_source = json_extract_scalar(event_data, "$.Update Source")
| alter Error_Code = json_extract_scalar(event_data, "$.Error Code")
| filter Error_Code != null
Demo Parsing Rule:
// This is a demo for a basic parsing rule build-up
[INGEST:vendor="zeedemo", product="winlogs", target_dataset="webinar_winlogerrors_parsed", no_hit = drop]
filter log_level = "error"
| fields event_data, log_level, *name*, channel, event_action, event_id, message
| alter Error_Description = json_extract_scalar(event_data, "$.Error Description"),
        Reporting_source = json_extract_scalar(event_data, "$.Update Source"),
        Error_Code = json_extract_scalar(event_data, "$.Error Code")
| drop Error_Code = null;
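To make the stages of the demo rule concrete, the following Python snippet is an added emulation of what the parsing rule (and the equivalent XQL query above) does to raw records. It is not Cortex XDR code and was not shared in the webinar; the sample Windows log records, host names and error values are constructed for illustration, and json_extract_scalar is approximated for a single top-level JSON key. It also shows the edge case a practitioner cares about: a record whose event_data is not valid JSON extracts null for every field and is therefore dropped by the final stage rather than landing in the parsed dataset with empty columns.

```python
import json
from typing import Optional

# Constructed sample records standing in for the raw zeedemo_winlogs_raw dataset.
# All values are invented for illustration, not taken from the webinar.
SAMPLE_RAW_LOGS = [
    {"log_level": "error", "channel": "System", "event_action": "update-failed",
     "event_id": 20, "host_name": "ws-01", "message": "Installation Failure",
     "event_data": json.dumps({"Error Description": "Installation failed",
                               "Update Source": "Windows Update",
                               "Error Code": "0x80070643"})},
    {"log_level": "error", "channel": "System", "event_action": "update-failed",
     "event_id": 20, "host_name": "ws-02", "message": "Installation Failure",
     "event_data": json.dumps({"Error Description": "Missing code",
                               "Update Source": "WSUS"})},      # no Error Code -> dropped
    {"log_level": "information", "channel": "System", "event_action": "update-ok",
     "event_id": 19, "host_name": "ws-03", "message": "Installation Successful",
     "event_data": json.dumps({"Update Source": "Windows Update"})},  # not an error -> filtered
    {"log_level": "error", "channel": "Application", "event_action": "crash",
     "event_id": 1000, "host_name": "ws-04", "message": "Faulting application",
     "event_data": "not json at all"},                          # malformed JSON -> null -> dropped
]

KEPT_FIELDS = {"event_data", "log_level", "channel", "event_action", "event_id", "message"}


def json_extract_scalar(raw: Optional[str], key: str) -> Optional[str]:
    """Approximate XQL json_extract_scalar(event_data, "$.<key>") for one top-level key:
    return the value as a string, or None (XQL null) when the JSON is invalid,
    not an object, or the key is absent."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict) or doc.get(key) is None:
        return None
    return str(doc[key])


def parse_winlog_errors(records):
    """Run raw records through the same stages as the demo parsing rule."""
    parsed = []
    for rec in records:
        # filter log_level = "error"
        if rec.get("log_level") != "error":
            continue
        # fields ...: keep the listed columns; *name* is a wildcard for any field containing "name"
        kept = {k: v for k, v in rec.items() if k in KEPT_FIELDS or "name" in k}
        # alter: derive the three scalar columns from the event_data JSON
        event_data = rec.get("event_data")
        kept["Error_Description"] = json_extract_scalar(event_data, "Error Description")
        kept["Reporting_source"] = json_extract_scalar(event_data, "Update Source")
        kept["Error_Code"] = json_extract_scalar(event_data, "Error Code")
        # drop Error_Code = null: records without an extractable code never reach the target dataset
        if kept["Error_Code"] is None:
            continue
        parsed.append(kept)
    return parsed


if __name__ == "__main__":
    for row in parse_winlog_errors(SAMPLE_RAW_LOGS):
        print(row["host_name"], row["Error_Code"], row["Reporting_source"])
```

Of the four constructed records only the first survives: the second has no Error Code key, the third is not an error, and the fourth carries unparseable event_data. Checking how many records a rule silently discards in this way is a useful sanity test before pointing a correlation rule at the parsed dataset.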
Additional resources:
How-To Video: Custom Parsing Rule
Regex Generators - XDR supports regex version PCRE2
Cortex XDR Pro Admin Guide: Parsing Rules