Cortex Customer Success Webinar Series Part 1: Getting Started with Parsing Rules

Watch part 1 of the Customer Success webinar series, Parsing & Correlation Rules, to learn the fundamentals of Parsing Rules. Scroll down to review additional resources and the queries shared during the webinar.
The Parsing Rules feature requires an XDR Pro license.

To watch the second part of the series, click here: The Core of Detections

Register for Part 3, Improving Application Security with Correlations

Demo XQL query:

dataset = zeedemo_winlogs_raw
| filter log_level = "error"
| fields event_data, log_level, *name*, channel, event_action, event_id, message
| alter Error_Description = json_extract_scalar(event_data, "$.Error Description")
| alter Reporting_source = json_extract_scalar(event_data, "$.Update Source")
| alter Error_Code = json_extract_scalar(event_data, "$.Error Code")
| filter Error_Code != null

Demo Parsing Rule:

// This is a demo of a basic parsing rule build-up
[INGEST:vendor="zeedemo", product="winlogs", target_dataset="webinar_winlogerrors_parsed", no_hit=drop]
filter log_level = "error"
| fields event_data, log_level, *name*, channel, event_action, event_id, message
| alter Error_Description = json_extract_scalar(event_data, "$.Error Description"),
        Reporting_source = json_extract_scalar(event_data, "$.Update Source"),
        Error_Code = json_extract_scalar(event_data, "$.Error Code")
| drop Error_Code = null;
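To check what the demo parsing rule will keep and silently drop before deploying it, the Python below replays its stages (filter, alter with json_extract_scalar, drop on null) over a few constructed raw events. This is an added simulation, not Cortex XDR's parsing engine or the webinar's own code; the json_extract_scalar mimic is an assumption that only handles top-level "$.Key" paths.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample of raw "zeedemo/winlogs" events, modelled on the
# fields the demo rule references (not real data from the webinar).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"log_level": "error", "event_id": 20, "channel": "System",
     "event_data": json.dumps({"Error Description": "Installation Failure",
                               "Error Code": "0x80070643",
                               "Update Source": "Windows Update"})},
    {"log_level": "error", "event_id": 19, "channel": "System",
     "event_data": json.dumps({"Update Source": "WSUS"})},       # no Error Code: dropped
    {"log_level": "information", "event_id": 43, "channel": "System",
     "event_data": json.dumps({"Error Code": "0x0"})},           # not an error: filtered
    {"log_level": "error", "event_id": 7, "channel": "Application",
     "event_data": "not json"},                                  # unparsable: nulls, dropped
]

def json_extract_scalar(doc: Optional[str], path: str) -> Optional[str]:
    """Assumed mimic of XQL json_extract_scalar for a top-level "$.Key" path:
    return the value as a string, or None (XQL null) when the document is
    not valid JSON or the key is absent."""
    if not doc or not path.startswith("$."):
        return None
    try:
        obj = json.loads(doc)
    except json.JSONDecodeError:
        return None
    value = obj.get(path[2:]) if isinstance(obj, dict) else None
    return None if value is None else str(value)

def apply_demo_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Replay the demo rule's stages; the fields stage is omitted since it
    only trims columns and does not change which events survive."""
    parsed = []
    for ev in events:
        # filter log_level = "error"
        if ev.get("log_level") != "error":
            continue
        # alter: extract the three scalars from event_data
        row = dict(ev)
        row["Error_Description"] = json_extract_scalar(ev.get("event_data"), "$.Error Description")
        row["Reporting_source"] = json_extract_scalar(ev.get("event_data"), "$.Update Source")
        row["Error_Code"] = json_extract_scalar(ev.get("event_data"), "$.Error Code")
        # drop Error_Code = null: events with no Error Code never reach the target dataset
        if row["Error_Code"] is None:
            continue
        parsed.append(row)
    return parsed
```

Only the first sample event survives; the unparsable and code-less error events vanish without trace, so keep the raw dataset (or use no_hit=keep) if you need to audit what the rule discarded.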

Additional resources:

Architectural Overview

How-To Video: Custom Parsing Rule

Regex generators (XDR supports the PCRE2 regex flavour):

https://regex101.com/

Cortex XDR Pro Admin Guide: Parsing Rules

Winlogbeat modules
