09-22-2025 04:37 AM
I'm new to Cortex XSIAM. I wanted to understand how effectively Parsing Rules and Data Model Rules can be used for a particular data source, and how they work.
02-11-2026 06:25 AM
Hello @A.Velusamy ,
Greetings for the day.
In Cortex XSIAM, Parsing Rules and Data Model Rules are two distinct mechanisms used to manage and normalize data from third-party sources. Although both rely on Cortex Query Language (XQL), they operate at different stages of the data lifecycle and serve different purposes.
Parsing rules are applied during the data ingestion phase, before logs are stored in a dataset. Their primary purpose is to clean, filter, and structure raw incoming data.
Parsing rules use a subset of XQL known as XQLi (XQL for Ingestion). They process raw log input, perform transformations, and insert the processed results into a specified dataset.
- You can use the filter command within an [INGEST] rule to drop unnecessary logs (for example, informational traffic that provides no security value). This helps reduce storage and ingestion costs.
- Parsing rules extract fields from raw messages (such as Syslog strings) so they are stored as structured columns within the dataset.
- Normalizing the _time field during ingestion ensures logs are properly ordered and searchable.
- Parsing rules only apply to new logs ingested after the rule is activated. They do not modify historical data.
- They improve performance because data is pre-parsed and structured before being stored.
Data Model Rules operate at query time and provide a normalization layer. They map fields from vendor-specific datasets (for example, fortinet_fortigate_raw) to the standardized Cortex Data Model (XDM).
Data Model Rules act as a logical “view” on top of your datasets. When you run a query using the datamodel command, XSIAM applies these rules to translate vendor-specific field names into standardized XDM field names.
- They enable cross-vendor searches using standardized XDM fields (for example, searching for an IP address using xdm.source.ipv4 across multiple firewall vendors).
- Built-in analytics and correlation rules rely on XDM-normalized fields to detect cross-platform threats consistently.
- Data Model Rules are retroactive, meaning they apply to both historical and newly ingested data.
- If you create a user-defined Data Model Rule for a dataset that already has a default rule, the custom rule completely overrides the default rule for that dataset.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
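An added end-to-end example for a hypothetical FortiGate feed, illustrating the two rule types described in the reply above (this is example code, not part of the post and not from Palo Alto Networks' own content packs). The sample log line, the regular expressions, the vendor/product/target_dataset values and the column names (srcip, dstip, action and so on) are constructed for illustration; the xdm.* field names, the XDM_CONST values and the no_hit behaviour are assumed to match the XDM and parsing rule reference for your tenant version, so check them there before use.

```xql
// Constructed sample FortiGate-style line as it would arrive in _raw_log
// (illustrative only, not a captured log):
//   date=2025-09-22 time=04:37:10 devname="fw01" srcip=10.1.2.3 srcport=51515
//   dstip=203.0.113.10 dstport=443 proto=6 action="accept" level="notice"

// ---- 1. Parsing rule: runs at ingestion, before the row is stored ----
// vendor/product/target_dataset are assumed values for this example.
// no_hit=drop (assumed semantics): a log that does not pass the filter below
// is discarded instead of being stored unparsed, which no_hit=keep would do.
[INGEST:vendor="fortinet", product="fortigate", target_dataset="fortinet_fortigate_raw", no_hit=drop]
// Drop noise at the door: informational and debug events are never stored,
// so they cost neither storage nor query time. This is not retroactive.
filter _raw_log !~= "level=\"(information|debug)\""
// Extract structured columns from the raw string (regexes match the sample line).
| alter
    log_date = arrayindex(regextract(_raw_log, "date=(\d{4}-\d{2}-\d{2})"), 0),
    log_time = arrayindex(regextract(_raw_log, "time=(\d{2}:\d{2}:\d{2})"), 0),
    srcip    = arrayindex(regextract(_raw_log, "srcip=(\S+)"), 0),
    srcport  = to_integer(arrayindex(regextract(_raw_log, "srcport=(\d+)"), 0)),
    dstip    = arrayindex(regextract(_raw_log, "dstip=(\S+)"), 0),
    dstport  = to_integer(arrayindex(regextract(_raw_log, "dstport=(\d+)"), 0)),
    proto    = to_integer(arrayindex(regextract(_raw_log, "proto=(\d+)"), 0)),
    action   = arrayindex(regextract(_raw_log, "action=\"([^\"]+)\""), 0)
// Set _time from the device's own timestamp so events sort and search by event
// time, not by the time they reached XSIAM.
| alter _time = parse_timestamp("%Y-%m-%d %H:%M:%S", concat(log_date, " ", log_time))

// ---- 2. Data Model rule: applied at query time, also to rows stored earlier ----
// Maps the columns created above onto XDM. A user-defined [MODEL] replaces the
// default mapping for the dataset entirely, so map every field you rely on.
[MODEL: dataset="fortinet_fortigate_raw"]
alter
    xdm.source.ipv4         = srcip,
    xdm.source.port         = srcport,
    xdm.target.ipv4         = dstip,
    xdm.target.port         = dstport,
    xdm.network.ip_protocol = if(proto = 6, XDM_CONST.IP_PROTOCOL_TCP,
                                 proto = 17, XDM_CONST.IP_PROTOCOL_UDP,
                                 to_string(proto)),
    xdm.observer.action     = action,
    xdm.event.outcome       = if(action = "accept", XDM_CONST.OUTCOME_SUCCESS,
                                 action = "deny", XDM_CONST.OUTCOME_FAILED,
                                 XDM_CONST.OUTCOME_UNKNOWN),
    xdm.observer.vendor     = "Fortinet",
    xdm.observer.product    = "FortiGate"

// ---- 3. Query through the normalized view (run in XQL Search) ----
// The same filter works unchanged against any dataset with a [MODEL] rule,
// and it matches rows that were stored before the rule was created.
datamodel dataset = fortinet_fortigate_raw
| filter xdm.source.ipv4 = "10.1.2.3" and xdm.event.outcome = XDM_CONST.OUTCOME_SUCCESS
| fields _time, xdm.source.ipv4, xdm.target.ipv4, xdm.target.port, xdm.observer.action
```

The [INGEST] section belongs in the Parsing Rules editor, the [MODEL] section in the Data Model Rules editor, and the final query in XQL Search. Two consequences of the timing described in the reply are worth checking for yourself: rows that arrived before the parsing rule was activated have no srcip or dstip columns, so the model rule yields an empty xdm.source.ipv4 for them even though model rules are retroactive, and rows removed by the filter are gone for good. Because a user-defined [MODEL] replaces the default mapping rather than extending it, compare its output against the default mapping (for example with a datamodel query over a known time window) before relying on built-in analytics for that dataset.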