10-04-2023 08:14 AM - edited 10-04-2023 08:15 AM
Hi Kavurisowmya,
Yes, you may. Vendor Logs ingested from some unsupported external data sources sent to Cortex XDR may not match the format of the data already present in XDR from other sources. In this case, you can use additional XQL functions to transform the data within your custom parsing rules. Reference Ingest External Alerts • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentat...
You may use regex to convert the fields to extract the data to facilitate matching with Cortex XDR format. For example, say you need to map the port but your source field contains both the IP address and port (192.168.1.200:8080). To extract everything after the :, use the following regex:
^[^:]*_
Here is an example with Zscaler logs. This statement performs a regular expression match on any group of characters except whitespace characters; the resulting array will then have each field at an index, and we can simply choose the array index that corresponds to the field we want to assign.
String with a delimiter
dataset = zscaler_nsssaasfilelog_raw
| fields _raw_log
| alter date = arrayindex(regextract(_raw_log, "[^\s]+"),0)
In the example, the 0th array index (recall that arrays are 0-indexed data structures, so the first value is stored at index 0) corresponds to the first value in the log format.
In your example the delimiter is :, so you will need to pull the selected value for the regex to extract the data values you would like.
Reference
If you found this answer helpful, please like and select Accept as Solution.
Thank you!
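The two regex techniques described in the reply above (keeping what follows the first colon of a host:port field, and tokenising a raw log with `[^\s]+` and picking an array index, as XQL `regextract` and `arrayindex` do), prototyped in Python as an added example. This is not XQL and not code from the original post; the sample log line, the field positions and the bracketed-IPv6 handling are constructed assumptions for illustration, and it goes beyond the post by also handling a field with no port or an out-of-range index.

```python
import re

# Constructed sample input modelled on the post's examples (not real Zscaler data):
# a host:port field and a whitespace-delimited raw log line.
SAMPLE_HOST_PORT = "192.168.1.200:8080"
SAMPLE_RAW_LOG = "2023-10-04 08:14:00 user@example.com 192.168.1.200:8080 GET /index.html 200"

# Keep the part after the first colon: equivalent to stripping a leading "^[^:]*:" match.
HOST_PORT_RE = re.compile(r"^(?P<host>[^:]+):(?P<port>\d{1,5})$")
# Assumed bracketed IPv6 form, e.g. "[2001:db8::1]:443"; "^[^:]*" alone would cut it wrongly.
IPV6_PORT_RE = re.compile(r"^\[(?P<host>[^\]]+)\]:(?P<port>\d{1,5})$")
# Equivalent of XQL regextract(_raw_log, "[^\s]+"): every run of non-whitespace characters.
TOKEN_RE = re.compile(r"[^\s]+")


def split_host_port(value):
    """Return (host, port); port is None when the field carries no usable port."""
    m = IPV6_PORT_RE.match(value) or HOST_PORT_RE.match(value)
    if m is None:
        return value, None
    port = int(m.group("port"))
    if not 0 < port <= 65535:
        return m.group("host"), None
    return m.group("host"), port


def tokenize(raw_log):
    """Mirror regextract(raw, "[^\s]+"): the list of whitespace-separated tokens."""
    return TOKEN_RE.findall(raw_log)


def arrayindex(tokens, i):
    """Mirror XQL arrayindex: None for an out-of-range index instead of an exception."""
    return tokens[i] if 0 <= i < len(tokens) else None


def parse_sample(raw_log):
    """Map the constructed log layout onto XDR-style field names (assumed positions)."""
    tokens = tokenize(raw_log)
    host, port = split_host_port(arrayindex(tokens, 3) or "")
    return {
        "date": arrayindex(tokens, 0),   # the 0th index is the first value in the log
        "src_ip": host,
        "src_port": port,
        "status": arrayindex(tokens, 6),
    }
```

Note that a timestamp token such as `08:14:00` also contains colons, so pick the right array index before applying the colon split.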