How parsing actually works in XSIAM: INGEST, XDM, raw datasets, and the data flow.
Every log byte that lands in your XSIAM tenant takes a specific path: collected by Broker VM or marketplace integration, transformed by parsing rules, normalized into XDM, and stored in the Cortex Extended Data Lake. Knowing the path makes it obvious which work is configuration and which is engineering.
Read the full lesson with Pro.
The takeaways below are public so you know what is in the lesson. The full body, the negotiation script, and every other lesson unlock with Pro. Free 30 days, no card.
Takeaways
- →Five stages: collection (XDR agent / marketplace / Broker VM) -> raw dataset (`<vendor>_<product>_raw`) -> parsing rules (XQLp) -> Data Model Rules (XDM normalization) -> XDL data lake.
- →Parsing rules use XQLp (subset of XQL). Allowed stages: alter, fields, filter, join, call. Allowed functions: parse_timestamp, parse_epoch, regexcapture. Plus a drop stage.
- →INGEST section is mandatory. Required parameters: vendor, product, target_dataset. Optional: no_hit (keep|drop), ingestnull.
- →NGFW raw datasets in the panw_ngfw_<text>_raw format and panw_observability_raw cannot have custom parsing rules; they're reserved.
- →Marketplace sources ship parsing rules AND Data Model Rules; custom work is only needed for non-marketplace sources or unusual log shapes.
- →The platform's parsing-rule editor includes a simulate feature; use it before saving any custom rule.
- →Bring a partner in for non-marketplace sources, complex INGEST transformations, or cross-source lookup enrichment.
Copy-ready script
Pro“Can you split the rule scope into two phases? Phase one is enablement of the OOTB ruleset against my environment, ideally on a flat-rate or fixed-fee basis. Phase two is authoring custom rules where the OOTB set has gaps, billed hourly.”
See it in your own quote.
Paste a Palo Alto Networks quote. The engine will tell you, line by line, where the pattern in this lesson actually shows up.
Have Clarify read your SOW