Automatic Search Rules

Automatic Search Rules allow security teams to define and deploy custom correlation logic that continuously monitors the Inopli DRP dataset for matching patterns, indicators, or behaviors. These rules operate on top of the internal threat intelligence index and can proactively trigger incidents without waiting for an analyst to validate each match by hand.

When a rule matches a new entry, whether it is a domain, a string, an IOC, or a correlation pattern, the system automatically escalates it to the Response module, where an incident is created with full context and enrichment.

This feature is designed to reduce reaction time, automate repetitive detection tasks, and encode organizational threat models into reusable and auditable rules.


Rule Types

Inopli supports four rule syntaxes, each suited to different detection needs:

  • Structured Query Rules: human-readable logic that lets analysts define conditional search patterns based on fields, values, and Boolean operators.

  • YARA Rules: used for defining byte-level or string-level conditions. These rules support regular expressions (regex) for advanced matching of malware signatures, credential formats, file patterns, or encoded strings. Regex enables the detection of obfuscation techniques and of payloads whose content varies in structure.

  • XML Match Rules: designed to match specific tags, attributes, or values in structured XML content. These rules also support regex within node values or attribute conditions, allowing flexible pattern recognition in feeds, form submissions, or structured artifacts.

  • Sigma Detection Rules: YAML-based rules inspired by the Sigma standard, allowing analysts to write abstract, backend-agnostic detection logic. Inopli parses these rules and translates them into native queries over the DRP dataset. This format is especially useful for expressing multi-field correlation patterns and structured IOC detections.


Detection & Escalation Flow

  1. The analyst defines a rule and saves it in the rule engine.

  2. The engine continuously scans new DRP entries in real time.

  3. When a match is found, it is enriched and validated automatically.

  4. If the rule's thresholds or severity conditions are met, an incident is automatically created in the Response module.
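To make the four steps above and the regex-capable rule types from the Rule Types list concrete, here is an added example written for this page. It is not Inopli's code: the rule kinds (`sigma`, `regex`, `xml`), the entry fields (`id`, `type`, `value`, `source`, `content`), the supported Sigma condition grammar, and the severity scale are all assumptions, and the DRP entries are constructed sample data. The engine evaluates a Sigma-style selection-and-filter rule, a YARA-like regex string condition, and an XML attribute match over each entry, enriches every hit with the context a responder needs, and escalates only hits at or above a severity threshold.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed severity scale used for the escalation threshold.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Rule:
    name: str
    kind: str        # "sigma", "regex" or "xml" (assumed rule kinds)
    severity: str
    spec: dict


def _field_matches(field_spec: str, expected, entry: dict) -> bool:
    """Evaluate one Sigma-style 'field|modifier: value(s)' pair; a list means OR."""
    name, _, modifier = field_spec.partition("|")
    actual = str(entry.get(name, ""))
    values = expected if isinstance(expected, list) else [expected]
    for v in values:
        if modifier == "contains" and str(v) in actual:
            return True
        if modifier == "re" and re.search(str(v), actual):
            return True
        if modifier == "" and actual == str(v):
            return True
    return False


def match_sigma(spec: dict, entry: dict) -> bool:
    """Sigma-like detection: named selections joined by 'A', 'A and B', 'A and not B'."""
    results = {
        name: all(_field_matches(f, v, entry) for f, v in sel.items())
        for name, sel in spec.items() if name != "condition"
    }
    tokens = spec["condition"].split()
    verdict = results[tokens[0]]
    i = 1
    while i < len(tokens):
        if tokens[i] != "and":
            raise ValueError(f"unsupported condition: {spec['condition']}")
        negate = tokens[i + 1] == "not"
        operand = results[tokens[i + 2 if negate else i + 1]]
        verdict = verdict and (not operand if negate else operand)
        i += 3 if negate else 2
    return verdict


def match_regex(spec: dict, entry: dict) -> bool:
    """YARA-style string condition: a regex over the raw entry content."""
    return re.search(spec["pattern"], entry.get("content", "")) is not None


def match_xml(spec: dict, entry: dict) -> bool:
    """XML match rule: regex over an attribute (or the text) of every node with a given tag."""
    try:
        root = ET.fromstring(entry.get("content", ""))
    except ET.ParseError:
        return False          # not well-formed XML, so an XML rule cannot match
    pattern = re.compile(spec["pattern"])
    for node in root.iter(spec["tag"]):
        target = node.get(spec["attr"]) if spec.get("attr") else (node.text or "")
        if target and pattern.search(target):
            return True
    return False


MATCHERS = {"sigma": match_sigma, "regex": match_regex, "xml": match_xml}


def scan(rules, entries, min_severity="medium"):
    """Run every rule over every new entry; return the hits that pass the severity gate."""
    incidents = []
    for entry in entries:
        for rule in rules:
            if not MATCHERS[rule.kind](rule.spec, entry):
                continue
            # Enrichment: carry what a responder needs so no second lookup is required.
            incident = {"rule": rule.name, "severity": rule.severity, "entry_id": entry["id"],
                        "source": entry.get("source"), "indicator": entry.get("value")}
            # Escalation gate: only matches at or above the threshold become incidents.
            if SEVERITY[rule.severity] >= SEVERITY[min_severity]:
                incidents.append(incident)
    return incidents


RULES = [  # hypothetical rules for a bank whose real domain is examplebank.com
    Rule("bank-lookalike-domain", "sigma", "high", {
        "selection": {"type": "domain", "value|contains": ["examplebank", "example-bank"]},
        "filter": {"value|re": [r"(^|\.)examplebank\.com$"]},   # exclude the legitimate zone
        "condition": "selection and not filter"}),
    Rule("leaked-aws-access-key", "regex", "critical", {"pattern": r"\bAKIA[0-9A-Z]{16}\b"}),
    Rule("credential-harvesting-form", "xml", "medium",
         {"tag": "input", "attr": "name", "pattern": r"(?i)pass(word)?"}),
    Rule("any-paste", "sigma", "low", {"selection": {"type": "paste"}, "condition": "selection"}),
]

ENTRIES = [  # constructed sample DRP entries, not real data
    {"id": "e1", "type": "domain", "value": "login-examplebank.com", "source": "ct-logs"},
    {"id": "e2", "type": "domain", "value": "www.examplebank.com", "source": "ct-logs"},
    {"id": "e3", "type": "paste", "value": "paste/9f2a", "source": "paste-site",
     "content": "cfg: aws_access_key_id=AKIAIOSFODNN7EXAMPLE region=us-east-1"},
    {"id": "e4", "type": "form", "value": "https://example.invalid/login", "source": "crawler",
     "content": '<form action="/collect"><input name="username"/>'
                '<input name="password" type="password"/></form>'},
]

if __name__ == "__main__":
    for inc in scan(RULES, ENTRIES):
        print(inc)
```

With the default threshold of `medium`, entry e1 escalates as a high-severity lookalike domain, e3 as a critical credential leak, and e4 as a medium-severity harvesting form; e2 is suppressed by the filter because it is the bank's own zone, and the low-severity `any-paste` hit on e3 matches but never becomes an incident. The point of the filter and the gate is the same one the flow above makes: matching alone is not enough, and the rule's own severity and exclusions decide what reaches the Response module.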

