# Automatic Search Rules

<mark style="color:green;">**Automatic Search Rules**</mark> allow security teams to define and deploy custom correlation logic that continuously monitors the <mark style="color:green;">Inopli DRP</mark> dataset for matching patterns, indicators, or behaviors. These rules operate on top of the internal threat intelligence index and can proactively trigger incidents without requiring manual validation.

When a rule matches a new entry, whether it is a domain, string, IOC, or correlation pattern, the system automatically escalates it to the <mark style="color:green;">**Response**</mark> module, where an incident is created with full context and enrichment.

This feature is designed to reduce reaction time, automate repetitive detection tasks, and encode organizational threat models into reusable and auditable rules.

***

### Rule Types

Inopli supports the following rule syntaxes, each suited to different detection needs:

* <mark style="color:green;">**Structured Query Rules**</mark>\
  Human-readable logic designed for analysts to define conditional search patterns based on values, fields, and Boolean logic.
* <mark style="color:green;">**YARA Rules**</mark>\
  Used for defining byte-level or string-level conditions. These rules support <mark style="color:green;">**regular expressions (regex)**</mark> for advanced matching of malware signatures, credential formats, file patterns, or encoded strings. Regex enables the detection of complex obfuscation techniques or variable content structure in payloads.
* <mark style="color:green;">**XML Match Rules**</mark>\
  Designed to match specific tags, attributes, or values in structured XML content. These rules also support <mark style="color:green;">**regex**</mark> within node values or attribute conditions, allowing flexible pattern recognition in feeds, form submissions, or structured artifacts.
* <mark style="color:green;">**Sigma Detection Rules**</mark>\
  YAML-based rules inspired by the Sigma standard, allowing analysts to write abstract, backend-agnostic detection logic. <mark style="color:green;">Inopli</mark> parses these rules and translates them into native queries over the DRP dataset. This format is especially useful for expressing multi-field correlation patterns and structured IOC detections.

***

### Detection & Escalation Flow

1. The analyst defines a rule and saves it in the rule engine.
2. The engine continuously scans new DRP entries in real time.
3. When a match is found, it is enriched and validated.
4. If thresholds or severity conditions are met, an incident is automatically created in the **Response** module.
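The flow above, and the Sigma-inspired rule format described under Rule Types, as an added illustration (example code, not Inopli's engine): a rule written as the Python equivalent of its YAML is matched against constructed DRP entries with field and regex modifiers, the `filter` block is negated as in Sigma conditions, and an incident is produced only once the match threshold is reached. The field names (`entry_type`, `domain`, `page_text`), the `threshold` key and the sample data are assumptions, not Inopli's schema.

```python
import re
# Constructed Sigma-style rule as the Python equivalent of its YAML; field names and the threshold key are assumed.
RULE = {
    "title": "Lookalike domain serving a login page", "level": "high",
    "detection": {
        "selection": {
            "entry_type": "domain",
            "domain|re": r"^(?:[a-z0-9-]+\.)*examp1e-corp\.(?:com|net)$",
            "page_text|re": r"(?i)password|login",
        },
        "filter": {"domain": "examp1e-corp.com"},  # already triaged (constructed)
        "condition": "selection and not filter",
    },
    "threshold": 2,  # matching entries required before an incident is raised
}

ENTRIES = [  # constructed DRP entries standing in for newly indexed data
    {"entry_type": "domain", "domain": "login.examp1e-corp.com", "page_text": "Enter your password"},
    {"entry_type": "domain", "domain": "examp1e-corp.com", "page_text": "Login - password reset"},
    {"entry_type": "domain", "domain": "examp1e-corp.net", "page_text": "Please login"},
]

def field_matches(rule_value, actual, modifier):
    # Sigma-style modifiers: 're' applies a regex; otherwise the value must match exactly.
    values = rule_value if isinstance(rule_value, list) else [rule_value]
    actual = str(actual or "")
    match = (lambda v: re.search(v, actual)) if modifier == "re" else (lambda v: actual == str(v))
    return any(match(v) for v in values)

def selection_matches(selection, entry):
    # Every field in a selection map must match (Sigma map semantics).
    return all(field_matches(v, entry.get(k.partition("|")[0]), k.partition("|")[2])
               for k, v in selection.items())

def entry_matches(rule, entry):
    # Evaluate a condition of the form 'A and B and not C'.
    det = rule["detection"]
    for clause in det["condition"].split(" and "):
        negate = clause.startswith("not ")
        if selection_matches(det[clause[4:] if negate else clause], entry) == negate:
            return False
    return True

def evaluate(rule, entries):
    # Escalation step: an incident is raised only once hits reach the threshold, else None.
    hits = [e for e in entries if entry_matches(rule, e)]
    if len(hits) < rule.get("threshold", 1):
        return None
    return {"title": rule["title"], "severity": rule["level"],
            "indicators": sorted(e["domain"] for e in hits)}
```

Running `evaluate(RULE, ENTRIES)` yields one incident carrying the two lookalike domains, while the already-triaged domain is suppressed by the negated `filter` block.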

***

**Pages in this section:**

* [Structured Query Rules](https://docs.inopli.com/drp/advanced-features/automatic-search-rules/structured-query-rules)
* [YARA Rules](https://docs.inopli.com/drp/advanced-features/automatic-search-rules/yara)
* [XML Match Rules](https://docs.inopli.com/drp/advanced-features/automatic-search-rules/xml)
* [SIGMA Rules](https://docs.inopli.com/drp/advanced-features/automatic-search-rules/sigma)
