
# Automatic Search Rules

<mark style="color:green;">**Automatic Search Rules**</mark> allow security teams to define and deploy custom correlation logic that continuously monitors the <mark style="color:green;">Inopli DRP</mark> dataset for matching patterns, indicators, or behaviors. These rules operate on top of the internal threat intelligence index and can proactively trigger incidents without requiring manual validation.

When a rule matches a new entry, whether it's a domain, string, IOC, or correlation pattern, the system automatically escalates it to the <mark style="color:green;">**Response**</mark> module, where an incident is created with full context and enrichment.

This feature is designed to reduce reaction time, automate repetitive detection tasks, and encode organizational threat models into reusable and auditable rules.

***

### Rule Types

Inopli supports the following rule syntaxes, each suited to different detection needs:

* <mark style="color:green;">**Structured Query Rules**</mark>\
  Human-readable logic designed for analysts to define conditional search patterns based on values, fields, and Boolean logic.
* <mark style="color:green;">**YARA Rules**</mark>\
  Used for defining byte-level or string-level conditions. These rules support <mark style="color:green;">**regular expressions (regex)**</mark> for advanced matching of malware signatures, credential formats, file patterns, or encoded strings. Regex enables the detection of complex obfuscation techniques or variable content structure in payloads.
* <mark style="color:green;">**XML Match Rules**</mark>\
  Designed to match specific tags, attributes, or values in structured XML content. These rules also support <mark style="color:green;">**regex**</mark> within node values or attribute conditions, allowing flexible pattern recognition in feeds, form submissions, or structured artifacts.
* <mark style="color:green;">**Sigma Detection Rules**</mark>\
  YAML-based rules inspired by the Sigma standard, allowing analysts to write abstract, backend-agnostic detection logic. <mark style="color:green;">Inopli</mark> parses these rules and translates them into native queries over the DRP dataset. This format is especially useful for expressing multi-field correlation patterns and structured IOC detections.

***

### Detection & Escalation Flow

1. The analyst defines a rule and saves it in the rule engine.
2. The engine continuously scans new DRP entries in real time.
3. When a match is found, it is enriched and validated.
4. If thresholds or severity conditions are met, an incident is automatically created in the **Response** module.

***

**Pages in this section:**

* [Structured Query Rules](/drp/advanced-features/automatic-search-rules/structured-query-rules.md)
* [YARA Rules](/drp/advanced-features/automatic-search-rules/yara.md)
* [XML Match Rules](/drp/advanced-features/automatic-search-rules/xml.md)
* [SIGMA Rules](/drp/advanced-features/automatic-search-rules/sigma.md)
