> For the complete documentation index, see [llms.txt](https://docs.inopli.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.inopli.com/drp/advanced-features/automatic-search-rules/structured-query-rules.md).

# Structured Query Rules

<mark style="color:green;">**Structured Query Rules**</mark> allow analysts to define custom detection logic using a readable query syntax that filters and correlates threat signals based on field values, Boolean conditions, and pattern matches. This format is ideal for teams that want to express precise conditions over the normalized threat intelligence dataset without relying on low-level syntax.

These rules operate continuously over incoming findings within the DRP module and are capable of triggering automated incidents in the Response module when a match is detected.

***

### Rule Syntax Overview

Structured Query Rules support field-based filters, comparison operators, Boolean logic, and nested conditions. The constructs used in this page's examples are:

* <mark style="color:green;">Field equality</mark>:\
  `type = "domain"`
* <mark style="color:green;">Numeric comparison</mark>:\
  `confidence >= 80`
* <mark style="color:green;">String containment</mark>:\
  `value contains "gov.br"`
* <mark style="color:green;">String suffix</mark>:\
  `value endswith ".zip"`
* <mark style="color:green;">Lists and sets</mark>:\
  `category in ["phishing", "malware"]`
* <mark style="color:green;">Boolean logic</mark>:\
  `type = "email" AND confidence >= 80 AND threat_data = "public"`
* <mark style="color:green;">Negation</mark>:\
  `NOT type = "hash"`

***

### Use Cases

Some examples of how Structured Query Rules can be used:

* Detect newly ingested `.zip` domains with medium or high risk:\
  `value endswith ".zip" AND risk_level in ["medium", "high"]`\
  The rule itself only tests the value suffix and the risk level; recency comes from the engine evaluating rules against new entries as they arrive. Because `value` is not restricted by `type`, the rule as written also matches any other entry whose value ends in `.zip` (a file name, for instance); add `AND type = "domain"` to scope it to domains.
* Match credentials leaked from specific business units:\
  `value contains "@diazero.com" AND department = "Finance"`
* Flag phishing emails targeting executives:\
  `type = "email" AND target_group = "executive" AND category = "phishing"`
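To make the syntax and use cases above concrete, the following Python is a small reference evaluator written for this page. It is an added example, not Inopli's engine or editor: the token grammar, operator precedence (NOT binds tighter than AND), parenthesised nesting, case-sensitive string matching, float conversion of numeric literals, and the rule that a comparison on a field the finding lacks is false (so `NOT type = "hash"` still matches an entry with no `type` at all) are assumptions, since the page does not specify them. It parses the page's own example rules and runs them over a handful of constructed findings, the way the DRP engine would run every enabled rule over each ingested entry.

```python
"""Reference evaluator for the rule syntax on this page: an added example, not Inopli's engine.
Assumed where the page is silent: parentheses nest conditions, NOT binds tighter than AND, matching is
case-sensitive, numbers compare numerically, and a comparison on a missing field is false."""
import operator
import re

_TOKEN = re.compile(r'\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<str>"[^"]*")|(?P<op>>=|<=|!=|=|>|<|\[|\]|,|\(|\))'
                    r'|(?P<word>[A-Za-z_][A-Za-z0-9_.]*)|(?P<bad>\S))')
_ORDERED = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, ">=": operator.ge,
            "<": operator.lt, "<=": operator.le}

def tokenize(text):
    """Split a rule into (kind, value) pairs; quotes are stripped and numbers become floats."""
    toks = []
    for m in _TOKEN.finditer(text.strip()):
        kind, val = m.lastgroup, m.group(m.lastgroup)
        if kind == "bad":
            raise ValueError(f"cannot tokenize rule at offset {m.start(kind)}: {val!r}")
        toks.append((kind, float(val) if kind == "num" else val[1:-1] if kind == "str" else val))
    return toks

def parse(text):
    """Recursive descent returning a nested-tuple AST. Grammar, loosest first: and := not (AND not)* ;
    not := NOT not | atom ; atom := ( and ) | field comparator literal | field in [ literal, ... ]"""
    toks = tokenize(text)
    peek = lambda: toks[0] if toks else (None, None)
    keyword = lambda name: peek()[0] == "word" and peek()[1].lower() == name
    def expect(kinds, val=None):  # consume the next token, which must have one of `kinds`
        tok = toks.pop(0) if toks else (None, None)
        if tok[0] not in kinds or (val is not None and tok[1] != val):
            raise ValueError(f"expected {val or '/'.join(kinds)}, got {tok}")
        return tok[1]
    def atom():
        if peek() == ("op", "("):  # parenthesised sub-condition (assumed syntax)
            toks.pop(0); node = and_(); expect(("op",), ")"); return node
        field = expect(("word",))
        k, v = toks.pop(0) if toks else (None, None)
        op = v.lower() if k == "word" else v if k == "op" else None
        if op in _ORDERED or op in ("contains", "endswith"):
            return ("cmp", op, field, expect(("str", "num")))
        if op == "in":  # field in ["a", "b"]
            expect(("op",), "["); items = []
            while peek() != ("op", "]"):
                items.append(expect(("str", "num")))
                if peek() == ("op", ","): toks.pop(0)
            expect(("op",), "]")
            return ("cmp", "in", field, items)
        raise ValueError(f"expected an operator after field {field!r}, got {(k, v)}")
    def not_():
        if keyword("not"):
            toks.pop(0); return ("not", not_())
        return atom()
    def and_():
        node = not_()
        while keyword("and"):
            toks.pop(0); node = ("and", node, not_())
        return node
    node = and_()
    if toks: raise ValueError(f"unexpected trailing tokens: {toks}")
    return node

def evaluate(node, finding):
    """Apply a parsed rule to one normalized finding (a plain dict)."""
    if node[0] == "and":
        return evaluate(node[1], finding) and evaluate(node[2], finding)
    if node[0] == "not":
        return not evaluate(node[1], finding)
    _, cmp, field, rhs = node
    if field not in finding:  # assumption: an absent field never satisfies a comparison
        return False
    lhs = finding[field]
    try:
        if cmp == "in":
            return lhs in rhs
        if cmp in ("contains", "endswith"):
            return isinstance(lhs, str) and (rhs in lhs if cmp == "contains" else lhs.endswith(rhs))
        return _ORDERED[cmp](lhs, rhs)
    except TypeError:  # e.g. a string field ordered against a number, or endswith with a number
        return False

def run_rules(rules, findings):
    """Return {rule name: [ids of matching findings]}, as a continuous engine would per ingested entry."""
    asts = {name: parse(query) for name, query in rules.items()}
    return {name: [f["id"] for f in findings if evaluate(ast, f)] for name, ast in asts.items()}

RULES = {  # the page's own example rules, plus one (assumed) parenthesised negation
    "zip_domains": 'value endswith ".zip" AND risk_level in ["medium", "high"]',
    "finance_creds": 'value contains "@diazero.com" AND department = "Finance"',
    "exec_phishing": 'type = "email" AND target_group = "executive" AND category = "phishing"',
    "public_email": 'type = "email" AND confidence >= 80 AND threat_data = "public"',
    "not_low_domain": 'NOT (type = "domain" AND risk_level = "low")',
}
FINDINGS = [  # constructed sample findings: field names follow the page, values are invented
    {"id": "f1", "type": "domain", "value": "invoice-update.zip", "risk_level": "high"},
    {"id": "f2", "type": "domain", "value": "cdn-assets.zip", "risk_level": "low"},
    {"id": "f3", "type": "credential", "value": "maria@diazero.com", "department": "Finance"},
    {"id": "f4", "type": "email", "value": "payroll-notice", "target_group": "executive",
     "category": "phishing", "confidence": 85, "threat_data": "public"},
]
```

Calling `run_rules(RULES, FINDINGS)` returns `{"zip_domains": ["f1"], "finance_creds": ["f3"], "exec_phishing": ["f4"], "public_email": ["f4"], "not_low_domain": ["f1", "f3", "f4"]}`. Two behaviours worth noticing when writing rules: a negated rule matches entries that lack the negated field entirely, and a numeric comparison against a field that holds a string is simply false rather than an error, so a mistyped field name silently produces no matches. Rules are parsed once and the AST is reused per entry, which is the shape a continuously running engine needs.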

***

### Rule Behavior

Once a rule is saved and enabled, it runs in real time against every new entry ingested by the <mark style="color:green;">DRP engine</mark>. When an entry matches, the result is enriched and validated and, if eligible, escalated as an incident in the **Response** module.

***

To create a new rule, users can access the <mark style="color:green;">**Structured Rule Editor**</mark> via the platform’s interface. This editor supports live syntax validation and preview of matching entries.


