Structured Query Rules

Structured Query Rules allow analysts to define custom detection logic using a readable query syntax that filters and correlates threat signals based on field values, Boolean conditions, and pattern matches. This format is ideal for teams that want to express precise conditions over the normalized threat intelligence dataset without relying on low-level syntax.

These rules operate continuously over incoming findings within the DRP module and are capable of triggering automated incidents in the Response module when a match is detected.


Rule Syntax Overview

Structured Query Rules support logical operators, field-based filters, and nested conditions. Supported constructs include:

  • Field equality: type = "domain"

  • String containment: value contains "gov.br"

  • Lists and sets: category in ["phishing", "malware"]

  • Boolean logic: type = "email" AND confidence >= 80 AND threat_data = "public"

  • Negation: NOT type = "hash"


Use Cases

Some examples of how Structured Query Rules can be used:

  • Detect newly registered .zip domains with medium or high risk: value endswith ".zip" AND risk_level in ["medium", "high"]

  • Match credentials leaked from specific business units: value contains "@diazero.com" AND department = "Finance"

  • Flag phishing emails targeting executives: type = "email" AND target_group = "executive" AND category = "phishing"
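The constructs listed under Rule Syntax Overview and the three use-case rules above, run through a small evaluator added here as an illustration; it is not the platform's own rule engine and the grammar it accepts is an assumption. It treats a finding as a plain dict with lowercase field names (words in a rule are lowercased), supports =, !=, >=, <=, in, contains, endswith, AND, NOT and parentheses, and counts a missing field or a text-versus-number comparison as no match rather than an error; the sample findings are constructed.

```python
import re  # added example: grammar, field names and sample findings are assumptions, not the platform's code
TOKEN_RE = re.compile(r'("[^"]*")|(\d+(?:\.\d+)?)|(>=|<=|!=|[=<>()\[\],])|(\w+)')
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "in": lambda a, b: a in b, "contains": lambda a, b: b in a, "endswith": lambda a, b: a.endswith(b)}

def tokenize(text):  # ('str', s) | ('num', x) | ('sym', word_or_operator); words are lowercased
    return [("str", s[1:-1]) if s else ("num", float(n)) if n else ("sym", (op or w).lower())
            for s, n, op, w in TOKEN_RE.findall(text)]

def compile_rule(text):  # rule text -> predicate over a finding dict; precedence: AND < NOT < parentheses
    toks, i = tokenize(text), 0
    def take(kind, val=None):  # consume the next token if it matches, otherwise return None
        nonlocal i
        if i < len(toks) and toks[i][0] == kind and val in (None, toks[i][1]):
            i += 1; return toks[i - 1]
    def need(kind, val=None):  # like take, but a missing token is a syntax error
        t = take(kind, val)
        if not t: raise ValueError(f"expected {val or kind!r} at token {i}")
        return t
    def and_expr():
        left = unary()
        while take("sym", "and"): left = (lambda l, r: lambda f: l(f) and r(f))(left, unary())
        return left
    def unary():
        if take("sym", "not"):
            inner = unary(); return lambda f: not inner(f)
        if take("sym", "("):
            inner = and_expr(); need("sym", ")"); return inner
        field, op = take("sym"), take("sym")
        if not field or not op or op[1] not in OPS: raise ValueError(f"bad comparison at token {i}")
        if op[1] == "in":
            need("sym", "["); rhs = []
            while not take("sym", "]"): rhs.append((take("str") or need("num"))[1]); take("sym", ",")
        else:
            rhs = (take("str") or need("num"))[1]
        def test(f, name=field[1], fn=OPS[op[1]], rhs=rhs):
            try: return name in f and bool(fn(f[name], rhs))  # a missing field never matches
            except (TypeError, AttributeError): return False  # text compared with a number: no match
        return test
    pred = and_expr()
    if i != len(toks): raise ValueError("unexpected trailing tokens")
    return pred
FINDINGS = [  # constructed sample findings, not real data
    {"type": "domain", "value": "promo-update.zip", "risk_level": "high"},
    {"type": "email", "value": "ceo@diazero.com", "category": "phishing", "target_group": "executive", "confidence": 85},
    {"type": "hash", "value": "<hash placeholder>", "risk_level": "low", "confidence": "n/a"}]
def matching_values(rule_text, findings=FINDINGS):
    rule = compile_rule(rule_text)  # compile once, then run it against every finding
    return [f["value"] for f in findings if rule(f)]
```

A rule that references a field the finding lacks (department in the second use case) simply does not match, which is the behaviour to confirm before relying on a rule for escalation.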


Rule Behavior

Once a rule is saved and enabled, it runs in real time against every new entry ingested by the DRP engine. If a match is found, the result is enriched, validated, and, if eligible, escalated as an incident in the Response module.


To create a new rule, users can access the Structured Rule Editor via the platform’s interface. This editor supports live syntax validation and preview of matching entries.
