> For the complete documentation index, see [llms.txt](https://docs.inopli.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.inopli.com/drp/advanced-features/automatic-search-rules/xml.md).

# XML

<mark style="color:green;">**XML Match Rules**</mark> are designed for detecting threats or patterns within structured data sources that use XML formatting. This rule type is ideal for processing feeds, form submissions, third-party alerts, and content with hierarchical tagging such as threat reports, leak disclosures, or machine-readable submissions.

These rules allow analysts to define precise conditions over specific XML nodes, attributes, or values. They support <mark style="color:green;">**regular expressions (regex)**</mark> for flexible pattern matching within content and provide fine-grained control over structured data inspection.

***

### Rule Structure

Each XML rule includes:

* <mark style="color:green;">**Target Element(s)**</mark>\
  The XML node or attribute to inspect (e.g., `<email>`, `<domain>`, `@type`)
* <mark style="color:green;">**Condition**</mark>\
  Logic defining what should be matched. Conditions can include:
  * Exact value match
  * Partial string match
  * **Regex match**
* <mark style="color:green;">**Severity**</mark>\
  Optional impact classification (`low`, `medium`, `high`)

### Regex Support

Regex can be used to:

* Identify email domains, credential patterns, or encoded values
* Detect naming conventions in tags or attributes
* Match variations in formatting across data sources

A regex condition is written in the `regex` attribute of `<condition>`. The rule below fires on content that mentions "unauthorized access" with any amount of whitespace between the two words (`\s+`). Whether a pattern must cover the whole value or may match anywhere inside it, and whether matching is case-sensitive, depends on the rule engine; the surrounding `.*` make the pattern work under either anchoring convention:

```xml
<rule>
  <condition regex=".*unauthorized\s+access.*" />
  <severity>high</severity>
</rule>
```
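The following Python example, added here and not part of Inopli's engine or documentation, shows how the three parts of a rule (target element or attribute, condition type, severity) can be evaluated against an XML feed. The `XmlRule` class, the `"/@attr"` target syntax, and the sample feed are assumptions for the illustration; the real rule schema is not shown on this page.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


# Hypothetical rule representation for this example only; the page describes
# the three parts of a rule but not the exact schema.
@dataclass(frozen=True)
class XmlRule:
    name: str
    target: str        # ElementTree path; append "/@attr" to inspect an attribute
    condition: str     # "exact", "partial" or "regex"
    value: str
    severity: str = "medium"   # "low", "medium" or "high"


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _target_values(root, target):
    """Yield the text of each element, or the attribute value, selected by target."""
    path, sep, attr = target.partition("/@")
    for el in root.findall(path or "."):
        if sep:
            if attr in el.attrib:
                yield el.attrib[attr]
        else:
            yield (el.text or "").strip()


def _condition(rule):
    """Build a predicate for the rule's condition type."""
    if rule.condition == "exact":
        return lambda v: v == rule.value
    if rule.condition == "partial":
        return lambda v: rule.value in v
    if rule.condition == "regex":
        # Unanchored, case-insensitive search, so ".*" padding is unnecessary.
        # Patterns are treated as trusted configuration here; patterns from
        # untrusted users need a backtracking limit, which Python's re lacks.
        pattern = re.compile(rule.value, re.IGNORECASE)
        return lambda v: pattern.search(v) is not None
    raise ValueError(f"unknown condition type: {rule.condition!r}")


def evaluate_rules(xml_text, rules):
    """Run every rule over the document and return hits sorted by severity."""
    # Feeds are untrusted input: ElementTree/expat does not fetch external
    # entities, but for hostile or very large feeds prefer defusedxml.
    root = ET.fromstring(xml_text)
    hits = []
    for rule in rules:
        if rule.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity: {rule.severity!r}")
        matches = _condition(rule)
        for value in _target_values(root, rule.target):
            if matches(value):
                hits.append({"rule": rule.name, "severity": rule.severity,
                             "target": rule.target, "value": value})
    hits.sort(key=lambda h: SEVERITY_RANK[h["severity"]])  # stable: rule order within a level
    return hits


# Constructed sample feed (not real data).
SAMPLE_FEED = """<feed>
  <report type="leak">
    <title>Unauthorized   ACCESS to customer portal</title>
    <email>jdoe@example.com</email>
  </report>
  <report type="phishing">
    <title>New lookalike domain registered</title>
    <domain>examp1e.com</domain>
  </report>
</feed>"""

RULES = [
    XmlRule("unauthorized-access", ".//title", "regex", r"unauthorized\s+access", "high"),
    XmlRule("corp-email", ".//email", "regex", r"@example\.com$", "medium"),
    XmlRule("report-type-leak", ".//report/@type", "exact", "leak", "low"),
    XmlRule("lookalike-domain", ".//domain", "partial", "examp1e", "medium"),
    XmlRule("exact-domain", ".//domain", "exact", "example.com", "medium"),  # no hit: strict compare
]

if __name__ == "__main__":
    for hit in evaluate_rules(SAMPLE_FEED, RULES):
        print(f"[{hit['severity']}] {hit['rule']}: {hit['target']} = {hit['value']!r}")
```

Note how the `exact-domain` rule misses the lookalike `examp1e.com` while `partial` and `regex` conditions catch it; choose the condition type by how much formatting variation the source is expected to have.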

***

### Use Cases

* Flag indicators in external CTI feeds
* Match credentials or tokens in structured breach dumps
* Detect abuse types in standardized XML incident formats (e.g., STIX 1.x; note that STIX 2.x is JSON-based and TAXII is a transport protocol rather than a content format)
* Monitor custom fields in partner submissions or open disclosure reports

***

### Incident Triggering

When an XML Match Rule matches newly ingested structured content, the result is classified and enriched. If the enriched result meets the configured criteria, it automatically opens an <mark style="color:green;">**incident in the Response module**</mark>.

