XML

XML Match Rules are designed for detecting threats or patterns within structured data sources that use XML formatting. This rule type is ideal for processing feeds, form submissions, third-party alerts, and content with hierarchical tagging such as threat reports, leak disclosures, or machine-readable submissions.

These rules allow analysts to define precise conditions over specific XML nodes, attributes, or values. They support regular expressions (regex) for flexible pattern matching within content and provide fine-grained control over structured data inspection.


Rule Structure

Each XML rule includes:

  • Target Element(s): the XML node or attribute to inspect (e.g., <email>, <domain>, @type)

  • Condition: logic defining what should be matched. Conditions can include:

    • Exact value match

    • Partial string match

    • Regex match

  • Severity: optional impact classification (low, medium, high)

Regex Support

Regex can be used to:

  • Identify email domains, credential patterns, or encoded values

  • Detect naming conventions in tags or attributes

  • Match variations in formatting across data sources

The regex is supplied in the regex attribute of <condition>, as in the example below. Because these patterns run over third-party content, avoid nested or overlapping quantifiers (e.g., (a+)+) that can be driven into catastrophic backtracking by a crafted submission.

<rule>
  <condition regex=".*unauthorized\s+access.*" />
  <severity>high</severity>
</rule>

Use Cases

  • Flag indicators in external CTI feeds

  • Match credentials or tokens in structured breach dumps

  • Detect abuse types in standardized incident formats (e.g., STIX 1.x documents; STIX 2.x is JSON-based, and TAXII is the transport protocol rather than a document format)

  • Monitor custom fields in partner submissions or open disclosure reports


Incident Triggering

When an XML Match Rule finds a match in newly ingested structured content, the result is classified and enriched. If it meets the predefined criteria, it triggers an incident in the Response module automatically.
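The following is an added illustration, not the platform's own code, of how the rule model described above (target element or attribute, exact/partial/regex condition, severity) evaluates against an ingested XML feed and how a severity floor decides which hits become incidents. The Rule dataclass, the "tag@attr" target notation, the feed contents and the rule names are assumptions made for the example. The feed is parsed with a DOCTYPE refused up front, because third-party XML is exactly where entity-expansion and external-entity payloads arrive.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed; hostnames, addresses and text are placeholders.
SAMPLE_FEED = """<?xml version="1.0"?>
<feed>
  <indicator type="domain"><value>login-corp-example.test</value></indicator>
  <indicator type="email"><value>admin@corp.example</value></indicator>
  <report id="r1"><summary>Unauthorized   ACCESS to the finance share</summary></report>
</feed>
"""

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Rule:
    """Hypothetical in-memory form of an XML match rule (assumed for this example)."""
    name: str
    target: str        # element tag ("summary") or "tag@attr" ("indicator@type")
    match: str         # "exact", "contains" or "regex"
    value: str         # literal value or regex pattern
    severity: str = "low"


def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse XML from an external source.

    A DOCTYPE is refused outright so entity expansion (billion laughs) and
    external-entity tricks never reach the parser; feeds and form submissions
    have no legitimate need for one.
    """
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not permitted in untrusted XML")
    return ET.fromstring(xml_text)


def _candidates(root: ET.Element, target: str):
    """Yield (location, text) for every node or attribute the target names."""
    tag, _, attr = target.partition("@")
    for elem in root.iter(tag):
        if attr:
            if attr in elem.attrib:
                yield f"{tag}@{attr}", elem.attrib[attr]
        else:
            yield tag, (elem.text or "").strip()


def _condition_holds(rule: Rule, text: str) -> bool:
    if rule.match == "exact":
        return text == rule.value
    if rule.match == "contains":
        return rule.value in text
    if rule.match == "regex":
        # re.search scans the whole string, so leading/trailing ".*" are unnecessary.
        return re.search(rule.value, text, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type {rule.match!r}")


def evaluate(rules, root: ET.Element):
    """Return every (rule, location, matched text) hit, in rule order."""
    hits = []
    for rule in rules:
        for location, text in _candidates(root, rule.target):
            if _condition_holds(rule, text):
                hits.append({"rule": rule.name, "severity": rule.severity,
                             "location": location, "matched": text})
    return hits


def incident_worthy(hits, threshold: str = "medium"):
    """Keep only hits at or above the severity that should open an incident."""
    floor = SEVERITY_RANK[threshold]
    return [h for h in hits if SEVERITY_RANK[h["severity"]] >= floor]


# Constructed rules covering each condition type from the rule structure above.
RULES = [
    Rule("exposed-email", "indicator@type", "exact", "email", "medium"),
    Rule("lookalike-domain", "value", "regex", r"^login-.*\.test$", "high"),
    Rule("unauthorized-access", "summary", "regex", r"unauthorized\s+access", "high"),
    Rule("ransom-note", "value", "contains", "ransom", "low"),
]

if __name__ == "__main__":
    root = parse_untrusted(SAMPLE_FEED)
    for hit in incident_worthy(evaluate(RULES, root), "medium"):
        print(hit)
```

Attribute targets are resolved separately from element text so that a rule for @type never accidentally matches a node's content; the severity floor is applied after evaluation so that low-severity hits are still recorded for enrichment without opening an incident.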
