# XML

<mark style="color:green;">**XML Match Rules**</mark> are designed for detecting threats or patterns within structured data sources that use XML formatting. This rule type is ideal for processing feeds, form submissions, third-party alerts, and content with hierarchical tagging such as threat reports, leak disclosures, or machine-readable submissions.

These rules allow analysts to define precise conditions over specific XML nodes, attributes, or values. They support <mark style="color:green;">**regular expressions (regex)**</mark> for flexible pattern matching within content and provide fine-grained control over structured data inspection.

***

### Rule Structure

Each XML rule includes:

* <mark style="color:green;">**Target Element(s)**</mark>\
  The XML node or attribute to inspect (e.g., `<email>`, `<domain>`, `@type`)
* <mark style="color:green;">**Condition**</mark>\
  Logic defining what should be matched. Conditions can include:
  * Exact value match
  * Partial string match
  * **Regex match**
* <mark style="color:green;">**Severity**</mark>\
  Optional impact classification (`low`, `medium`, `high`)

### Regex Support

Regex can be used to:

* Identify email domains, credential patterns, or encoded values
* Detect naming conventions in tags or attributes
* Match variations in formatting across data sources

A regex condition is written as the `regex` attribute of `<condition>`. The rule below (shown without its target element) flags any value that mentions unauthorized access; `\s+` lets the match tolerate one or more spaces, tabs, or line breaks between the two words:

```xml
<rule>
  <condition regex=".*unauthorized\s+access.*" />
  <severity>high</severity>
</rule>
```

Two details are worth checking before deploying a pattern: whether the engine searches for the pattern anywhere in the value or requires it to cover the whole value (the surrounding `.*` only matters in the second case), and whether matching is case-sensitive (add `(?i)` to the pattern if `Unauthorized Access` should also match).
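The following is an added example, not the product's own code, showing how rules of the structure described above (a target element or attribute, an exact, partial, or regex condition, and a severity) can be evaluated against an ingested XML document. The rule representation, the target path syntax (ElementTree paths, with `/@attr` selecting an attribute), the `incident_candidates` severity threshold, and the sample disclosure document are all assumptions made for this example.

```python
# Added example, not the product's own code: a minimal evaluator for rules of
# the shape described above (target element or attribute, exact/partial/regex
# condition, severity). The target syntax (ElementTree paths, "/@attr" for an
# attribute) and the severity threshold are assumptions for this example.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, List


@dataclass(frozen=True)
class XmlRule:
    name: str
    target: str      # e.g. ".//email" (element text) or ".//domain/@type" (attribute)
    condition: str   # "exact", "partial" or "regex"
    pattern: str
    severity: str = "medium"   # low | medium | high


@dataclass(frozen=True)
class Match:
    rule: str
    target: str
    value: str
    severity: str


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def target_values(root: ET.Element, target: str) -> Iterator[str]:
    """Yield the parsed values a target selects: element text, or one attribute.

    Matching runs on parsed values, not on raw markup, so entity encoding
    (&amp;), attribute order and indentation in the source cannot hide a hit.
    """
    if "/@" in target:
        path, attr = target.rsplit("/@", 1)
        for el in root.iterfind(path):
            if attr in el.attrib:
                yield el.attrib[attr]
    else:
        for el in root.iterfind(target):
            yield (el.text or "").strip()


def condition_holds(rule: XmlRule, value: str) -> bool:
    if rule.condition == "exact":
        return value == rule.pattern
    if rule.condition == "partial":
        return rule.pattern in value
    if rule.condition == "regex":
        # re.search matches anywhere in the value, so no ".*" wrapper is needed
        return re.search(rule.pattern, value) is not None
    raise ValueError(f"unknown condition type: {rule.condition!r}")


def evaluate(xml_text: str, rules: List[XmlRule]) -> List[Match]:
    """Apply every rule to one ingested XML document and return all hits."""
    # Feeds are untrusted input: ElementTree does not fetch external entities,
    # but for production ingestion prefer a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    hits = []
    for rule in rules:
        for value in target_values(root, rule.target):
            if condition_holds(rule, value):
                hits.append(Match(rule.name, rule.target, value, rule.severity))
    return hits


def incident_candidates(hits: List[Match], min_severity: str = "medium") -> List[Match]:
    """Assumed trigger criterion: keep only matches at or above a severity floor."""
    floor = SEVERITY_RANK[min_severity]
    return [h for h in hits if SEVERITY_RANK[h.severity] >= floor]


# Constructed sample: a partner disclosure as it might arrive over a feed.
SAMPLE_REPORT = """<?xml version="1.0"?>
<disclosure source="partner-portal">
  <summary>Possible Unauthorized    access to the staging tenant</summary>
  <indicators>
    <email>j.doe@example.com</email>
    <email>admin@example.org</email>
    <domain type="c2">update-check.example.net</domain>
    <domain type="benign">cdn.example.com</domain>
    <credential>user=svc_backup&amp;pass=Summer2024!</credential>
  </indicators>
</disclosure>
"""

RULES = [
    XmlRule("c2-domain", ".//domain/@type", "exact", "c2", "high"),
    XmlRule("partner-mailbox", ".//email", "partial", "@example.org", "low"),
    XmlRule("credential-pair", ".//credential", "regex", r"(?i)\b(user|pass)(word)?=[^&\s]+", "high"),
    XmlRule("unauth-access", ".//summary", "regex", r"(?i)unauthori[sz]ed\s+access", "high"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_REPORT, RULES):
        print(f"[{hit.severity}] {hit.rule}: {hit.target} -> {hit.value!r}")
```

Note that the `credential-pair` rule sees `user=svc_backup&pass=Summer2024!` with the `&amp;` already decoded, because conditions are applied to parsed node values rather than to the raw XML text; a rule written against the markup would miss or mismatch on such encodings.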

***

### Use Cases

* Flag indicators in external CTI feeds
* Match credentials or tokens in structured breach dumps
* Detect abuse types in standardized incident formats (e.g., XML-based STIX 1.x content, including content retrieved over TAXII)
* Monitor custom fields in partner submissions or open disclosure reports

***

### Incident Triggering

When an XML Match Rule finds a match in newly ingested structured content, the result is classified and enriched. If it meets the predefined criteria, it triggers an <mark style="color:green;">**incident in the Response module**</mark> automatically.
