Apply discovery rules to retrieve specific entities

The Discovery service is a rule-based feature that looks for information satisfying specific search criteria.
You define the search criteria in a search query. The query sets the scope for the discovery rule.
Optionally, you can restrict the discovery rule scope by selecting one or more workspaces and workspace types.

Discovery rules in short:

  • When a rule is enabled, it automatically runs every 15 minutes.

  • Each run is capped: a response returns at most 500 matches.

  • Discovery search queries use the Elasticsearch query syntax.

  • The Boolean operator connecting the search criteria you set in the rule is AND.

In the Intelligence Center, discovery rules work like configurable, specialized data fetchers:

  • Configurable because you can define discovery rules as necessary.

  • Specialized because the rules use search queries to focus on a specific search scope.

When a discovery rule runs for the first time, it behaves like an incremental provider: the first run returns matching data, up to a maximum of 500 entities, since the beginning of time. There is no start time setting to limit the discovery scope to a specific starting point in the past.

Subsequent runs execute the query starting from the previous successful run: they return all entities added since the previous successful execution of the same rule, and nothing older.
To run a discovery query without this temporal constraint, create a new discovery rule.

Editing a rule does not affect this behavior.
If you want a query in a discovery rule to search all available data since the beginning of time, create a new rule, and then run it for the first time.

You can also edit a discovery rule, and then click Save and re-run for all time.
This option saves any changes, resets the execution time counter, and then it runs the rule task without applying any time constraint.
As on a first run, this returns matching data for the rule, up to a maximum of 500 results, since the beginning of time, with no start time setting to limit the scope to a specific starting point in the past.
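The run semantics described above (criteria joined with AND, incremental runs keyed to the last successful execution, the 500-match cap, and the "Save and re-run for all time" reset) are easy to get wrong when reasoning about what a rule will or will not return. The following is an added, constructed model of those semantics in Python; it is not Intelligence Center code, and the entity fields, tag values, criteria and timestamps are all made up for illustration. It does not parse Elasticsearch query syntax; the criteria are plain predicates that stand in for the clauses of a query.

```python
"""Constructed model of discovery-rule run behaviour (illustration only,
not product code). Entity fields, criteria and timestamps are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional

MAX_MATCHES = 500  # cap on matches returned by a single run


@dataclass
class Entity:
    name: str
    entity_type: str      # constructed value, e.g. "indicator" or "report"
    tags: List[str]       # constructed tag values
    created: datetime     # time the entity was added to the data store


Criterion = Callable[[Entity], bool]


@dataclass
class DiscoveryRule:
    criteria: List[Criterion]                 # joined with AND
    last_success: Optional[datetime] = None   # None = no successful run yet

    def matches(self, entity: Entity) -> bool:
        # Every criterion must hold: the operator between criteria is AND.
        return all(c(entity) for c in self.criteria)

    def run(self, store: List[Entity], now: datetime, fail: bool = False) -> List[Entity]:
        """One scheduled execution at time `now`.

        Returns entities added after the previous successful run (or since the
        beginning of time when there is none), oldest first, capped at
        MAX_MATCHES. A failed run (fail=True) returns nothing and does not
        advance the watermark, so the next successful run still covers that gap.
        """
        if fail:
            return []
        since = self.last_success
        hits = [
            e for e in store
            if e.created <= now
            and (since is None or e.created > since)
            and self.matches(e)
        ]
        hits.sort(key=lambda e: e.created)
        self.last_success = now
        return hits[:MAX_MATCHES]

    def save_and_rerun_for_all_time(self, store: List[Entity], now: datetime) -> List[Entity]:
        """Model of 'Save and re-run for all time': reset the counter, then run."""
        self.last_success = None
        return self.run(store, now)


def demo():
    """Walk a rule through first, incremental, failed and all-time runs."""
    t0 = datetime(2024, 1, 1, 0, 0)

    def m(minutes: int) -> datetime:
        return t0 + timedelta(minutes=minutes)

    store = [
        Entity("ioc-1", "indicator", ["malware"], m(1)),
        Entity("ioc-2", "indicator", ["phishing"], m(2)),   # fails the tag criterion
        Entity("rep-1", "report", ["malware"], m(3)),       # fails the type criterion
        Entity("ioc-3", "indicator", ["malware"], m(4)),
    ]
    rule = DiscoveryRule([
        lambda e: e.entity_type == "indicator",
        lambda e: "malware" in e.tags,
    ])
    first = [e.name for e in rule.run(store, m(15))]        # since beginning of time
    store.append(Entity("ioc-4", "indicator", ["malware"], m(20)))
    second = [e.name for e in rule.run(store, m(30))]       # only what was added after m(15)
    store.append(Entity("ioc-5", "indicator", ["malware"], m(35)))
    failed = rule.run(store, m(45), fail=True)              # watermark stays at m(30)
    store.append(Entity("ioc-6", "indicator", ["malware"], m(50)))
    third = [e.name for e in rule.run(store, m(60))]        # covers the failed interval too
    everything = [e.name for e in rule.save_and_rerun_for_all_time(store, m(75))]
    return first, second, failed, third, everything


def cap_demo(n: int = 600) -> int:
    """Show the per-run cap: n matching entities, one run returns at most 500."""
    t0 = datetime(2024, 1, 1)
    store = [Entity(f"e{i}", "indicator", ["malware"], t0 + timedelta(seconds=i)) for i in range(n)]
    rule = DiscoveryRule([lambda e: e.entity_type == "indicator"])
    return len(rule.run(store, t0 + timedelta(days=1)))


if __name__ == "__main__":
    print(demo())
    print(cap_demo())
```

The point worth noticing in `demo()` is the failed run: because the watermark only moves on success, the next successful run returns both the entity added before the failure and the one added after it, which is what "since the previous successful execution" implies. `cap_demo()` shows that when more than 500 entities match, a single run returns only the oldest 500.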