Create a dataset

To create a dataset:

  1. In the left navigation bar, go to Search > GO TO SEARCH AND BROWSE > Datasets.

  2. Select Create dataset + in the top left.

  3. In the Create dataset view, under Dataset name, enter a name for the new dataset.

  4. Select the Dynamic checkbox to create a dynamic dataset.
    If you leave it deselected, the created dataset is static.

  5. From the Workspaces drop-down menu, select one or more workspaces to include the dataset in.
    To remove a selection, go to the item(s) you want to remove, and click the cross icon.

    When you manually create a dataset, you must assign it to a workspace.
    You cannot create datasets that do not belong to any workspaces.

  6. To store your changes, click Save; to discard them, click Cancel.
    To access additional save options, click the down arrow on the Save button:

    • Click Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.
      For example, a new dataset, feed, policy, rule, task, or workspace.

    • Click Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.

By default, new datasets are static.

  • To create a dynamic dataset, select the Dynamic checkbox, and specify a valid search query string in the Search query field.

  • You can define the search query using the Elasticsearch query syntax.

  • To point to a specific field in the entity JSON structure, set a JSON path.
    This defines the target location where the search query should look for values matching the specified literal value or data pattern.

  • The JSON path format is a string where dots (.) define JSON parent-child relationships.

  • Do not include square brackets ([ ]) in the path input: they are stripped during execution.
    It is not possible to use square brackets to point to specific array members.

  • In the specified location, you can look for literal values or for regex patterns.

    ${observable_type} OR ${literal_value} OR ${data_pattern}

// Searches indicators for any of the following observables: IP addresses, or domain names, or URIs, or MD5 hashes
(extracts.kind:ipv4 or extracts.kind:domain or extracts.kind:uri or extracts.kind:hash-md5) AND types:("indicator")
// Searches for any observables containing the 'malware.win32.sample' value
// Searches for any entities tagged exactly with 'Money Mule'
tags:"Money Mule"
// Searches for any entities whose original data source is 'Intel471'
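As an added illustration (not code from the original page or from the platform itself), the following Python model applies the JSON path rules above to a constructed entity: square brackets are stripped from the path, dots separate parent from child, and the value at the target location is compared against a literal or a regex. The sample entity, the function names and the array fan-out behaviour (a list is traversed as a whole, consistent with `extracts.kind:ipv4` matching any extract) are assumptions of this example.

```python
import re
from typing import Any, List, Optional

# Constructed sample entity (not from the original page); the field names mirror
# those used in the page's own query examples (types, tags, extracts.kind).
SAMPLE_ENTITY = {
    "types": ["indicator"],
    "tags": ["Money Mule"],
    "extracts": [
        {"kind": "ipv4", "value": "203.0.113.10"},
        {"kind": "domain", "value": "example.test"},
    ],
}


def normalise_path(path: str) -> List[str]:
    """Apply the documented rule: square brackets are stripped from the path
    input, then dots define parent-child relationships."""
    stripped = path.replace("[", "").replace("]", "")
    return [seg for seg in stripped.split(".") if seg]


def values_at(node: Any, segments: List[str]) -> List[Any]:
    """Collect every value reachable at the path. Lists are traversed as a
    whole (assumed model); a single array member cannot be addressed."""
    if not segments:
        return node if isinstance(node, list) else [node]
    if isinstance(node, list):
        found: List[Any] = []
        for item in node:
            found.extend(values_at(item, segments))
        return found
    if isinstance(node, dict) and segments[0] in node:
        return values_at(node[segments[0]], segments[1:])
    return []  # the path does not exist in this entity


def path_matches(entity: dict, path: str, literal: Optional[str] = None,
                 pattern: Optional[str] = None) -> bool:
    """True if any value at the path equals the literal or matches the regex."""
    hits = values_at(entity, normalise_path(path))
    if literal is not None:
        return any(v == literal for v in hits)
    if pattern is not None:
        regex = re.compile(pattern)
        return any(isinstance(v, str) and regex.search(v) for v in hits)
    return bool(hits)
```

Note that `extracts[0].kind` is silently reduced to `extracts0.kind`, which matches nothing, while `extracts.kind` matches across all extracts.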