Create discovery rules


Required fields are marked with an asterisk ( * ).

To create a new discovery rule, do the following:

  1. In the left navigation bar, select Discovery.

  2. Click .

  3. In the Name field, enter a short, descriptive name for the rule.
    Example: China or Russia, 1 year till now

  4. In the Description field, enter a short description that clarifies the purpose of the rule and the type of data it applies to.
    This is helpful because the number of rules users create in the Intelligence Center grows over time. A short description provides context, and it is a reminder of why the rule is in place.
    Example: Discovers any indicator data types having either “China” or “Russia” as a tag, and whose creation date falls in the range “one year ago until now”.

  5. In the Search query field, enter the search query you want to run when executing the rule.
    It should do what you explain in the Description field.
    Search queries for discovery rules, and for rules in general, use the Elasticsearch query string syntax.
    When you combine AND and OR in one query, group the OR clauses explicitly with parentheses; without them the query does not nest the way the description intends, and the rule silently discovers more (or fewer) entities than you meant it to.
    Example: data.type:indicator AND (entity.tags:China OR entity.tags:Russia) AND created_at:[now-1y TO now]
    Written without the parentheses, the same terms no longer restrict the result to indicators tagged China or Russia and created in the last year. Before enabling a rule, run the query in the search bar and check that the matches are the entities you expect.

  6. From the Correlated workspaces drop-down, you can select one or more workspaces to restrict the search to entities that are associated with the selected workspaces.
    To remove a selection, go to the item(s) you want to remove, and click the cross icon.
    Example: IOCs originating in China and Russia

  7. From the Correlated workspace types drop-down, you can select one or more workspace types to restrict the search to entities that are associated with workspaces of the selected type(s).
    To remove a selection, go to the item(s) you want to remove, and click the cross icon.
    Example: Topic

  8. Select or deselect the Enabled checkbox to enable or disable the rule.

  9. Click Save to store your changes, or Cancel to discard them.


If you make selections in both Correlated workspaces and Correlated workspace types, the Boolean operator connecting the two criteria is AND: an entity is discovered only if it satisfies both the workspace selection and the workspace type selection, in addition to the search query.
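The following script is an added example, not part of this page or of the Intelligence Center, that dry-runs a rule's search query against a handful of constructed sample entities so you can see which entities a query selects before you enable the rule. It implements a small query string evaluator (field:value terms, quoted values, date ranges with `now`/`now-1y` style date math, AND, OR, NOT and parentheses) and, as a modelling assumption, binds AND tighter than OR. The real Elasticsearch query string parser resolves an unparenthesized mix of AND and OR in its own way, which is exactly why the example shows the parenthesized form selecting the intended entities and the unparenthesized form selecting many more. The `ENTITIES` list, the `NOW` timestamp and the field names are all constructed for the example.

```python
"""Dry-run a discovery-rule query string against constructed sample entities."""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is deterministic (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample entities, keyed by the same field names the rule query uses.
ENTITIES = [
    {"id": "e1", "data.type": "indicator", "entity.tags": ["China"], "created_at": NOW - timedelta(days=30)},
    {"id": "e2", "data.type": "indicator", "entity.tags": ["Russia"], "created_at": NOW - timedelta(days=400)},
    {"id": "e3", "data.type": "report", "entity.tags": ["Russia"], "created_at": NOW - timedelta(days=10)},
    {"id": "e4", "data.type": "indicator", "entity.tags": ["Iran"], "created_at": NOW - timedelta(days=5)},
    {"id": "e5", "data.type": "indicator", "entity.tags": ["Russia", "APT"], "created_at": NOW - timedelta(days=100)},
]

# Tokens: parentheses, operators, range terms, quoted terms, plain terms (in that order).
TOKEN_RE = re.compile(
    r'\(|\)|\bAND\b|\bOR\b|\bNOT\b'
    r'|[\w.]+:\[[^\]]+\]'      # field:[lo TO hi]
    r'|[\w.]+:"[^"]*"'         # field:"quoted value"
    r'|[\w.]+:[^\s()]+'        # field:value
)


class Parser:
    """Recursive-descent parser: OR (lowest) < AND < NOT < atom. Modelled precedence."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "OR":
            self.take()
            left = ("OR", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "AND":
            self.take()
            left = ("AND", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        field, _, value = tok.partition(":")
        return ("TERM", field, value)


def date_math(expr):
    """Resolve 'now', 'now-1y', 'now+30d' against NOW (y = 365 days, d = 1 day)."""
    m = re.fullmatch(r"now(?:([+-])(\d+)([dy]))?", expr.strip())
    if not m:
        raise ValueError(f"unsupported date expression {expr!r}")
    if not m.group(1):
        return NOW
    delta = timedelta(days=int(m.group(2)) * (365 if m.group(3) == "y" else 1))
    return NOW + delta if m.group(1) == "+" else NOW - delta


def term_matches(entity, field, value):
    actual = entity.get(field)
    if value.startswith("["):                      # inclusive date range
        lo, hi = value[1:-1].split(" TO ")
        return actual is not None and date_math(lo) <= actual <= date_math(hi)
    value = value.strip('"')
    if isinstance(actual, list):                   # multi-valued field such as tags
        return value in actual
    return actual == value


def evaluate(node, entity):
    kind = node[0]
    if kind == "TERM":
        return term_matches(entity, node[1], node[2])
    if kind == "NOT":
        return not evaluate(node[1], entity)
    left, right = evaluate(node[1], entity), evaluate(node[2], entity)
    return (left and right) if kind == "AND" else (left or right)


def run_rule(query, entities=ENTITIES):
    """Return the ids of the sample entities the query would discover."""
    tree = Parser(TOKEN_RE.findall(query)).parse()
    return [e["id"] for e in entities if evaluate(tree, e)]


if __name__ == "__main__":
    grouped = 'data.type:indicator AND (entity.tags:China OR entity.tags:Russia) AND created_at:[now-1y TO now]'
    flat = 'data.type:indicator OR entity.tags:China OR entity.tags:Russia AND created_at:[now-1y TO now]'
    print("with parentheses:   ", run_rule(grouped))
    print("without parentheses:", run_rule(flat))
```

With the parentheses the rule discovers only e1 and e5, the indicators tagged China or Russia and created within the last year. Without them, every sample entity is discovered, including a report and an indicator created 400 days ago, which is the kind of scope creep a quick dry run catches before the rule starts running on live data.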