Create a dataset
To create a dataset:
In the left navigation bar, go to Search > GO TO SEARCH AND BROWSE > Datasets.
Select Create dataset + in the top left.
In the Create dataset view, under Dataset name, enter a name for the new dataset.
Select the Dynamic checkbox to create a dynamic dataset. If you leave it deselected, the created dataset is static.
From the Workspaces drop-down menu, select one or more workspaces to include the dataset in. To remove a selection, go to the item(s) you want to remove, and click the cross icon.
Note
When you manually create a dataset, you must assign it to a workspace.
You cannot create datasets that do not belong to any workspaces.
To store your changes, click Save; to discard them, click Cancel.
To access additional save options, click the down arrow on the Save button:
Click Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.
For example, a new dataset, feed, policy, rule, task, or workspace.
Click Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.
By default, new datasets are static.
To create a dynamic dataset, select the Dynamic checkbox, and specify a valid search query string in the Search query field.
See Search query syntax.
Examples
// Searches indicators for any of the following observables: IP addresses, or domain names, or URIs, or MD5 hashes
(extracts.kind:ipv4 or extracts.kind:domain or extracts.kind:uri or extracts.kind:hash-md5) AND types:("indicator")
// Searches for any observables containing the 'malware.win32.sample' value
extracts.value:malware.win32.sample
// Searches for any entities tagged exactly with 'Money Mule'
tags:"Money Mule"
// Searches for any entities whose original data source is 'Intel471'
meta.source_name:Intel471