Create a dataset

To create a dataset:

  1. In the left navigation bar, go to Search > Go to Search and Browse > Datasets.

  2. Select Create dataset + in the top left.

  3. Under Dataset name, enter a name for the new dataset.

  4. Under Query, select a dataset type from the dropdown.
    Learn more about static vs. dynamic datasets.

  5. If you selected Dynamic - Search query or Dynamic - Relational query, create a simple search query or a relational search query, respectively.

  6. From the Workspaces drop-down menu, select one or more workspaces to include the dataset in.

    Note

    When you manually create a dataset, you must assign it to a workspace.

    You cannot create datasets that do not belong to any workspaces.

  7. To store your changes, select Save; to discard them, select Cancel.

    To access additional save options, select the down arrow on the Save button:

    • Select Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.

      For example, a new dataset, feed, policy, rule, task, or workspace.

    • Select Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.

Examples of dataset queries

// Searches indicators for any of the following observables: IPv4 addresses, domain names, URIs, or MD5 hashes
(extracts.kind:ipv4 OR extracts.kind:domain OR extracts.kind:uri OR extracts.kind:hash-md5) AND data.type:indicator

// Searches for any observables containing the 'malware.win32.sample' value 
extracts.value:malware.win32.sample

// Searches for any entities tagged exactly with 'Money Mule' 
tags.keyword:"Money Mule"

// Searches for any entities whose original data source is 'Intel471' 
sources.name:Intel471
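
The following helper is an added example, not part of the product or its documentation. It builds query strings like the ones above from untrusted values such as observable values copied from a report, so that reserved characters cannot change the meaning of a dynamic dataset query. It assumes the Query field accepts Lucene/Elasticsearch query-string syntax; the function names are hypothetical and the sample inputs are constructed.

```python
import re

# Assumption: the Query field takes Lucene/Elasticsearch query-string syntax,
# which is what the field:value examples on this page look like.
_RESERVED = re.compile(r'[+\-=!(){}\[\]^"~*?:\\/&|]')
# Observable kinds are treated as a fixed vocabulary: validate, don't escape.
_KIND = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def escape_term(value: str) -> str:
    """Backslash-escape reserved characters so the value matches literally."""
    # '<' and '>' cannot be escaped in query-string syntax; remove them.
    value = value.replace("<", "").replace(">", "")
    return _RESERVED.sub(r"\\\g<0>", value)


def field_equals(field: str, value: str) -> str:
    """field:value clause; values with whitespace become a quoted phrase."""
    if not value.strip():
        raise ValueError("empty value")
    if re.search(r"\s", value):
        quoted = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{field}:"{quoted}"'
    return f"{field}:{escape_term(value)}"


def indicators_with_kinds(kinds: list[str]) -> str:
    """Indicators that carry at least one observable of the given kinds."""
    bad = [k for k in kinds if not _KIND.fullmatch(k)]
    if bad or not kinds:
        raise ValueError(f"invalid observable kinds: {bad}")
    group = " OR ".join(f"extracts.kind:{k}" for k in kinds)  # upper-case operator
    return f"({group}) AND data.type:indicator"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(indicators_with_kinds(["ipv4", "domain", "uri", "hash-md5"]))
    print(field_equals("extracts.value", "http://example.test/a?b=1"))
    print(field_equals("tags.keyword", "Money Mule"))
    print(field_equals("sources.name", "Intel471"))
```

Paste the returned string into the Query field in step 5; a kind that contains query syntax is rejected instead of being embedded.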