
Search syntax for recommendations

On the Recommendations page, you can filter and sort results by building advanced search queries using a custom syntax.

Date range limits

When filtering recommendations by date, the maximum date range is 30 days. You can browse data up to 90 days back from the current date.

Structure

A full query consists of two optional clauses: <WHERE> and <ORDER BY>. You can use these separately. If both clauses are used, <WHERE> must come first.

WHERE clause

The WHERE clause identifies the data to filter. It filters results using the following structure:

  • Fields: Data to filter (available via the autocomplete dropdown in the UI).

    • Action ID
    • Action result
    • Action type
    • Application name
    • Assignee
    • Behavior input method
    • Behavior is inactivity
    • Behavior movement velocity
    • Behavior typing velocity
    • Campaign ID
    • Claimed user ID
    • Client name
    • Correlation ID
    • Device ID
    • Device MNC
    • Device fingerprint
    • Device is emulated
    • Device is spoofed
    • Device is tampered
    • Device model
    • Device name
    • Device power state
    • Device key ID
    • Device screen available height
    • Device screen available width
    • Device screen height
    • Device screen width
    • Device summer timezone offset
    • Device timezone
    • Device winter timezone offset
    • Fraud ring ID
    • IP
    • IP company name
    • IP location
    • Label source
    • Label subject
    • Label type
    • Label use case
    • List ID
    • Network ASN ID
    • Network ASN name
    • Network IP city
    • Network IP country
    • Network IP domain
    • Network IP organization type
    • Network IP region
    • Network IP timezone
    • Network is Tor
    • Network is VPN
    • Network is anonymizer
    • Network is proxy
    • Payee account number
    • Payee bank
    • Payee branch
    • Payee name
    • Payer account number
    • Payer bank
    • Payer branch
    • Payer name
    • Preview recommendation
    • Preview rule name
    • Reason
    • Recommendation
    • Recommendation was consumed
    • Risk score
    • Threat
    • Total devices per user
    • Total users per device
    • Transaction amount
    • Transaction currency
    • Transaction reason
    • User ID
    • User agent
  • Supported Operators:

    • =
    • IN
    • BETWEEN (only for numeric values)
  • Values:

    • For IN: wrap values in parentheses
      Action type IN (login, authenticated)
    • For BETWEEN: use parentheses and connect values with AND
      Risk score BETWEEN (10 AND 95)
  • Logical Operators: Only AND is supported to combine multiple conditions.

Examples

  • Recommendation = DENY
  • Action type IN (login, authenticated)
  • Recommendation = TRUST AND Action type IN (login, authenticated)
  • Risk score BETWEEN (10 AND 95)
  • Recommendation IN (CHALLENGE, DENY) AND Action type = authenticated AND Risk score BETWEEN (10 AND 95)

ORDER BY clause

The ORDER BY clause sorts the results by a specific field, in either ascending or descending order. ORDER BY clauses are structured as follows:

  • ORDER BY: keyword (constant)

  • Field: Identifies the data to sort by (available via the autocomplete dropdown in the UI).

    • Action ID
    • Action result
    • Action type
    • Assignee
    • Behavior input method
    • Behavior is inactivity
    • Behavior movement velocity
    • Behavior typing velocity
    • Campaign ID
    • Correlation ID
    • Device ID
    • Device MNC
    • Device fingerprint
    • Device is emulated
    • Device is spoofed
    • Device is tampered
    • Device model
    • Device name
    • Device screen available height
    • Device screen available width
    • Device screen height
    • Device screen width
    • Device summer timezone offset
    • Device timezone
    • Device winter timezone offset
    • Fraud ring ID
    • IP
    • IP location
    • Label source
    • Label use case
    • Network ASN ID
    • Network ASN name
    • Network IP city
    • Network IP country
    • Network IP domain
    • Network IP organization type
    • Network IP region
    • Network IP timezone
    • Network is Tor
    • Network is VPN
    • Network is anonymizer
    • Network is proxy
    • Recommendation
    • Recommendation was consumed
    • Risk score
    • Total devices per user
    • Total users per device
    • User ID
    • User agent
  • Direction: ASC or DESC

Examples

  • ORDER BY Risk score DESC
  • ORDER BY Recommendation ASC

Full query example

Recommendation IN (CHALLENGE, DENY) AND Action type = authenticated AND Risk score BETWEEN (10 AND 95) ORDER BY Risk score DESC

Explanation:

Show me all the records where:

  • the recommendation is either CHALLENGE or DENY → Recommendation IN (CHALLENGE, DENY)
  • and the action type is exactly authenticated → Action type = authenticated
  • and the risk score is between 10 and 95 (inclusive) → Risk score BETWEEN (10 AND 95)

...and sort the results by:

  • risk score, from highest to lowest → ORDER BY Risk score DESC
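
The grammar above can be checked before a saved query is pasted into the UI or shared in a runbook. The following parser is an added example, not code from the product or its vendor: it splits conditions on AND only outside parentheses (so a BETWEEN range stays intact), enforces the parenthesis rules for IN and BETWEEN, and validates the ORDER BY direction. The function names, the reduced `FIELDS` set, and the rule that values never contain the word OR are assumptions made for the example.

```python
import re

# Assumption: a handful of fields from the page's list, enough for the demo.
FIELDS = {"Recommendation", "Action type", "Risk score", "User ID"}
COND = re.compile(r"^(?P<field>.+?)\s+(?P<op>=|IN\b|BETWEEN\b)\s*(?P<val>.+)$")

def split_top_level_and(text):
    """Split on AND outside parentheses so BETWEEN (10 AND 95) stays whole."""
    parts, depth, start = [], 0, 0
    for m in re.finditer(r"\(|\)|\bAND\b", text):
        if m.group() == "(":
            depth += 1
        elif m.group() == ")":
            depth -= 1
        elif depth == 0:
            parts.append(text[start:m.start()].strip())
            start = m.end()
    return parts + [text[start:].strip()]

def parse_condition(text):
    m = COND.match(text)
    if not m or m["field"] not in FIELDS:
        raise ValueError(f"bad condition: {text!r}")
    field, op, val = m["field"], m["op"], m["val"].strip()
    if op == "=":
        return (field, op, val)
    if not (val.startswith("(") and val.endswith(")")):
        raise ValueError(f"{op} needs parentheses: {text!r}")
    inner = val[1:-1]
    if op == "IN":
        return (field, op, [v.strip() for v in inner.split(",")])
    lo, sep, hi = inner.partition(" AND ")
    if not sep:
        raise ValueError(f"BETWEEN needs (low AND high): {text!r}")
    return (field, op, (float(lo), float(hi)))  # float() rejects non-numeric

def parse_query(query):
    """Return (conditions, order) for a query; raise ValueError if malformed."""
    where, has_order, order = query.partition("ORDER BY")
    if re.search(r"\bOR\b", where):  # assumption: values never contain the word OR
        raise ValueError("only AND is supported between conditions")
    conds = [parse_condition(p) for p in split_top_level_and(where)] if where.strip() else []
    sort = None
    if has_order:
        field, _, direction = order.strip().rpartition(" ")
        if field not in FIELDS or direction not in ("ASC", "DESC"):
            raise ValueError(f"bad ORDER BY: {order!r}")
        sort = (field, direction)
    return conds, sort
```
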