Search syntax for recommendations

On the Recommendations page, you can filter and sort results by building advanced search queries using a custom syntax.

Structure

A full query consists of two optional clauses: <WHERE> and <ORDER BY>. You can use these separately. If both clauses are used, WHERE must come first.

WHERE clause

The WHERE clause identifies the data to filter. It filters results using the following structure:

  • Fields : Data to filter (available via the autocomplete dropdown in the UI).
    • Action ID
    • Action result
    • Action type
    • Application name
    • Assignee
    • Behavior input method
    • Behavior is inactivity
    • Behavior movement velocity
    • Behavior typing velocity
    • Campaign ID
    • Claimed user ID
    • Client name
    • Correlation ID
    • Device ID
    • Device MNC
    • Device fingerprint
    • Device is emulated
    • Device is spoofed
    • Device is tampered
    • Device model
    • Device name
    • Device power state
    • Device public key
    • Device screen available height
    • Device screen available width
    • Device screen height
    • Device screen width
    • Device summer timezone offset
    • Device timezone
    • Device winter timezone offset
    • Fraud ring ID
    • IP
    • IP company name
    • IP location
    • Label source
    • Label subject
    • Label type
    • Label use case
    • List ID
    • Network ASN ID
    • Network ASN name
    • Network IP city
    • Network IP country
    • Network IP domain
    • Network IP organization type
    • Network IP region
    • Network IP timezone
    • Network is Tor
    • Network is VPN
    • Network is anonymizer
    • Network is proxy
    • Payee account number
    • Payee bank
    • Payee branch
    • Payee name
    • Payer account number
    • Payer bank
    • Payer branch
    • Payer name
    • Preview recommendation
    • Preview rule name
    • Reason
    • Recommendation
    • Recommendation was consumed
    • Risk score
    • Threat
    • Total devices per user
    • Total users per device
    • Transaction amount
    • Transaction currency
    • Transaction reason
    • User ID
    • User agent
  • Supported Operators :
    • =
    • IN
    • BETWEEN (only for numeric values)
  • Values :
    • For IN : wrap values in parentheses
      Action type IN (login, authenticated)
    • For BETWEEN : use parentheses and connect values with TO
      Risk score BETWEEN (10 TO 95)
  • Logical Operators :
    Only AND is supported to combine multiple conditions.

Examples

  • Recommendation = DENY
  • Action type IN (login, authenticated)
  • Recommendation = TRUST AND Action type IN (login, authenticated)
  • Risk score BETWEEN (10 TO 95)
  • Recommendation IN (CHALLENGE, DENY) AND Action type = authenticated AND Risk score BETWEEN (10 TO 95)

ORDER BY clause

The ORDER BY clause is used to sort the results based on a specific field, in either ascending or descending order. ORDER BY clauses are structured as follows:

  • ORDER BY : keyword (constant)
  • Field : Identifies the data to filter (available via the autocomplete dropdown in the UI).
    • Action ID
    • Action result
    • Action type
    • Assignee
    • Behavior input method
    • Behavior is inactivity
    • Behavior movement velocity
    • Behavior typing velocity
    • Campaign ID
    • Correlation ID
    • Device ID
    • Device MNC
    • Device fingerprint
    • Device is emulated
    • Device is spoofed
    • Device is tampered
    • Device model
    • Device name
    • Device screen available height
    • Device screen available width
    • Device screen height
    • Device screen width
    • Device summer timezone offset
    • Device timezone
    • Device winter timezone offset
    • Fraud ring ID
    • IP
    • IP location
    • Label source
    • Label use case
    • Network ASN ID
    • Network ASN name
    • Network IP city
    • Network IP country
    • Network IP domain
    • Network IP organization type
    • Network IP region
    • Network IP timezone
    • Network is Tor
    • Network is VPN
    • Network is anonymizer
    • Network is proxy
    • Recommendation
    • Recommendation was consumed
    • Risk score
    • Total devices per user
    • Total users per device
    • User ID
    • User agent
  • Direction : ASC or DESC

Examples

  • ORDER BY Risk score DESC
  • ORDER BY Recommendation ASC

Full query example

Recommendation IN (CHALLENGE, DENY) AND Action type = authenticated AND Risk score BETWEEN (10 TO 95) ORDER BY Risk score DESC

Explanation:

Show me all the records where:

  • the recommendation is either CHALLENGE or DENY → Recommendation IN (CHALLENGE, DENY)
  • and the action type is exactly authenticated → Action type = authenticated
  • and the risk score is between 10 and 95 (inclusive) → Risk score BETWEEN (10 TO 95)

...and sort the results by:

  • risk score, from highest to lowest → ORDER BY Risk score DESC
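
The grammar above can be checked offline before a saved query is pasted into the UI. The following parser is an added example, not code from the product: the function names are hypothetical, and it assumes keywords are written in upper case as in the page's examples and that values do not themselves contain AND or ORDER BY.

```python
import re

# Assumption: keywords are upper case, as in the page's examples.
_COND = re.compile(r"^(?P<field>.+?)\s*(?P<op>=|\bIN\b|\bBETWEEN\b)\s*(?P<value>.+)$")
_ORDER = re.compile(r"^(?P<field>.+?)\s+(?P<dir>ASC|DESC)$")


def parse_condition(text):
    """Parse one WHERE condition into (field, operator, value)."""
    m = _COND.match(text.strip())
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    field, op, value = m["field"].strip(), m["op"], m["value"].strip()
    if op == "=":
        return (field, op, value)
    # IN and BETWEEN both require the value list in parentheses.
    if not (value.startswith("(") and value.endswith(")")):
        raise ValueError(f"{op} values must be wrapped in parentheses: {text!r}")
    inner = value[1:-1]
    if op == "IN":
        return (field, op, [v.strip() for v in inner.split(",")])
    low, sep, high = inner.partition(" TO ")
    if not sep:
        raise ValueError(f"BETWEEN needs (low TO high): {text!r}")
    # float() raises ValueError for non-numeric bounds (BETWEEN is numeric only).
    return (field, op, (float(low), float(high)))


def parse_query(query):
    """Split a full query into its WHERE conditions and optional ORDER BY."""
    where, sep, order = re.split(r"(\bORDER BY\b)", query, maxsplit=1) + ["", ""] \
        if "ORDER BY" not in query else re.split(r"(\bORDER BY\b)", query, maxsplit=1)
    # Only AND combines conditions; BETWEEN uses TO, so splitting on AND is safe.
    conditions = [parse_condition(c)
                  for c in re.split(r"\s+AND\s+", where.strip()) if c]
    order_by = None
    if sep:
        m = _ORDER.match(order.strip())
        if not m:  # also rejects conditions placed after ORDER BY
            raise ValueError(f"malformed ORDER BY clause: {order!r}")
        order_by = (m["field"].strip(), m["dir"])
    return {"where": conditions, "order_by": order_by}
```
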