Enforce risk rules

Rules allow you to implement unique business logic that overrides risk recommendations in certain cases. For example, you can always allow login actions from devices in your internal network. Rules help you determine how to mitigate risk for sensitive user actions (such as login, registration, checkout, etc.) using indicators related to the user, device, and network. Since you can test the impact of rules before taking them to production, rules can be written with confidence and safely deployed—without making any changes to your code.

How rules work

This section describes the building blocks of a rule and how rules are processed when a decision is needed.

Rule conditions

Rule conditions define the criteria that must all be satisfied for the rule to match. They are based on user, device, and network attributes, such as IP address, user ID, device ID, device location country, OS version, and browser name.

Rule decisions

Each rule is created with one of the following decisions:

  • Trust : Indicates low risk. You can continue and lower friction.
  • Allow : Indicates low risk. No risk mitigation is needed and you can proceed as usual.
  • Challenge : Risk mitigation is required by providing an appropriate challenge based on the use case.
  • Deny : Indicates a high risk. You shouldn't proceed further.

Rule mode and status

The combination of rule mode and status determines whether a rule affects detection and response decisions in production. The rule mode is either Production or Preview. Preview mode lets you dry-run the rule and understand its impact before releasing it to production. The rule status is either enabled (Active) or disabled (Inactive), which controls whether the rule is evaluated at all when a decision is needed.

Rule evaluation

When a decision is needed, rules are evaluated according to priority, which is reflected in the Rules page by their order in the table. Higher items have greater priority, so rules are evaluated from top to bottom. A rule is only evaluated if it is both enabled (status is Active) and in Production mode. If all the conditions of a rule are satisfied, it's considered a match. Only the first rule to match will apply; rules below it are not evaluated, so a rule that is shadowed by a broader rule above it never takes effect.
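The following is an added example, not code from the product or its Rules API, that models the evaluation order described above: rules are walked in table order, only enabled Production rules can change the decision, the first match wins, and the recommendation stands when nothing matches. It also records which Preview rules would have applied had they been promoted, and which ones would be shadowed by a higher production rule, which is the question you want answered before promoting a rule. The condition operators (`eq`, `in`, `in_cidr`), attribute names, rule names, CIDR, device IDs and contexts are all constructed for this example, and the way Preview matches are reported is a modelling choice here, not documented product behaviour.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Any, Optional

# Decisions from least to most friction (names from the page).
DECISIONS = ("trust", "allow", "challenge", "deny")


def _in_cidr(actual: Any, cidr: str) -> bool:
    """True if `actual` is an IP address inside `cidr`. An absent or malformed
    address never satisfies a network condition (fail closed)."""
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


# Condition operators (hypothetical names): predicate(actual, expected).
OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "in": lambda actual, expected: actual is not None and actual in expected,
    "in_cidr": _in_cidr,
}


@dataclass
class Rule:
    """Mirrors the rule settings on this page: name, description, conditions,
    decision, mode and enabled flag."""
    name: str
    conditions: list[tuple[str, str, Any]]  # (attribute, operator, expected); ALL must hold
    decision: str
    mode: str = "production"                # "production" or "preview"
    enabled: bool = True                    # True = Active, False = Inactive
    description: str = ""

    def __post_init__(self) -> None:
        if self.decision not in DECISIONS:
            raise ValueError(f"unknown decision {self.decision!r}")
        if self.mode not in ("production", "preview"):
            raise ValueError(f"unknown mode {self.mode!r}")

    def matches(self, ctx: dict[str, Any]) -> bool:
        return all(OPERATORS[op](ctx.get(attr), expected)
                   for attr, op, expected in self.conditions)


@dataclass
class Outcome:
    decision: str                 # what the caller should act on
    applied_rule: Optional[str]   # first enabled production rule that matched, if any
    would_apply: list[str]        # preview rules that would set the decision if promoted alone
    shadowed: list[str]           # preview rules that matched but sit below the applied rule


def evaluate(rules: list[Rule], ctx: dict[str, Any], recommendation: str) -> Outcome:
    """Walk rules top to bottom (list order = table order = priority).
    Only enabled production rules can change the decision, and only the first
    match does; preview matches are recorded for impact analysis only."""
    applied: Optional[Rule] = None
    would_apply: list[str] = []
    shadowed: list[str] = []
    for rule in rules:
        if not rule.enabled or not rule.matches(ctx):
            continue
        if rule.mode == "preview":
            (shadowed if applied else would_apply).append(rule.name)
            continue
        if applied is None:
            applied = rule  # later production matches are ignored
    decision = applied.decision if applied else recommendation
    return Outcome(decision, applied.name if applied else None, would_apply, shadowed)


# Constructed sample rule set; the CIDR, device ID and browser name are invented.
RULES = [
    Rule("Trust internal network",
         [("action", "eq", "login"), ("ip", "in_cidr", "10.0.0.0/8")], "trust",
         description="Always trust logins from the corporate network"),
    Rule("Deny unsupported OS", [("os_version", "in", {"7", "8"})], "deny",
         enabled=False),                      # Inactive: skipped entirely
    Rule("Challenge legacy browser", [("browser_name", "eq", "IE")], "challenge",
         mode="preview"),                     # dry run: reported, never enforced
    Rule("Allow known device", [("device_id", "in", {"dev-123"})], "allow"),
]

# Constructed sample contexts (user, device and network attributes).
SAMPLE_INTERNAL_LOGIN = {"action": "login", "ip": "10.20.30.40", "browser_name": "IE",
                         "os_version": "7", "device_id": "dev-123"}
SAMPLE_EXTERNAL_LOGIN = {"action": "login", "ip": "203.0.113.7", "browser_name": "IE",
                         "os_version": "7", "device_id": "dev-999"}

if __name__ == "__main__":
    for ctx in (SAMPLE_INTERNAL_LOGIN, SAMPLE_EXTERNAL_LOGIN):
        print(evaluate(RULES, ctx, recommendation="challenge"))
```

Two points worth noting from the sample run. The internal login is trusted by the first rule even though the device ID would also match "Allow known device" lower down, and the preview "Challenge legacy browser" rule is reported as shadowed there: promoting it would change nothing for that traffic. For the external login, no production rule matches, so the risk recommendation is returned unchanged and the preview rule is reported as one that would apply if promoted. The network condition fails closed when the IP attribute is missing or malformed, so a request without an IP can never be trusted by the internal-network rule.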

Manage rules

You can manage rules either using the Rules APIs or in the Admin Portal from Detection and Response > Rules:

  • Create a rule by clicking + Add rule and configuring its settings.
  • Change the rule status by opening the rule's action menu and clicking Enable or Disable (depending on the rule's current status).
  • Change the rule priority by opening the rule's action menu and clicking Priority up or Priority down . Rules are evaluated according to their order in the table, and only the first match will apply.
  • Promote a preview rule to production mode by opening the rule's action menu and clicking Change mode .
  • Delete a rule by opening the rule's action menu and clicking Delete .
Note

If a rule is both enabled (i.e., Active) and in production mode, it can start impacting decisions in production. So make sure to properly test and evaluate the impact of rules before going live.

Rule settings

Rule settings are configured when a rule is created and include the following:

  • Rule name : Name of your rule, displayed in the Admin Portal.
  • Rule description : Short description of your rule, displayed in the Admin Portal.
  • Conditions : List of conditions that must all be satisfied for the rule to match.
  • Decision : Decision of the rule if all conditions are satisfied: Trust , Allow , Challenge , or Deny .
  • Mode : Controls whether the rule is in Production or Preview mode. Preview mode allows you to simulate a rule and evaluate its impact before releasing it to production.
  • Enabled : Toggles the rule status, where enabled rules have an Active status and disabled rules have an Inactive status. Only enabled rules will impact decisions (if they're also in Production).