Rule Sets

IMPORTANT:

Rule sets are created and managed in the ITDR portal.

Rule sets let you automate the checks and actions that matter most to your business in key moments.

By running rules in real time and triggering follow-up actions (like sending alerts or adding users to a list for later review), Rule sets help you systematically block suspicious activity and reduce risk without slowing down trusted users.

Rules contain signals defined to check for threats, fraud, and other types of suspicious activity before you let users into your system.

For more information, see Signal Definitions.

Create a Rule Set

To create a rule set:

  1. Select Rule sets from the navigation pane and click the + at the top of the page to either +Create or +Import a rule set.

  2. Enter a unique Name, an optional description, and select or input a Default Outcome. The Default Outcome defines what happens when no rules in the rule set are triggered, ensuring there’s always a clear outcome applied.

  3. Click Add Rule.

    1. Define your conditions using Filters. Filters (signals) are grouped by Email, IP, Phone, and User Agent categories. If you have created lists to group accounts, they are also available to add to a rule.

      1. Impact (Last 7 Days) displays affected events and accounts, updating instantly as you tweak your filters. This feature is not available for custom filters (CEL mode).

    2. Select the API response outcome. This is the string that the ITDR API will respond with if the condition is met.

    3. Select actions (optional). Specify actions that should trigger when the condition is met. Supported actions include:

      1. Send Email: Trigger an email notification to specified recipients or distribution list.

      2. Send Slack Message: Trigger a message to specified Slack channels.

      3. Send Teams Message: Trigger a message to specified Microsoft Teams channels.

      4. Send to Datadog: Send event details as a JSON payload to Datadog.

      5. Send to Splunk: Send event details as a JSON payload to Splunk.

      6. Send to Webhook: Send event details as a JSON payload to a custom webhook.

      7. Add to List: Automatically add an entity (account, session, device, etc.) to a selected List for future monitoring or investigation.

  4. Hit Save. The rule set is ready for action!

NOTE:

Required Integrations for Actions: Slack, Teams, Datadog, Splunk, and Webhook actions only appear if those integrations are already configured in your Account Settings.

Notification Payloads: For Datadog, Splunk, and Webhook, the event payload is identical to what you receive through your configured SIEM logs.

Message Customization: To personalize your Email, Slack, or Teams messages.

To confirm that your rules function as intended, use the Evaluate tab to test them. Enter an account ID, email, IP address, phone number, and/or user agent and click Evaluate, then check the response to see which outcome the rule set returned.

NOTE:

All properties from the Auth0 event object (Actions Triggers: post-login - Event Object) are available to reference from Rule Sets as parameters.<Auth0 property name>. Set the outcome to ALLOW to have Auth0 proceed with a successful login, to ALLOW_WITH_MFA to have Auth0 require MFA, or to DENY to reject the login attempt.
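As an added example (not code from this product or its documentation), the following Auth0 post-login Action sends the signal inputs a rule set filters on to the ITDR API and maps the returned outcome string onto Auth0 login behaviour. The endpoint URL, the request body shape, the `outcome` response field and the `ITDR_TOKEN` secret are assumptions; only the outcome strings and the event properties come from this page.

```javascript
// Added example: an Auth0 post-login Action that asks the ITDR rule-set API
// for an outcome and applies it. The endpoint URL, request body shape and the
// `outcome` response field are ASSUMPTIONS, not documented on this page.
const ITDR_EVALUATE_URL = 'https://ITDR_HOST_PLACEHOLDER/evaluate'; // placeholder

// Pick the inputs a rule set filters on (email, IP, phone, user agent) from
// the Auth0 post-login event object. Paths are kept as in the event object so
// a rule can reference them as parameters.<property>.
function buildParameters(event) {
  return {
    user: { email: event.user?.email, phone_number: event.user?.phone_number },
    request: { ip: event.request?.ip, user_agent: event.request?.user_agent },
    connection: { name: event.connection?.name },
  };
}

// Map the rule set's API response outcome onto Auth0 Actions calls. A missing
// or unknown outcome fails closed (deny) rather than silently allowing the
// login; weigh that against availability for your own deployment.
function applyOutcome(outcome, api) {
  switch (outcome) {
    case 'ALLOW':
      return 'allowed';
    case 'ALLOW_WITH_MFA':
      api.multifactor.enable('any', { allowRememberBrowser: false });
      return 'mfa';
    case 'DENY':
      api.access.deny('Login blocked by ITDR rule set');
      return 'denied';
    default:
      api.access.deny('ITDR evaluation unavailable');
      return 'denied';
  }
}

async function onExecutePostLogin(event, api) {
  let outcome;
  try {
    const res = await fetch(ITDR_EVALUATE_URL, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json',
                 Authorization: `Bearer ${event.secrets.ITDR_TOKEN}` }, // assumed secret
      body: JSON.stringify({ parameters: buildParameters(event) }),
    });
    outcome = (await res.json()).outcome; // assumed response field
  } catch (err) {
    outcome = undefined; // network or parse failure: handled as fail-closed above
  }
  return applyOutcome(outcome, api);
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```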