Fraud detection rules use the same core infrastructure and logic as bot detection rules. Since many concepts overlap between the two, this article discusses only the aspects unique to fraud detection.
Fraud attacks directly attempt to obtain items of value, such as funds, goods or information, typically with legitimate accounts that have been compromised. You can configure notifications to alert you when traffic matches one of your configured rules in order to immediately coordinate responses.
Specifying fraud rules
Create and manage fraud rules in the Cequence Unified API Protection (UAP) platform's UI.
- Log in to the Cequence UAP platform.
- Navigate to Threat Protection > Fraud Indicators.
- Select the Rules tab, then click Create New Rule.
  The New Rule wizard appears at the Rule Details step.
- Type a name for the rule in the Rule Name field.
- Optionally, type a description for the rule in the Rule Description field, then click Next.
  The wizard advances to the Rule Conditions step.
- Specify a condition using the Confidence or Tags fields.
  To specify a condition using the Confidence or Tags fields, select a field type, a condition, and a value.
- Type the expression that specifies the rule's behavior in the Expression field, then click Next.
  The wizard advances to the Rule Actions step.
- Select a set of rule actions.
  Available actions are to set a marker in the traffic, send an email alert, or send a REST API alert. You can enable any or all of these actions.
- To set a marker, click Set Markers to expand the details pane, then type the following information.
  - Type
  - Name
  - Value
  - Expiration time
- To send an email alert, click Send Email to expand the details pane, then type the following information.
  - The email address
  - The email subject
  - The email body
  - Select a throttle threshold from the drop-down
- To send a REST API alert, click Send REST API to expand the details pane, then type the following information.
  - HTTP URL of the API call
  - Method of the call
  - The content type
  - The authentication type
  - Optionally, headers
  - Optionally, query parameters
  - The JSON body of the REST API call
- Click Save.
The new rule appears in the list of rules.
Extended datasets
Fraud rules make use of extended datasets, user-provided datasets that provide information relevant to a specific application.
An extended dataset file is a flat record file in CSV format that contains one record per line. A record is a comma-separated list of a record key and an attribute key/value pair.
Managing extended datasets
You can upload an extended dataset to add the dataset to the Cequence UAP platform. You can also edit, download, and delete extended datasets.
Uploading an extended dataset
- Log in to the Cequence UAP platform.
- Navigate to Threat Protection > Fraud Indicators.
  The Extended Data Sets tab shows a list of existing extended datasets.
- Click Upload Data Set to add a new extended dataset.
  The upload dialog box appears.
- Drag the file to the dialog box or click Browse Files and navigate to the file location.
- Click Upload.
Editing an extended dataset
- Log in to the Cequence UAP platform.
- Navigate to Threat Protection > Fraud Indicators.
  The Extended Data Sets tab shows a list of existing extended datasets.
- In the Action column, click the pencil icon.
  The dataset dialog box appears.
- Edit the values of the extended dataset directly from the Row Editor field.
  You can search for a specific row by typing at least 3 characters in the search field.
- Click Save Changes.
Downloading an extended dataset
- Log in to the Cequence UAP platform.
- Navigate to Threat Protection > Fraud Indicators.
  The Extended Data Sets tab shows a list of existing extended datasets.
- In the Action column, click the arrow icon.
The download starts.
Deleting an extended dataset
- Log in to the Cequence UAP platform.
- Navigate to Threat Protection > Fraud Indicators.
  The Extended Data Sets tab shows a list of existing extended datasets.
- In the Action column, click the trash can icon.
  A confirmation dialog box appears.
- Click OK.
Extended dataset example
This example extracts the following attributes from a request:
- Username
- Amount
- Account number
The code then checks the extended dataset for the username and compares the amount in the request to the balance listed in the extended dataset.
```javascript
// Pull the attributes the check needs from the request.
var username = transactionData.username;
var amount = getDouble(transactionData.extracted, 'amount');
var accountNumber = transactionData.extracted['accountNumber'];
// Without a username or a numeric amount there is nothing to compare; no trigger.
if (username == null) {
  return null;
}
if (amount == null) {
  return null;
}
// Look up the user's record in the extended dataset by username.
var userStore = extendedDataset.getAttributes('<EDS file name>', username);
// Trigger (by returning a non-null value) when the requested amount exceeds the stored balance.
if (getDouble(userStore, 'balance') < amount) {
  return userStore;
} else {
  return null;
}
```
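The balance check above, run offline against a constructed extended dataset so the rule logic can be exercised before it is deployed. This is an added example and not Cequence's own code: the record layout `recordKey,attributeKey,attributeValue` (one attribute per line, lines with the same key accumulating into one record), the dataset name accounts.csv, and the stubbed getDouble() and extendedDataset.getAttributes() helpers are assumptions about the platform's behaviour, not documented behaviour.

```javascript
// Added example (not Cequence's code): offline harness for a balance-check rule expression.
// Assumptions (not from the page): each CSV line is "recordKey,attributeKey,attributeValue";
// lines sharing a record key accumulate into one attribute map; the platform helpers
// getDouble() and extendedDataset.getAttributes() are stubbed with the behaviour described.

// Constructed sample dataset, as it might be uploaded under the name "accounts.csv".
const ACCOUNTS_CSV = [
  'alice,balance,250.00',
  'alice,tier,gold',
  'bob,balance,40',
  'carol,balance,not-a-number', // bad value: the rule must not crash or false-trigger on it
].join('\n');

// Parse the flat record file into { recordKey: { attributeKey: attributeValue } }.
function parseExtendedDataset(text) {
  const records = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue; // skip blank and comment lines
    const fields = line.split(',').map((f) => f.trim());
    if (fields.length !== 3) {
      throw new Error(`malformed record (expected key,attr,value): ${rawLine}`);
    }
    const [key, attr, value] = fields;
    if (!records[key]) records[key] = {};
    records[key][attr] = value;
  }
  return records;
}

// Stub of the platform's extendedDataset helper, keyed by uploaded file name (assumed API).
function makeExtendedDataset(files) {
  return {
    getAttributes(fileName, recordKey) {
      const store = files[fileName];
      if (!store || !(recordKey in store)) return null; // unknown dataset or unknown key
      return store[recordKey];
    },
  };
}

// Stub of the platform's getDouble(map, name): the numeric value, or null if absent/unparsable.
function getDouble(map, name) {
  if (map == null || map[name] == null) return null;
  const n = Number(map[name]);
  return Number.isFinite(n) ? n : null;
}

// The rule expression from the page, wrapped as a function so it can run here.
// A non-null return means the rule triggers; the returned store is the matched record.
function balanceRule(transactionData, extendedDataset) {
  var username = transactionData.username;
  var amount = getDouble(transactionData.extracted, 'amount');
  var accountNumber = transactionData.extracted['accountNumber']; // extracted, not used by this check
  if (username == null) return null;
  if (amount == null) return null;
  var userStore = extendedDataset.getAttributes('accounts.csv', username);
  var balance = getDouble(userStore, 'balance');
  if (balance == null) return null; // unknown user or unparsable balance: no trigger
  return balance < amount ? userStore : null;
}

// Build a constructed transactionData for one request and evaluate the rule against it.
function evaluate(username, amount) {
  const eds = makeExtendedDataset({ 'accounts.csv': parseExtendedDataset(ACCOUNTS_CSV) });
  const transactionData = { username, extracted: { amount, accountNumber: '0001' } };
  return balanceRule(transactionData, eds);
}

console.log(evaluate('alice', 300)); // triggers: { balance: '250.00', tier: 'gold' }
console.log(evaluate('alice', 100)); // null: balance covers the amount
```

The harness is deliberately strict about missing or non-numeric values: an unknown username, a balance that does not parse, or an amount that is not a number all yield null rather than a trigger. Confirm that the platform's real getDouble() returns null (and not 0) for a missing attribute before relying on a comparison like `getDouble(userStore, 'balance') < amount`, since in JavaScript `null < amount` is evaluated as `0 < amount`.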
Markers
A Marker is a way to specify an action to take when the fraud detection rule with that marker triggers. You can scope a marker to a user, a session, or a transaction. Since rules trigger in order, a rule can apply markers that are used in the rule expressions of subsequent rules. Markers enable you to create sophisticated conditional behavior in response to traffic patterns.
Marker Example
This example uses three rules.
Rule 1 sets a marker with a particular value when the country code of a request matches a specific country, then sends an email notification. The marker expires in 10 hours.
Rule 2 checks for the presence and value of the marker set by Rule 1, then checks the username of the request against an extended dataset. When the username is found in the extended dataset, this rule sends an email notification and sets a new marker that expires in 5 hours.
Rule 3 checks for the presence and value of the marker set by Rule 2, then checks the username in the request against an extended dataset. When there is a match for the username in the extended dataset and the marker is present, this rule sends an email notification.
Taken together, these rules check traffic for requests with a specific username originating from a particular country code that repeat within a specified window.
Rule expression
The rules in this example have the following expressions.
Rule 1
```json
{
  "ruleName": "session Marker for country check",
  "ruleDescription": "Test Markers",
  "ruleExpression": "var co_header = transactionData.request.headers['co']?.value;\nif (co_header == null) {return null}\nif (co_header =='IN'){\n return true;\n}\nreturn null;",
  "enabled": false,
  "filter": null,
  "orderId": 3,
  "ruleActions": [
    {
      "type": "MARKER",
      "config": {
        "session_marker": {
          "expireTime": 10,
          "name": "session_marker",
          "type": "session",
          "expireUnit": "hours",
          "value": 100
        }
      }
    },
    {
      "type": "EMAIL",
      "config": {
        "subject": "test",
        "recipient": [ "someone@somewhere.com" ],
        "body": "test",
        "policy": "Always Send Email"
      }
    }
  ]
}
```
Rule 2
```json
{
  "ruleName": "look up session and rewrite ",
  "ruleDescription": "Test Markers",
  "ruleExpression": "var username = transactionData.username\nvar session = transactionData.sessionid\nif (username == null || session == null) {\nreturn null;\n}\nvar inSet = extendedDataset.getAttributes('somestore',username)\nvar sess_marker = session.marker('session_marker')\nif (inSet != null) {\nif (sess_marker == 100){\n\n return true;\n\n} \n}\nreturn null;",
  "enabled": true,
  "filter": null,
  "orderId": 2,
  "ruleActions": [
    {
      "type": "MARKER",
      "config": {
        "new_Sess_marker": {
          "expireTime": "5",
          "name": "new_Sess_marker",
          "type": "session",
          "expireUnit": "hours",
          "value": 6580
        }
      }
    },
    {
      "type": "EMAIL",
      "config": {
        "subject": "test",
        "recipient": [ "someone@somewhere.com" ],
        "body": "test",
        "policy": "Always Send Email"
      }
    }
  ]
}
```
Rule 3
```json
{
  "ruleName": " lookup session marker2 ",
  "ruleDescription": "Test Markers",
  "ruleExpression": "var username = transactionData.username\nvar session = transactionData.sessionid\nif (username == null || session == null) {\nreturn null;\n}\nvar inSet = extendedDataset.getAttributes('somestore',username)\nvar sess_marker = session.marker('new_Sess_marker')\nif (inSet != null) {\nif (sess_marker == 6580){\n\n return true;\n\n} \n}\nreturn null;",
  "enabled": true,
  "filter": null,
  "orderId": 1,
  "ruleActions": [
    {
      "type": "EMAIL",
      "config": {
        "subject": "test",
        "recipient": [ "someone@somewhere.com" ],
        "body": "out of order marker",
        "policy": "Always Send Email"
      }
    }
  ]
}
```
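To reason about how the three rules interact, the following added example (not Cequence's code) simulates the marker chain offline: a session-scoped marker store with expiry, the three rule expressions as functions, and the same sequence of requests evaluated under two rule orders. The semantics are assumptions, not documented behaviour: rules run in the given order on every request, a marker set by an earlier rule is visible to later rules in the same request, session.marker(name) returns the marker's value or null when it is absent or expired, and the 'somestore' dataset is stubbed as an inline object with one username of interest.

```javascript
// Added example (not Cequence's code): offline simulation of the three-rule marker chain.
// Assumed semantics: in-order evaluation per request, markers visible to later rules in the
// same request, per-session storage with expiry, session.marker(name) -> value or null.

const HOUR_MS = 3600 * 1000;

// Session-scoped marker store with expiry (assumed behaviour of the platform's marker action).
class SessionMarkers {
  constructor() { this.bySession = new Map(); }
  set(sessionId, name, value, expireTimeHours, now) {
    if (!this.bySession.has(sessionId)) this.bySession.set(sessionId, new Map());
    this.bySession.get(sessionId).set(name, { value, expiresAt: now + expireTimeHours * HOUR_MS });
  }
  get(sessionId, name, now) {
    const markers = this.bySession.get(sessionId);
    const entry = markers && markers.get(name);
    return entry && entry.expiresAt > now ? entry.value : null; // absent or expired -> null
  }
}

// Stub of extendedDataset: a constructed 'somestore' whose record keys are usernames of interest.
const extendedDataset = {
  getAttributes(fileName, key) {
    const stores = { somestore: { alice: { note: 'flagged' } } };
    return stores[fileName] && key in stores[fileName] ? stores[fileName][key] : null;
  },
};

// The page's three rule expressions, wrapped as functions of (transactionData, session).
function rule1Expr(transactionData) {
  var co_header = transactionData.request.headers['co']?.value;
  if (co_header == null) return null;
  return co_header == 'IN' ? true : null;
}
// Rules 2 and 3 differ only in the marker name and value they look for.
function lookupRule(markerName, expectedValue) {
  return function (transactionData, session) {
    var username = transactionData.username;
    if (username == null || session == null) return null;
    var inSet = extendedDataset.getAttributes('somestore', username);
    var sess_marker = session.marker(markerName);
    return inSet != null && sess_marker == expectedValue ? true : null;
  };
}

// Rule table mirroring the page's ruleActions; the email action is just recorded as a hit.
const RULES = {
  rule1: { expr: rule1Expr, marker: { name: 'session_marker', value: 100, expireTime: 10 } },
  rule2: { expr: lookupRule('session_marker', 100), marker: { name: 'new_Sess_marker', value: 6580, expireTime: 5 } },
  rule3: { expr: lookupRule('new_Sess_marker', 6580), marker: null },
};

// Evaluate the rules in the given order for one request; returns the names of rules that fired.
function processRequest(store, order, transactionData, now) {
  const sid = transactionData.sessionid;
  const session = { marker: (name) => store.get(sid, name, now) };
  const fired = [];
  for (const name of order) {
    const rule = RULES[name];
    if (rule.expr(transactionData, session) !== true) continue;
    fired.push(name);
    if (rule.marker) store.set(sid, rule.marker.name, rule.marker.value, rule.marker.expireTime, now);
  }
  return fired;
}

// Constructed request carrying only the fields the rule expressions read.
function makeRequest(sessionid, username, country) {
  const headers = country == null ? {} : { co: { value: country } };
  return { sessionid, username, request: { headers } };
}

// Same traffic under a given rule order. With 1-2-3 the chain completes on the first request;
// with 3-2-1 each request advances the chain by one step, so it needs three requests.
function runScenario(order) {
  const store = new SessionMarkers();
  const t0 = Date.parse('2024-01-01T00:00:00Z');
  return [
    processRequest(store, order, makeRequest('s1', 'alice', 'IN'), t0),
    processRequest(store, order, makeRequest('s1', 'alice', 'US'), t0 + 1 * HOUR_MS),
    processRequest(store, order, makeRequest('s1', 'alice', 'US'), t0 + 2 * HOUR_MS),
    processRequest(store, order, makeRequest('s2', 'alice', 'US'), t0 + 2 * HOUR_MS), // other session: no markers
    processRequest(store, order, makeRequest('s1', 'alice', 'US'), t0 + 12 * HOUR_MS), // both markers expired
  ];
}

console.log(runScenario(['rule1', 'rule2', 'rule3']));
console.log(runScenario(['rule3', 'rule2', 'rule1']));
```

Two points the simulation makes visible: markers are per session, so the request on session s2 never matches even though the username and window are the same; and because each rule's marker carries its own expiry (10 hours for Rule 1, 5 hours for Rule 2), the window that "repeat" is measured against is the shorter of the two once the chain is established. Whether a marker set earlier in the same request is visible to later rules, and the direction in which orderId is applied, are behaviours to confirm against the platform before depending on them.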