Graph based Rules

Unit21 supports rules based on entity links generally seen in our Link Analysis tool.

📘

Ask your CSM to enable Graph based Rules.

The Unit21 system can find risky commonalities between your users and generate alerts for your agents to review.

For example, it can be suspicious if three different users use the same credit card on your e-commerce site. It can also be suspicious if 5 different users have the same IP address when they log onto your app.

👍

Any rules created using Graph run once a day.

The rule runs daily on your entire data set. These rules are NOT time based.
A mild exception occurs when the "registered at" filter is used.

Create a Graph Based Rule:

To create these rules, we built a system called "graph based rules". Graph based rules allow a user to create a logic model via our GUI.

To start the process:

  1. Go to the Detection Models page.
  2. Select +Create Scenario Model.
  3. Select Entity Matching Links.
  4. You will now see our graph model builder.

The default example shows a rule that has been created to generate an alert if two users have the same address.

The first thing to note is all the items you can match on between entities. You can select one or more:

The second item to note is the number of matches. Up to 50 are supported:

Here is an example configuration to find 6 or more users with the same address, email and IP address:

As usual, Unit21 is highly configurable. Let's use filters and more to customize the example above.

First, we will use the traditional filter system by selecting the funnel icon:

This brings up a prompt where the matching entities can be further filtered.

For example, we might want to look at entities that registered on your platform in the last week only:

Now let's look at the Link Graph in detail where all the nodes appear:

You can Shift-Click on any node to:
-- add a new node if a + icon is present
-- delete that node if a - icon is present:

You can Click on any node to:
-- add a filter condition on that node if a funnel icon is present

That filter can be used to remove matching conditions. In the example above, we can remove US based addresses:
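
As an added illustration (not Unit21's implementation and not code from this page), the Python example below models the rule configured above: 6 or more users sharing the same address, email and IP address, restricted to entities registered in the last week and with US based addresses removed. The function names, field names and sample records are hypothetical, and it assumes that all selected attributes must match together and that one alert is produced per shared set of values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15)  # fixed "today" so the sample is reproducible

def _mk(prefix, n, address, email, ip, days_ago):
    """Build n constructed entities sharing the same address, email and IP."""
    return [{"id": f"{prefix}{i}", "address": address, "email": email, "ip": ip,
             "registered_at": NOW - timedelta(days=days_ago)} for i in range(n)]

# Constructed sample data, not real customer records.
ENTITIES = (
    _mk("fr", 6, "1 Rue A, Lyon, FR", "a@example.com", "203.0.113.7", 2)
    + _mk("us", 7, "9 Elm St, Reno, US", "b@example.com", "198.51.100.4", 3)
    + _mk("old", 6, "5 High St, Leeds, GB", "c@example.com", "192.0.2.9", 90)
    + _mk("few", 3, "2 Via B, Rome, IT", "d@example.com", "192.0.2.55", 1)
    + [{"id": "noip", "address": "1 Rue A, Lyon, FR", "email": "a@example.com",
        "ip": None, "registered_at": NOW}]
)

def graph_rule(entities, match_on, min_matches, entity_filter=None, node_filter=None):
    """Return one alert per shared value set that links >= min_matches entities."""
    groups = defaultdict(list)
    for e in entities:
        if entity_filter and not entity_filter(e):
            continue  # models the funnel-icon filter on the matching entities
        shared = {f: e.get(f) for f in match_on}
        if any(v is None for v in shared.values()):
            continue  # assumption: a missing attribute cannot form a link
        if node_filter and not node_filter(shared):
            continue  # models a filter placed on a node of the link graph
        groups[tuple(shared.values())].append(e["id"])
    return [{"shared": dict(zip(match_on, key)), "entities": sorted(ids)}
            for key, ids in groups.items() if len(ids) >= min_matches]

def registered_last_week(e):
    return NOW - e["registered_at"] <= timedelta(days=7)

def non_us_address(shared):
    return not shared["address"].endswith(", US")

if __name__ == "__main__":
    fields = ("address", "email", "ip")
    for alert in graph_rule(ENTITIES, fields, 6, registered_last_week, non_us_address):
        print(alert["shared"], "->", len(alert["entities"]), "entities")
```

Without either filter the same data yields three alerts; adding the registration filter drops the group that registered 90 days ago, and the node filter then drops the US group.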

📘

Custom data is supported for the entities in graph based rules.

Validate a Graph Based Rule:

When validating your graph based rule, the time range is irrelevant and can be ignored. This is because graph based rules run against all the data (at all times) in the Unit21 system:

When the results of the validation session appear, please note that only up to 50 alerts may be flagged. This imposed maximum ensures a fast validation session. This will not occur when the rule is live.

As you can see in this example, a single alert is created for every object that matches (in this case, 1 alert for 18 entities):

Additionally, a Rule Graph view is provided in the validation page:

Clicking on any user node in the Rule Graph view opens the detail view so that an agent can review the matching object and make sure the rule worked as anticipated:

Review a Graph Based Rule Alert:

Once the rule is live and generates an alert, the summary section will show all flagged entities.

It is recommended that agents use the Network Analysis graph to review expected matches:
