Graph-Based Rules

Unit21 supports rules based on entity links generally seen in our Link Analysis tool.


Ask your CSM to enable Graph-Based Rules.

The Unit21 system can find risky commonalities between your users and generate alerts for your agents to review.

For example, it can be suspicious if three different users use the same credit card on your e-commerce site. It can also be suspicious if 5 different users have the same IP address when they log onto your app.

Create a Graph-Based Rule:

To create these rules, we built a system called "graph-based rules". Graph-based rules allow a user to create a logic model via our GUI.

To start the process:

  1. Go to the Detection Models page.
  2. Select +Create Scenario Model.
  3. Select Graph-based rule:

  1. You will now see our graph model builder:

The default example shows a rule that has been created to generate an alert if two users have the same address.

The first thing to note is all the items you can match on between entities. You can select one or more:

The second item to note is the number of matches. Up to 50 are supported:

Here is an example configuration to find 6 or more users with the same address, email and IP address:

As usual, Unit21 is highly configurable. Let's use filters and more to customize the example above.

First, we will use the traditional filter system by selecting the funnel icon:

This brings up a prompt where the matching entities can be further filtered.

For example, we might want to look at entities that registered on your platform in the last week only:

Now let's look at the Link Graph in detail where all the nodes appear:

You can Shift-Click on any node to:
-- add a new node if a + icon is present
-- delete that node if a - icon is present:

You can Click on any node to:
-- add a filter condition on that node if a funnel icon is present

That filter can be used to remove matching conditions. In the example above, we can remove US based addresses:


Custom data is supported for the entities in graph-based rules.

Validate a Graph-Based Rule:

When validating your graph-based rule, there is no need to select a time range because graph-based rules run against all the data (at all times) in the Unit21 system. The only selection needed on this page is the execution frequency.


Graph-based rules can be run as frequently as every hour.

When the results of the validation session appear, please note that only up to 50 alerts may be flagged. This imposed maximum ensures a fast validation session. This will not occur when the rule is live.

As you can see in this example, a single alert is created for every object that matches (in this case, 1 alert for 18 entities):

Additionally, a Rule Graph view is provided in the validation page:

Clicking on any user node in the Rule Graph view opens the detail view so that an agent can review the matching object and make sure the rule worked as anticipated:

Review a Graph-Based Rule Alert:

Once the rule is live and generates an alert, the summary section will show all flagged entities.

it is recommended that agents use the Network Analysis graph for review of expected matches:

Account & Routing Number Matching

Clients can now label 'account numbers' and 'routing numbers' as a semantic type.

After, clients can build a 'graph-based rule' that matches on account and routing number combinations.