Skip to main content

Rules

Rules let you configure how ShieldLabs responds to specific score ranges and signals for your domain.

What rules control

  • Score thresholds — define what score triggers each action level
  • Signal-specific actions — react to specific signals regardless of total score
  • Automatic actions — block, challenge, or allow based on rules

Configuring rules

Rules are configured per domain in the dashboard under Domain → Rules.

Pattern-based rules

Beyond single-session scoring, rules can act on detected behavior patterns:
PatternRecommended rule
high_velocity_deviceBlock on dangerous, challenge on suspicious
Multi-account same deviceBlock immediately
Repeated failed sessionsEscalate 2FA requirement

API

Retrieve pattern data for your domain: 
# All patterns
GET /api/domains/{domain_id}/patterns

# Specific pattern with entity list
GET /api/domains/{domain_id}/patterns/{pattern_name}
Pattern response: 
{
  "pattern_name": "high_velocity_device",
  "entity_type": "device_id",
  "entity_id": "a1b2c3d4...",
  "level": "dangerous",
  "current_value": 47,
  "first_detected": "2026-04-10T08:00:00Z",
  "last_seen": "2026-04-14T10:30:00Z",
  "weeks_active_4": 1,
  "became_suspicious": "2026-04-10T08:00:00Z",
  "became_dangerous": "2026-04-12T14:00:00Z"
}