Configuring Scoring Rules
Scoring rules define how security events affect employee risk scores. Customize rules to match your organization's security policies and risk tolerance.
Overview
Each scoring rule maps a security event to a point value. When an event matches a rule, the corresponding points are added to (or subtracted from) the employee's security score.
Default Rules
TIDALBAY ships with a set of default rules based on industry best practices. You can customize these or create new rules to fit your organization.
Rule Structure
Every scoring rule consists of:
- Name: A descriptive name for the rule
- Event Source: The integration that generates the event (e.g., Okta, Microsoft 365)
- Event Type: The specific event to match (e.g., login_failure, phishing_click)
- Conditions: Optional filters to narrow when the rule applies
- Impact: Point value (negative for risky events, positive for good behavior)
- Cooldown: Minimum time between repeated triggers for the same employee
Managing Rules
Viewing Rules
Navigate to Admin → Scoring Rules to see all active rules. Rules are organized by category:
- Identity & Access: Login failures, MFA changes, suspicious access
- Email Security: Phishing clicks, reported emails, spam interactions
- Endpoint: Malware detections, policy violations, unpatched software
- Training: Course completions, assessment scores
- Positive Behaviors: Phishing reports, clean streaks, training completion
Creating a Rule
- Click Create Rule in the Scoring Rules page
- Select the event source and event type
- Configure conditions (optional)
- Set the point impact value
- Set the cooldown period (optional, default: none)
- Click Save Rule
Editing a Rule
Click any rule to open its configuration. Changes take effect immediately for new events. Existing scores are not retroactively recalculated unless you explicitly trigger a recalculation.
Recalculation
Triggering a full score recalculation can be resource-intensive for large organizations. We recommend scheduling recalculations during off-peak hours.
Default Rules Reference
| Rule | Source | Impact | Cooldown |
|---|---|---|---|
| Phishing Link Clicked | Phishing Sim | -25 | 24 hours |
| Phishing Credentials Submitted | Phishing Sim | -35 | 24 hours |
| MFA Disabled | IdP | -30 | None |
| Repeated Login Failures (5+) | IdP | -10 | 1 hour |
| Malware Detected | EDR | -40 | None |
| Suspicious Email Reported | | +10 | None |
| Training Module Completed | Training | +15 | Per module |
| 30-Day Clean Streak | System | +5 | 30 days |
Advanced: Conditions
Conditions let you create rules that only trigger under specific circumstances:
```json
{
  "event_type": "login_failure",
  "conditions": {
    "count_threshold": 5,
    "time_window": "1h",
    "location": "outside_country"
  },
  "impact": -15
}
```

Supported condition types:
- count_threshold: Trigger only after N occurrences in the time window
- time_window: Period for counting events (e.g., 1h, 24h, 7d)
- location: Geographic conditions (outside_country, new_location)
- device: Device conditions (unmanaged, new_device)
- time_of_day: Time-based conditions (outside_hours, weekend)
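The following is an added example, not TIDALBAY's own code, showing how the rule structure (event type, conditions, impact, cooldown) and the condition types above combine when a stream of events is scored. It assumes a rule schema of its own: a `name` field, a `cooldown` written as a time-window string, event records carrying `employee`, `timestamp` and the condition attributes as plain fields, a default `time_window` of `1h` when a count threshold is given without one, and the assumption that only events which also satisfy the rule's attribute filters count towards `count_threshold`.

```python
import json
from datetime import datetime, timedelta

# Constructed rule set in the JSON shape shown on this page. The "name" and
# "cooldown" fields and the rule values are assumptions for this example.
RULES_JSON = """
[
  {"name": "Repeated Login Failures (5+)", "event_type": "login_failure",
   "conditions": {"count_threshold": 5, "time_window": "1h"},
   "impact": -10, "cooldown": "1h"},
  {"name": "Login Failures Outside Country", "event_type": "login_failure",
   "conditions": {"count_threshold": 5, "time_window": "1h",
                  "location": "outside_country"},
   "impact": -15},
  {"name": "Suspicious Email Reported", "event_type": "email_reported",
   "impact": 10}
]
"""

WINDOW_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
ATTRIBUTE_CONDITIONS = ("location", "device", "time_of_day")


def parse_window(spec):
    """Turn a window such as '1h', '24h' or '7d' into a timedelta."""
    unit, amount = spec[-1], spec[:-1]
    if unit not in WINDOW_UNITS or not amount.isdigit():
        raise ValueError(f"unsupported time window: {spec!r}")
    return timedelta(**{WINDOW_UNITS[unit]: int(amount)})


def attributes_match(conditions, event):
    """Every attribute condition present in the rule must equal the event's value."""
    return all(event.get(attr) == conditions[attr]
               for attr in ATTRIBUTE_CONDITIONS if attr in conditions)


class ScoringEngine:
    def __init__(self, rules):
        self.rules = rules
        self.scores = {}       # employee -> running score
        self.history = {}      # employee -> list of (timestamp, event)
        self.last_fired = {}   # (employee, rule name) -> timestamp of last trigger

    def apply(self, event):
        """Score one event and return the names of the rules that fired."""
        emp = event["employee"]
        ts = datetime.fromisoformat(event["timestamp"])
        self.history.setdefault(emp, []).append((ts, event))
        fired = []
        for rule in self.rules:
            if rule["event_type"] != event["event_type"]:
                continue
            if not self.conditions_met(rule, emp, ts, event):
                continue
            key = (emp, rule["name"])
            cooldown = rule.get("cooldown")
            last = self.last_fired.get(key)
            if cooldown and last is not None and ts - last < parse_window(cooldown):
                continue  # still inside the cooldown for this employee and rule
            self.last_fired[key] = ts
            self.scores[emp] = self.scores.get(emp, 0) + rule["impact"]
            fired.append(rule["name"])
        return fired

    def conditions_met(self, rule, emp, ts, event):
        conditions = rule.get("conditions", {})
        if not attributes_match(conditions, event):
            return False
        if "count_threshold" in conditions:
            # Assumption: only events of the same type that also satisfy the
            # attribute filters count towards the threshold; default window 1h.
            window = parse_window(conditions.get("time_window", "1h"))
            matching = [e for t, e in self.history[emp]
                        if ts - t <= window
                        and e["event_type"] == event["event_type"]
                        and attributes_match(conditions, e)]
            if len(matching) < conditions["count_threshold"]:
                return False
        return True


def run_demo():
    """Replay a constructed event stream and return (scores, per-event firing log)."""
    engine = ScoringEngine(json.loads(RULES_JSON))
    events = []
    for who, loc in (("alice", "inside_country"), ("bob", "outside_country")):
        for minute in range(6):  # six failures in six minutes, constructed data
            events.append({"employee": who, "event_type": "login_failure",
                           "location": loc,
                           "timestamp": f"2024-05-01T09:0{minute}:00"})
    events.append({"employee": "alice", "event_type": "email_reported",
                   "timestamp": "2024-05-01T10:00:00"})
    log = [(e["employee"], e["timestamp"], engine.apply(e)) for e in events]
    return engine.scores, log


if __name__ == "__main__":
    scores, log = run_demo()
    for emp, ts, fired in log:
        if fired:
            print(ts, emp, fired)
    print(scores)  # alice ends at 0, bob at -40
```

Running it shows why the cooldown matters: the rule with a `1h` cooldown fires once on the fifth failure and stays quiet on the sixth, while the rule without one fires on every further failure inside the window, so a single burst of failed logins keeps draining the score until the window expires.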