Rules Engine

The TIDALBAY Rules Engine evaluates incoming security events against a configurable set of rules to determine score impact and trigger automated actions. It is the core decision-making component of the platform.

Architecture

The rules engine processes events through a pipeline:

  1. Event intake: Normalized events enter the evaluation queue
  2. Rule matching: Events are matched against active rules based on type and conditions
  3. Impact calculation: Matched rules produce a score impact value
  4. Aggregation: Multiple rule matches are aggregated with impact limits
  5. Score update: The employee's score is updated atomically
  6. Action dispatch: Score-based and event-based actions are triggered

Rule Types

Simple Rules

Map a single event type to a fixed point impact:

{
  "name": "Phishing Click",
  "event_type": "sim.link_clicked",
  "impact": -25,
  "cooldown": "24h"
}

Conditional Rules

Apply conditions to narrow when the rule fires:

{
  "name": "Off-Hours Suspicious Login",
  "event_type": "auth.suspicious_login",
  "conditions": {
    "time_of_day": "outside_hours",
    "location": "outside_country"
  },
  "impact": -25
}

Threshold Rules

Trigger only after an event occurs N times within a window:

{
  "name": "Repeated Login Failures",
  "event_type": "auth.login_failure",
  "conditions": {
    "count_threshold": 5,
    "time_window": "1h"
  },
  "impact": -10
}

Composite Rules

Combine multiple event types into a single rule (Enterprise):

{
  "name": "Compromised Account Pattern",
  "conditions": {
    "all_of": [
      { "event_type": "auth.suspicious_login" },
      { "event_type": "auth.mfa_disabled", "within": "1h" }
    ]
  },
  "impact": -50,
  "actions": ["alert_soc", "lock_account"]
}

Note: Composite rules are available on Enterprise plans. They enable detection of multi-step attack patterns that individual rules would miss.

Evaluation Order

Rules are evaluated in priority order (lower number = higher priority):

  • Priority 1–99: Custom high-priority rules
  • Priority 100–199: Custom standard rules
  • Priority 200+: Default rules

By default, all matching rules apply cumulatively. Set a rule as "exclusive" to stop evaluation after it matches.

Impact Limits

To prevent excessive score changes from correlated events:

  • Per-event limit: Maximum cumulative impact from a single event (default: -50)
  • Hourly limit: Maximum cumulative negative impact per hour (default: -75)
  • Daily limit: Maximum cumulative negative impact per day (default: -100)

Note (limit overrides): Critical security events (account compromise, data breach indicators) can be configured to bypass impact limits. Use this cautiously: a bypassing rule removes the only cap on how far a single event can move a score.
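To make the pipeline concrete, here is an added example (not TIDALBAY's own code) of a small evaluator for the rule shapes documented above: simple, conditional and threshold rules, priority order with the exclusive flag, and the per-event impact limit. The `priority` and `exclusive` field names, the event field names (`type`, `employee`, `ts` as epoch seconds, `role`) and the rule set itself are assumptions; cooldowns, hourly/daily limits and composite rules are not modelled.

```python
from collections import defaultdict

PER_EVENT_LIMIT = -50  # documented default; hourly/daily limits and cooldowns are not modelled here
# Constructed rules in the documented JSON shape; 'priority' and 'exclusive' are assumed field names.
RULES = [
    {"name": "Phishing Click", "event_type": "sim.link_clicked", "impact": -25, "priority": 200},
    {"name": "Executive Phishing Click", "event_type": "sim.link_clicked",
     "conditions": {"role": "executive"}, "impact": -35, "priority": 100},
    {"name": "Off-Hours Suspicious Login", "event_type": "auth.suspicious_login",
     "conditions": {"time_of_day": "outside_hours", "location": "outside_country"},
     "impact": -25, "priority": 50, "exclusive": True},
    {"name": "Any Suspicious Login", "event_type": "auth.suspicious_login", "impact": -10, "priority": 200},
    {"name": "Repeated Login Failures", "event_type": "auth.login_failure",
     "conditions": {"count_threshold": 5, "time_window": "1h"}, "impact": -10, "priority": 150},
]

def window_seconds(spec):
    """Parse a time_window such as '1h', '30m' or '7d' into seconds."""
    return int(spec[:-1]) * {"m": 60, "h": 3600, "d": 86400}[spec[-1]]

class RulesEngine:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.get("priority", 200))  # lower number evaluates first
        self.history = defaultdict(list)  # (employee, event_type) -> epoch timestamps seen

    def matches(self, rule, event):
        if rule["event_type"] != event["type"]:
            return False
        cond = rule.get("conditions", {})
        if "count_threshold" in cond:  # threshold rule: fire only once N events fall in the window
            since = event["ts"] - window_seconds(cond["time_window"])
            recent = [t for t in self.history[(event["employee"], event["type"])] if t >= since]
            if len(recent) < cond["count_threshold"]:
                return False
        # Every other condition key is a plain attribute comparison against the event.
        return all(event.get(k) == v for k, v in cond.items()
                   if k not in ("count_threshold", "time_window"))

    def evaluate(self, event):
        """Return (matched rule names, score impact after the per-event limit)."""
        self.history[(event["employee"], event["type"])].append(event["ts"])
        matched, total = [], 0
        for rule in self.rules:
            if self.matches(rule, event):
                matched.append(rule["name"])
                total += rule["impact"]
                if rule.get("exclusive"):  # an exclusive rule stops further evaluation
                    break
        return matched, max(total, PER_EVENT_LIMIT)  # cumulative impact, clamped
```

Feeding the same engine a constructed stream of events shows the exclusive rule suppressing the generic login rule, two phishing rules being clamped from -60 to the -50 per-event limit, and the threshold rule firing only on the fifth failure inside the hour.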

Testing Rules

Before activating a rule, use the testing tools:

  • Dry run: Evaluate the rule against historical events without affecting scores
  • Preview: See which employees would be affected and by how much
  • Sandbox: Test in a sandboxed environment (Enterprise)
