YAML Pattern Reference

Common rule combinations with the exact keys required by each operator family.

This page collects small rule patterns that can be inserted under ruleset.rules. Each example includes the surrounding rule fields so its decision and scoring behavior are visible.

Threshold with an exception

Block a high-value transaction unless it comes from a trusted channel:

- id: high_value_untrusted_channel
  action: block
  severity: HIGH
  weight: 60
  priority: 100
  conditions:
    and:
      - {field: payment.amount, op: gte, value: 5000}
      - {field: payment.channel, op: not_in, values: [branch, trusted_api]}

Cross-field mismatch

Review when billing and shipping countries differ and the order exceeds the customer's normal value:

- id: address_and_value_mismatch
  action: review
  weight: 35
  conditions:
    and:
      - {field: billing.country, op: neq_field, other_field: shipping.country}
      - {field: order.amount, op: gt_field, other_field: customer.avg_order_value_30d}

Allowlist plus blocklist

Use two independent lookup sets without copying thousands of values into YAML:

- id: risky_merchant_not_trusted
  action: review
  conditions:
    and:
      - {field: merchant.id, op: in_lookup, lookup: risky_merchants}
      - {field: customer.id, op: not_in_lookup, lookup: trusted_customers}

Regex, CIDR, and time

Detect an automation signature from outside a corporate network during an off-hours interval:

- id: off_hours_external_bot
  action: flag
  weight: 15
  conditions:
    and:
      - {field: http.user_agent, op: regex, value: "(?i)(bot|crawler|headless)"}
      - {field: network.ip, op: ip_not_in_subnet, value: "10.0.0.0/8"}
      - {field: event_ts_ms, op: time_of_day_between, value: [22, 6]}

Regular expressions use RE2 and are compiled once with the ruleset. IPv4 subnet operators do not accept IPv6 values.

Scalar arrays and flags

- id: suspicious_tags_and_capability
  action: flag
  conditions:
    and:
      - {field: event.tags, op: contains_any, values: [automation, scraper, replay]}
      - {field: device.capability_flags, op: flags_any, mask: 12}
      - {field: event.tags, op: array_len_gt, value: 2}

Use contains_all when every configured value is required, intersects for any overlap, and not_intersects to assert no overlap. flags_all requires every bit in the mask; flags_none requires none.

Array of objects

- id: high_risk_item
  action: review
  conditions:
    array_any:
      path: cart.items
      where:
        and:
          - {field: price, op: gte, value: 750}
          - {field: category, op: in, values: [electronics, luxury]}
          - {field: seller.country, op: not_in, values: [US, GB, DE]}

The three predicates must match the same item. array_any does not explode the parent transaction into multiple BlazeRules records.

Velocity plus model score

- id: rapid_high_risk_checkout
  action: block
  weight: 70
  conditions:
    and:
      - window:
          entity_field: customer.id
          function: count
          duration_seconds: 600
          op: gte
          value: 6
      - model_score:
          model: checkout_risk
          features: [order.amount, customer.account_age_days, device.risk_score]
          op: gte
          value: 0.86

Window functions read state from previous completed batches and update state at batch boundaries. Model features must be numeric scalar fields and must match the registered model's input shape.

Vector similarity guardrail

- id: device_cluster_similarity
  action: review
  conditions:
    and:
      - vector_distance:
          dims: [device.embedding_0, device.embedding_1, device.embedding_2, device.embedding_3]
          metric: cosine
          reference: [0.12, -0.04, 0.33, 0.78]
          op: gte
          value: 0.9
      - {field: device.fingerprint, op: not_in_lookup, lookup: trusted_devices}

For cosine, a larger value means greater similarity. dims is a list of numeric scalar fields, not one array-valued field.

Arithmetic ratio

- id: excessive_discount_ratio
  action: review
  conditions:
    op: gt
    expr:
      op: div
      left: order.discount_amount
      right: order.subtotal
    value: 0.6

Custom routing label

decisions:
  default: approve
  precedence: [approve, score, flag, review, promo_abuse_flag, block]

ruleset:
  name: Checkout Routing
  version: "1.0.0"
  rules:
    - id: repeated_promo_use
      action: review
      label: promo_abuse_flag
      reason_code: REPEATED_PROMO_USE
      conditions:
        window:
          entity_field: customer.id
          function: count
          duration_seconds: 3600
          op: gte
          value: 4

action remains a built-in action; label is the custom decision emitted to grouped routing, logs, and the dashboard.

Shadow candidate

- id: candidate_risk_threshold
  action: review
  shadow: true
  conditions: {field: customer.risk_score, op: gte, value: 65}

The rule is evaluated and counted but cannot change the final decision, score, or winning rule.

Next references


Did this page help you?