Skip to main content

Playbook Engine

The Playbook Engine is the decision-making core of Humifortis. It evaluates every authentication event against a prioritized ruleset and determines what security action to enforce — in real time, with zero human intervention.

Think of it as an always-on security analyst that responds in milliseconds.


How It Works

Risk Signals + Risk Level  →  Playbook Engine (first_match)  →  Security Actions

First-Match Evaluation

Rules are evaluated top-down by descending priority (100 → 1). The first rule that matches wins and its actions are executed immediately.

This guarantees:

  • Deterministic — same input always produces the same output
  • Fast — evaluation stops at first match
  • Auditable — you always know which rule fired and why

Rule Anatomy

Each rule has:

FieldPurpose
priorityEvaluation order (higher = evaluated first)
nameHuman-readable identifier
risk_levelOptional — match when risk equals this level
risk_levelsOptional — match when risk is in this list
derived_signalsOptional — ALL listed signals must be present (AND logic)
actionsList of security actions to execute

Example:

- priority: 100
name: "ato_credential_strip"
derived_signals: ["CREDENTIAL_STRIPPING"]
actions: ["DENY", "REVOKE_OTHER_SESSIONS", "NOTIFY_SOC", "LOCK_ACCOUNT"]

Rule Categories

🔴 Critical — ATO & Admin Abuse (Priority 95–100)

The most dangerous threats: account takeover, credential stripping, MFA manipulation, and admin abuse.

RuleSignals RequiredActions
ato_credential_stripCREDENTIAL_STRIPPINGDENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC, LOCK_ACCOUNT
ato_consolidationATO_CONSOLIDATIONDENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC
mfa_manipulationMFA_TOKEN_MANIPULATIONDENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC
admin_abuseADMIN_ABUSE_PATTERNDENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC
off_hours_adminAUTH_OFF_HOURS_ADMINDENY, NOTIFY_SOC
critical_anyAny CRITICAL risk levelDENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC

Zero tolerance — all critical rules result in immediate denial and session revocation.


🟠 High — Suspicious Activity (Priority 84–90)

Elevated threats requiring strong re-authentication or WebAuthn.

RuleSignals RequiredActions
high_device_countryAUTH_NEW_DEVICE + AUTH_DEVICE_COUNTRY_MISMATCHREQUIRE_WEBAUTHN, REVOKE_OTHER_SESSIONS, NOTIFY_SOC
high_mfa_fatigue_completeMFA_SUCCESS_AFTER_STORMDENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC
high_device_churnAUTH_DEVICE_CHURNREQUIRE_WEBAUTHN, NOTIFY_SOC
high_anon_new_deviceAUTH_ANONYMOUS_NETWORK + AUTH_NEW_DEVICEREQUIRE_WEBAUTHN, NOTIFY_USER
high_anyAny HIGH risk levelREQUIRE_MFA, NOTIFY_USER

WebAuthn (FIDO2) is preferred for high-risk scenarios — it's phishing-resistant.


🟡 Medium — Behavioral Anomalies (Priority 75–80)

Moderate deviations that warrant additional verification.

RuleSignals RequiredActions
medium_mfa_fatigueMFA_FATIGUE_PATTERNDENY, NOTIFY_SOC
medium_device_countryAUTH_DEVICE_COUNTRY_MISMATCHREQUIRE_MFA, NOTIFY_USER
medium_anon_new_deviceAUTH_ANONYMOUS_NETWORK + AUTH_NEW_DEVICEREQUIRE_MFA
medium_new_deviceAUTH_NEW_DEVICEREQUIRE_MFA
medium_anyAny MEDIUM risk levelREQUIRE_MFA

🟢 Low — Minor Flags (Priority 58–60)

Low-confidence anomalies that still benefit from step-up authentication.

RuleSignals RequiredActions
low_new_deviceAUTH_NEW_DEVICEREQUIRE_MFA
low_anon_networkAUTH_ANONYMOUS_NETWORKREQUIRE_MFA
low_new_accountAUTH_NEW_ACCOUNT_NEW_DEVICEREQUIRE_MFA

✅ Allow & Fallback (Priority 1–10)

RuleConditionActions
minimal_low_allowRisk is MINIMAL or LOW (no threat signals)ALLOW
fallbackNothing else matchedREQUIRE_MFA

Secure by default — if no rule explicitly allows, MFA is always required.


Available Actions

ActionWhat It Does
ALLOWPermit the request to proceed
REQUIRE_MFAPrompt for multi-factor authentication
REQUIRE_WEBAUTHNPrompt for FIDO2/WebAuthn verification
REVOKE_OTHER_SESSIONSInvalidate all other active sessions
NOTIFY_USERSend a security alert to the end user
NOTIFY_SOCAlert the Security Operations Center
LOCK_ACCOUNTLock the account until manually reviewed
DENYBlock the current authentication attempt

See Also