Playbook Engine
The Playbook Engine is the decision-making core of Humifortis. It evaluates every authentication event against a prioritized ruleset and determines what security action to enforce — in real time, with zero human intervention.
Think of it as an always-on security analyst that responds in milliseconds.
How It Works
Risk Signals + Risk Level → Playbook Engine (first_match) → Security Actions
First-Match Evaluation
Rules are evaluated top-down by descending priority (100 → 1). The first rule that matches wins and its actions are executed immediately.
This guarantees:
- Deterministic — same input always produces the same output
- Fast — evaluation stops at first match
- Auditable — you always know which rule fired and why
Rule Anatomy
Each rule has:
| Field | Purpose |
|---|---|
priority | Evaluation order (higher = evaluated first) |
name | Human-readable identifier |
risk_level | Optional — match when risk equals this level |
risk_levels | Optional — match when risk is in this list |
derived_signals | Optional — ALL listed signals must be present (AND logic) |
actions | List of security actions to execute |
Example:
- priority: 100
name: "ato_credential_strip"
derived_signals: ["CREDENTIAL_STRIPPING"]
actions: ["DENY", "REVOKE_OTHER_SESSIONS", "NOTIFY_SOC", "LOCK_ACCOUNT"]
Rule Categories
🔴 Critical — ATO & Admin Abuse (Priority 95–100)
The most dangerous threats: account takeover, credential stripping, MFA manipulation, and admin abuse.
| Rule | Signals Required | Actions |
|---|---|---|
| ato_credential_strip | CREDENTIAL_STRIPPING | DENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC, LOCK_ACCOUNT |
| ato_consolidation | ATO_CONSOLIDATION | DENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC |
| mfa_manipulation | MFA_TOKEN_MANIPULATION | DENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC |
| admin_abuse | ADMIN_ABUSE_PATTERN | DENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC |
| off_hours_admin | AUTH_OFF_HOURS_ADMIN | DENY, NOTIFY_SOC |
| critical_any | Any CRITICAL risk level | DENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC |
Zero tolerance — all critical rules result in immediate denial and session revocation.
🟠 High — Suspicious Activity (Priority 84–90)
Elevated threats requiring strong re-authentication or WebAuthn.
| Rule | Signals Required | Actions |
|---|---|---|
| high_device_country | AUTH_NEW_DEVICE + AUTH_DEVICE_COUNTRY_MISMATCH | REQUIRE_WEBAUTHN, REVOKE_OTHER_SESSIONS, NOTIFY_SOC |
| high_mfa_fatigue_complete | MFA_SUCCESS_AFTER_STORM | DENY, REVOKE_OTHER_SESSIONS, NOTIFY_SOC |
| high_device_churn | AUTH_DEVICE_CHURN | REQUIRE_WEBAUTHN, NOTIFY_SOC |
| high_anon_new_device | AUTH_ANONYMOUS_NETWORK + AUTH_NEW_DEVICE | REQUIRE_WEBAUTHN, NOTIFY_USER |
| high_any | Any HIGH risk level | REQUIRE_MFA, NOTIFY_USER |
WebAuthn (FIDO2) is preferred for high-risk scenarios — it's phishing-resistant.
🟡 Medium — Behavioral Anomalies (Priority 75–80)
Moderate deviations that warrant additional verification.
| Rule | Signals Required | Actions |
|---|---|---|
| medium_mfa_fatigue | MFA_FATIGUE_PATTERN | DENY, NOTIFY_SOC |
| medium_device_country | AUTH_DEVICE_COUNTRY_MISMATCH | REQUIRE_MFA, NOTIFY_USER |
| medium_anon_new_device | AUTH_ANONYMOUS_NETWORK + AUTH_NEW_DEVICE | REQUIRE_MFA |
| medium_new_device | AUTH_NEW_DEVICE | REQUIRE_MFA |
| medium_any | Any MEDIUM risk level | REQUIRE_MFA |
🟢 Low — Minor Flags (Priority 58–60)
Low-confidence anomalies that still benefit from step-up authentication.
| Rule | Signals Required | Actions |
|---|---|---|
| low_new_device | AUTH_NEW_DEVICE | REQUIRE_MFA |
| low_anon_network | AUTH_ANONYMOUS_NETWORK | REQUIRE_MFA |
| low_new_account | AUTH_NEW_ACCOUNT_NEW_DEVICE | REQUIRE_MFA |
✅ Allow & Fallback (Priority 1–10)
| Rule | Condition | Actions |
|---|---|---|
| minimal_low_allow | Risk is MINIMAL or LOW (no threat signals) | ALLOW |
| fallback | Nothing else matched | REQUIRE_MFA |
Secure by default — if no rule explicitly allows, MFA is always required.
Available Actions
| Action | What It Does |
|---|---|
ALLOW | Permit the request to proceed |
REQUIRE_MFA | Prompt for multi-factor authentication |
REQUIRE_WEBAUTHN | Prompt for FIDO2/WebAuthn verification |
REVOKE_OTHER_SESSIONS | Invalidate all other active sessions |
NOTIFY_USER | Send a security alert to the end user |
NOTIFY_SOC | Alert the Security Operations Center |
LOCK_ACCOUNT | Lock the account until manually reviewed |
DENY | Block the current authentication attempt |
See Also
- Policy Configuration — thresholds, sensitivity, enforcement modes
- Derived Signals — signals the playbook operates on
- Keycloak Connector — how playbook decisions are enforced in Keycloak