Client asks for list of implicit rules not visible in Backoffice
Implicit Rule List
| Rule id | Rule description (as appears in CM) | Detailed description & comments |
| rsa.implicit.0000001 | RSA Implicit Case Sampling | Old case sampling rule - depreceated |
| rsa.implicit.0000002 | RSA Implicit Case Sampling | Manual case sampling - an RSA fraud analyst decided to sample a case |
| rsa.implicit.0000011 | RSA Implicit Back Coloring - IP | Back coloring from fraud confirmed - linked based on an IP - distance of 1 = either same IP or same user id as previously confirmed fraud |
| rsa.implicit.0000012 | RSA Implicit Back Coloring - IP | Back coloring from fraud confirmed - linked based on an IP - distance of 2 = fraud confirmed user - other transaction on same user coming from a new device - then the current transaction has the same IP as the other transaction |
| rsa.implicit.0000021 | RSA Implicit Back Coloring - device fp | Back coloring from fraud confirmed - linked based on an device fingerprint #1 - distance of 1 = same device fingerprint #1 as fraud confirmed |
| rsa.implicit.0000022 | RSA Implicit Back Coloring - device fp | Back coloring from fraud confirmed - linked based on an device fingerprint #2 - distance of 1 = same device fingerprint #2 as fraud confirmed |
| rsa.implicit.0000023 | RSA Implicit Back Coloring - device fp | Back coloring from fraud confirmed - linked based on an device fingerprint #3 - distance of 1 = same device fingerprint #3 as fraud confirmed |
| rsa.implicit.0000030 | RSA Implicit EFN | Back coloring from client supplied EFN list - same IP as client supplied bad IP list |
| rsa.implicit.0000031 | RSA Implicit EFN IP | Back coloring from EFN IP list - IP was reported into the EFN (so it was reported as fraud on another client of RSA), but only after the transaction was conducted on the current client |
| rsa.implicit.0000032 | RSA Implicit EFN payee | Back coloring from EFN payee list - payee was reported into the EFN (so it was reported as fraud on another client of RSA), but only after the transaction was conducted on the current client |
| rsa.implicit.0000033 | RSA Implicit EFN device fp | Back coloring from EFN device fingerprint list - device fingerprint was reported into the EFN (so it was reported as fraud on another client of RSA), but only after the transaction was conducted on the current client |
| rsa.implicit.0000040 | RSA Implicit Bait | Bait user tried to login - automatically marked as fraud |
| rsa.implicit.00001nn | RSA Implicit Case Sampling - nn users within mm minutes | NN users logged in on the same IP address within mm minutes. All of those users came from a small number of device prints, and all of them did not have history of coming from the IP print and/or the device print |
| rsa.implicit.00002nn | RSA Implicit Case Sampling - nn users within mm minutes | NN users logged in on the same device fingerprint within mm minutes. All of them did not have history of coming from the IP print and/or the device print |
| rsa.implicit.0000800 | RSA Implicit Cross Channel | Offline cross channel fraud model |
0000102 ? RSA IP Sampling - 2 users on same IP
0000103 ? RSA IP Sampling - 3 users on same IP
0000104 ? RSA IP Sampling - 4 users on same IP
0000105 ? RSA IP Sampling - 5+ users on same IP
0000302 ? RSA Cookie Sampling - 2 users on same Cookie
0000303 ? RSA Cookie Sampling - 3 users on same Cookie
0000304 ? RSA Cookie Sampling - 4 users on same Cookie
0000305 ? RSA Cookie Sampling - 5+ users on same Cookie
0001105 ? RSA New Account IP Sampling - 5+ users on same IP
All the above are implicit rules with similar logic: nn users logged in on the same IP address/Cookie within mm minutes. All of those users came from a small number of device prints, and all of them did not have history of coming from the IP print and/or the device print.
Related Articles
What are the requirements for inter-component sharing data from RSA Web Threat Detection? Number of Views Installer prerequisite fails on files that are not relevant to the RSA Governance & Lifecycle deployment Number of Views Incorrect setting for Oracle PARALLEL_DEGREE_POLICY causes issue in RSA Identity Governance & Lifecycle Number of Views Looping fulfillment workflows cause multiple issues in SecurID Governance & Lifecycle Number of Views Understanding RSA Authentication Manager logging fields when they are forwarded to syslog Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA-2026-07: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities Downloading RSA Authentication Manager license files or RSA Software token seed records RSA MFA Agent 2.5 for Microsoft Windows Installation and Administration Guide
