Amazon Fraud Detector is no longer open to new customers as of November 7, 2025. For capabilities similar to Amazon Fraud Detector, explore Amazon SageMaker, AutoGluon, and AWS WAF. # Rules A rule is a condition that tells Amazon Fraud Detector how to interpret variable values during a fraud prediction. A rule is part of a detector logic and it consists of the following elements: + **Variable or List** – Variable represents a data element in your event dataset that you want to use in a fraud prediction. A list is a set of input data elements for a variable in your event dataset. Variables used in a rule must be predefined in the evaluated event type and lists used in a rule must be associated with a variable type. For more information, see [Variables](variables.md) and [Lists](lists.md). + **Expression** – An expression in a rule captures your business logic. If you are using variable in your rule, a simple rule expression is constructed using a variable, a comparison operator such as >, <, <=, >=. == , and a value. If you are using a list, rule expression is constructed as list entry, `in`, and the list name. For more information, see [Rule language reference](rule-language-reference.md). You can combine multiple expressions together using `and` and `or`. All expressions must evaluate to a Boolean value (true or false) and be less than 4,000 characters in length. If-else type conditions are not supported. + **Outcome** – An outcome is a response returned by Amazon Fraud Detector when a rule is matched. The outcome indicates the result of a fraud prediction. You can create outcomes for each possible fraud prediction and add them to a rule. For more information, see [Outcomes](outcomes.md). A detector must have at least one associated rule. A rule can have up to 3 lists, and a detector can have up to 30 lists. You create rule as part of the detector creation process. You can also create and associate new rules with an existing detector. # Rule language reference The following section outlines the expression (that is, rule writing) capabilities in Amazon Fraud Detector. ## Using variables You can use any variable defined in the evaluated event type as part of your expression. Use the dollar sign to indicate a variable: ``` $example_variable < 100 ``` ## Using lists You can use any list that is associated with a variable type and is populated with entries as part of your rule expression. Use the dollar sign to indicate a list entry value: ``` $example_list_variable in @list_name ``` ## Comparison, membership, and identity operators Amazon Fraud Detector includes the following comparison operators: >, >=, <, <=,\$1=, ==, in, not in The following are examples: Example: < ``` $variable < 100 ``` Example: in, not in ``` $variable in [5, 10, 25, 100] ``` Example: \$1= ``` $variable != "US" ``` Example: == ``` $variable == 1000 ``` **Operator Tables** | Operator | Amazon Fraud Detector Operator | | --- | --- | | Equal to | == | | Not equal to | \$1= | | Greater than | > | | Less than | < | | Great than or equal to | >= | | Less than or equal to | <= | | In | in | | And | and | | Or | or | | Not | \$1 | ## Basic math You can use basic math operators in your expression (for example, \$1, -, \$1 ,/). A typical use case is when you need to combine variables during your evaluation. In the rule below, we are adding the variable `$variable_1` with `$variable_2`, and checking whether the total is less than 10. ``` $variable_1 + $variable_2 < 10 ``` **Basic Math Table Data** | Operator | Amazon Fraud Detector Operator | | --- | --- | | Plus | \$1 | | Minus | - | | Multiply | \$1 | | Divide | / | | Modulo | % | ## Regular Expression (regex) You can use regex to search for specific patterns as part of your expression. This is particularly useful if you are looking to match a specific string or numerical value for one of your variables. Amazon Fraud Detector only supports match when working with regular expressions (for example, it returns True/False depending on whether the provided string is matched by the regular expression). Amazon Fraud Detector’s regular expression support is based on .matches() in java (using the RE2J Regular Expression library). There are several helpful websites on the internet that are useful for testing different regular expression patterns. In the first example below, we first transform the variable `email` to lowercase. We then check whether the pattern `@gmail.com` is in the `email` variable. Notice the second period is escaped so that we can explicitly check for the string `.com`. ``` regex_match(".*@gmail\.com", lowercase($email)) ``` In the second example, we check whether the variable `phone_number` contains the country code `+1` to determine if the phone number is from the US. The plus symbol is escaped so that we can explicitly check for the string `+1`. ``` regex_match(".*\+1", $phone_number) ``` **Regex Table** | Operator | Amazon Fraud Detector Example | | --- | --- | | Match any string that starts with | regex\$1match("^mystring", \$1variable) | | Match entire string exactly | regex\$1match("mystring", \$1variable) | | Match any character except new line | regex\$1match(".", \$1variable) | | Match any number of characters except new line prior ‘mystring’ | regex\$1match(".\$1mystring", \$1variable) | | Escape special characters | \$1 | ## Checking for missing values Sometimes it is beneficial to check whether the value is missing. In Amazon Fraud Detector this is represented by null. You can do this by using the following syntax: ``` $variable != null ``` Similarly, if you wanted to check whether a value is not present, you could do the following: ``` $variable == null ``` ## Multiple conditions You can combine multiple expressions together using `and` and `or`. Amazon Fraud Detector stops in an `OR` expression when a single true value is found, and it stops in an `AND` when a single false value is found. In the example below, we are checking for two conditions using the `and` condition. In the first statement, we are checking whether variable 1 is less than 100. In the second we check whether variable 2 is not the US. Given the rule uses an `and`, both must be TRUE for the entire condition to evaluate to TRUE. ``` $variable_1 < 100 and $variable_2 != "US" ``` You can use parenthesis to group Boolean operations, as shown following: ``` $variable_1 < 100 and $variable_2 != "US" or ($variable_1 * 100.0 > $variable_3) ``` ## Other expression types ### DateTime functions | Function | Description | Example | | --- | --- | --- | | getcurrentdatetime() | Gives the current time of the rule execution in ISO8601 UTC format. You can use getepochmilliseconds(getcurrentdatetime()) to perform additional operations | getcurrentdatetime() == "2023-03-28T18:34:02Z" | | isbefore(DateTime1, DateTime2) | Returns a boolean(True/False) if the caller DateTime1 is before DateTime2 | isbefore(getcurrentdatetime(), "2019-11-30T01:01:01Z") == "False" isbefore(getcurrentdatetime(), "2050-11-30T01:05:01Z") == "True" | | isafter(DateTime1,DateTime2) | Returns a boolean(True/False) if the caller DateTime1 is after DateTime2 | isafter(getcurrentdatetime(), "2019-11-30T01:01:01Z") == "True" isafter(getcurrentdatetime(), "2050-11-30T01:05:01Z") == "False" | | getepochmilliseconds(DateTime) | Takes a DateTime and returns that DateTime in epoch milliseconds. Useful for performing mathematical operations on the date | getepochmilliseconds("2019-11-30T01:01:01Z") == 1575032461 | ### String Operators | Operator | Example | | --- | --- | | Transform string to uppercase | uppercase(\$1variable) | | Transform string to lowercase | lowercase(\$1variable) | ### Other | Operator | Comment | | --- | --- | | Add a comment | \$1 my comment | # Create rules You can create rules in Amazon Fraud Detector console, using the [create-rule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/frauddetector/create-rule.html) command, using the [CreateRule](https://docs.aws.amazon.com//frauddetector/latest/api/API_CreateRule.html) API, or using the AWS SDK for Python (Boto3). Each rule must contain a single expression that captures your business logic. All expressions must evaluate to a Boolean value (true or false) and be less than 4,000 characters in length. If-else type conditions are not supported. All variables used in the expression must be predefined in the evaluated event type. Similarly, all lists used in the expression must be predefined, associated with a varible type, and be populated with entries. The following example creates a rule `high_risk` for an existing detector `payments_detector`. The rule associates an expression and an outcome `verify_customer` with the rule. **Prerequisites** To follow the steps mentioned below, make sure that you complete the following before you proceed with creating rules: + [Create a detector](create-a-detector.md) + [Create an outcome](create-an-outcome.md) If you are creating a detector, rule, and outcome for your use case, replace the example detector name, rule name, rule expression and outcome name with the names and expressions relevant to your use case. ## Create a new rule in the Amazon Fraud Detector console 1. Open the [AWS Management Console](https://console.aws.amazon.com) and sign in to your account. Navigate to Amazon Fraud Detector. 1. In the left navigation pane, choose **Detectors** and select the detector you created for your use case, example **payments\$1detector**. 1. In the **payments\$1detector** page, choose **Associated rules** tab and then choose **Create rule**. 1. In the **New rule** page, enter the following: 1. In the **Name**, enter a name for the rule, example **high\$1risk** 1. In the **Description - optional**, optionally enter a rule description, example, **This rule captures events with a high ML model score** 1. In the **Expression**, enter a rule expression for your use case using the **Expression quick reference guide**. Example `$sample_fraud_detection_model_insightscore >900` 1. In the **Outcomes**, choose the outcome you created for your use case, example **verify\$1customer**. An outcome is the result from a fraud prediction and is returned if the rule matches during an evaluation. 1. Choose **Save rule** You created a new rule for your detector. This is the version 1 of the rule which Amazon Fraud Detector automatically makes it available for the detector to use. ## Create a rule using the AWS SDK for Python (Boto3) The following example code uses [CreateRule](https://docs.aws.amazon.com//frauddetector/latest/api/API_CreateRule.html) API to create a rule `high_risk` for an existing detector `payments_detector`. The example code also adds a rule expression and an outcome `verify_customer` to the rule. **Prerequisites** To use the example code, make sure that you have complete the following before you proceed with creating rules: + [Create a detector](create-a-detector.md) + [Create an outcome](create-an-outcome.md) If you are creating a detector, rule, and outcome for your use case, replace the example detector name, rule name, rule expression and outcome name with names and expression relevant to your use case. ``` import boto3 fraudDetector = boto3.client('frauddetector') fraudDetector.create_rule( ruleId = 'high_risk', detectorId = 'payments_detector', expression = '$sample_fraud_detection_model_insightscore > 900', language = 'DETECTORPL', outcomes = ['verify_customer'] ) ``` You have created the version 1 of the rule which Amazon Fraud Detector automatically makes it available for the detector to use. # Update rule You can update a rule anytime by adding or updating the rule description, updating the rule expression, or adding or removing the outcome for the rule. When you update a rule a new rule version is created. You can update a rule in the Amazon Fraud Detector console, using the [update-rule-version](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/frauddetector/update-rule-version.html) command, using the [UpdateRuleVersion](https://docs.aws.amazon.com//frauddetector/latest/api/API_UpdateRuleVersion.html) API, or using the using the AWS SDK. After you have updated the rule, make sure to update your detector version to use the new rule version. ## Update rule in the Amazon Fraud Detector console **To update a rule,** 1. Open the [AWS Management Console](https://console.aws.amazon.com) and sign in to your account. Navigate to Amazon Fraud Detector. 1. In the left navigation pane, choose **Detectors**. 1. In the **Detectors** pane, select the detector that is associated with the rule you want to update. 1. In your detector page, choose **Associated rules** tab and select the rule you want to update. 1. In your rule page, choose **Actions** and select **Create version**. 1. Note that the version has changed. Enter updated description, expression, or outcome. 1. Choose **Save new version** ## Update rule using the AWS SDK for Python (Boto3) The following example code uses the [UpdateRuleVersion](https://docs.aws.amazon.com//frauddetector/latest/api/API_UpdateRuleVersion.html) API to update the threshold for the rule `high_risk` from 900 to 950. This rule is associated with the detector `payments_detector`. ``` fraudDetector.update_rule_version( rule = { 'detectorId' : 'payments_detector', 'ruleId' : 'high_risk', 'ruleVersion' : '1' }, expression = '$sample_fraud_detection_model_insightscore > 950', language = 'DETECTORPL', outcomes = ['verify_customer'] ) ```