This page is a reference for every building block available when defining rule conditions and actions. For a guided walkthrough of the Rule Builder, see Building rules.
Condition logic
Conditions are organized into a tree of groups:
- all (AND): Every condition in the group must match.
- any (OR): At least one condition in the group must match.
At the top level, a rule can have multiple paths connected with OR logic. If any path matches, the rule triggers. Within each path, you nest all / any groups to express complex boolean logic.
{
  "any": [
    {
      "all": [
        { "entity": "transaction", "property": "amount", "operator": "greaterThan", "value": 50000 },
        { "entity": "client", "property": "riskTier", "operator": "equal", "value": "HIGH" }
      ]
    },
    {
      "all": [
        { "entity": "transaction", "property": "amount", "operator": "greaterThan", "value": 100000 }
      ]
    }
  ]
}
This rule triggers if the transaction amount exceeds $50,000 **and** the client is high-risk, **or** if the amount exceeds $100,000 regardless of risk tier.
Entities
Each condition targets one of four entities:
| Entity | Key | Description |
|---|---|---|
| Transaction | transaction | The transaction being evaluated — amount, type, currency, status, timestamps. |
| Client | client | The customer associated with the transaction — risk tier, country, KYC status. |
| Wallet | wallet | Blockchain wallets involved in the transaction — address, chain, labels. |
| Bank account | bankAccount | Fiat bank accounts involved — account number, bank country, routing info. |
Entity relationships
For non-transaction entities, you can specify which participant the condition applies to:
| Relationship | Description |
|---|---|
| all | Matches if the condition is true for any participant (sender or receiver). |
| sender | Only evaluate the sending party. |
| receiver | Only evaluate the receiving party. |
Operators
Comparison operators
| Operator | Description | Example |
|---|---|---|
| equal | Exact match | amount equal to 10000 |
| notEqual | Not equal | status not equal to COMPLETED |
| greaterThan | Strictly greater | amount greater than 50000 |
| greaterThanInclusive | Greater or equal | amount greater than or equal to 50000 |
| lessThan | Strictly less | amount less than 100 |
| lessThanInclusive | Less or equal | amount less than or equal to 1000 |
Array operators
| Operator | Description | Example |
|---|---|---|
| in | Value is in the list | country in ["US", "GB", "DE"] |
| notIn | Value is not in the list | type not in ["INTERNAL_TRANSFER"] |
| contains | Field contains the value | tags contains "high-risk" |
| doesNotContain | Field does not contain the value | tags does not contain "whitelisted" |
Range operator
| Operator | Description | Example |
|---|---|---|
| between | Value falls within a range (inclusive) | amount between [1000, 50000] |
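The group logic and the comparison, array and range operators above, as an added example rather than the product's own engine: a minimal evaluator run against the two-path rule from this page. The layout of the context dictionary, the helper names, and the choice that a missing field never matches are assumptions.

```python
# Operator semantics follow the tables on this page.
OPS = {
    "equal": lambda a, v: a == v,
    "notEqual": lambda a, v: a != v,
    "greaterThan": lambda a, v: a > v,
    "greaterThanInclusive": lambda a, v: a >= v,
    "lessThan": lambda a, v: a < v,
    "lessThanInclusive": lambda a, v: a <= v,
    "in": lambda a, v: a in v,
    "notIn": lambda a, v: a not in v,
    "contains": lambda a, v: v in a,
    "doesNotContain": lambda a, v: v not in a,
    "between": lambda a, v: v[0] <= a <= v[1],  # inclusive on both ends
}

def evaluate(node, ctx):
    """Return True if the condition tree `node` matches the entities in `ctx`."""
    if "all" in node:  # note: an empty "all" group is vacuously True here
        return all(evaluate(child, ctx) for child in node["all"])
    if "any" in node:
        return any(evaluate(child, ctx) for child in node["any"])
    if node["operator"] not in OPS:
        raise ValueError(f"unknown operator: {node['operator']}")
    actual = ctx.get(node["entity"], {}).get(node["property"])
    if actual is None:
        return False  # assumption: a missing field never matches
    return OPS[node["operator"]](actual, node["value"])

# The two-path rule shown on this page.
RULE = {"any": [
    {"all": [
        {"entity": "transaction", "property": "amount", "operator": "greaterThan", "value": 50000},
        {"entity": "client", "property": "riskTier", "operator": "equal", "value": "HIGH"},
    ]},
    {"all": [
        {"entity": "transaction", "property": "amount", "operator": "greaterThan", "value": 100000},
    ]},
]}

def sample_ctx(amount, tier):
    # Constructed sample input: one transaction and its client.
    return {"transaction": {"amount": amount}, "client": {"riskTier": tier}}

if __name__ == "__main__":
    for amount, tier in [(60000, "HIGH"), (60000, "LOW"), (100000, "LOW"), (100001, "LOW")]:
        print(amount, tier, evaluate(RULE, sample_ctx(amount, tier)))
```

Because greaterThan is strict, an amount of exactly 50,000 or 100,000 does not match; use greaterThanInclusive when the threshold itself should trigger.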
Aggregation operators
Aggregation conditions compute a value over a set of historical transactions before comparing with the operator and value. This enables velocity checks, cumulative thresholds, and statistical analysis.
| Operator | Description |
|---|---|
| sum | Total of the aggregated property. |
| count | Number of matching transactions. |
| avg | Average value. |
| min | Minimum value. |
| max | Maximum value. |
| median | Median value. |
| stddev | Standard deviation. |
| percentile | Value at a given percentile (requires aggregationPercentile field). |
| countDistinct | Number of distinct values for the aggregated property. |
Aggregation fields
When using an aggregation, provide these additional fields on the condition:
| Field | Required | Description |
|---|---|---|
| aggregationOperator | Yes | One of the operators above. |
| aggregationProperty | Yes | The field to aggregate (e.g., amount, convertedAmount). |
| aggregationTimeType | Yes | The time window type (see below). |
| aggregationTimeValue | Conditional | The numeric value for the window (required for in_the_last, after, before). |
| aggregationTimePeriod | Conditional | The time unit (required when aggregationTimeValue is set). |
| aggregationFilters | No | Array of sub-conditions to narrow which transactions are aggregated. |
| aggregationPercentile | Conditional | The percentile target (required when operator is percentile). |
Time windows
Time windows define the lookback period for aggregation conditions.
Time types
| Type | Description |
|---|---|
| all_time | All historical transactions with no time boundary. |
| in_the_last | Rolling window from now minus the specified period. |
| after | Transactions after a point in time. |
| before | Transactions before a point in time. |
| between | Transactions within a date range. |
Time periods
Used with aggregationTimeValue to define the window length:
| Period | Example |
|---|---|
| minutes | Last 30 minutes |
| hours | Last 24 hours |
| days | Last 7 days |
| weeks | Last 2 weeks |
| months | Last 3 months |
| years | Last 1 year |
Example: velocity check
“Count of deposits in the last 24 hours exceeds 10”:
{
  "entity": "transaction",
  "aggregationOperator": "count",
  "aggregationProperty": "id",
  "aggregationTimeType": "in_the_last",
  "aggregationTimeValue": 24,
  "aggregationTimePeriod": "hours",
  "aggregationFilters": [
    { "property": "type", "operator": "equal", "value": "DEPOSIT" }
  ],
  "operator": "greaterThan",
  "value": 10
}
Aggregation filters
Filters narrow which transactions are included in the aggregation. Each filter is a simple condition with property, operator, and value — the same comparison operators listed above apply.
Common filter patterns:
- Filter by transaction type:
  { "property": "type", "operator": "equal", "value": "WITHDRAW" }
- Filter by currency:
  { "property": "currency", "operator": "in", "value": ["USD", "EUR"] }
- Filter by direction:
  { "property": "direction", "operator": "equal", "value": "OUTGOING" }
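How a rolling-window aggregation with filters is computed, as an added example that is not the product's own engine: it evaluates the "more than 5 deposits under $10,000 in 24 hours" condition from this page against constructed history, so a threshold can be checked offline. The createdAt field name, inclusive window bounds, and AND-combined filters are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Subset of this page's operators needed by the conditions below.
OPS = {
    "equal": lambda a, v: a == v,
    "lessThan": lambda a, v: a < v,
    "greaterThan": lambda a, v: a > v,
    "greaterThanInclusive": lambda a, v: a >= v,
}
AGGREGATES = {"count": len, "sum": sum, "countDistinct": lambda xs: len(set(xs))}

def aggregate_matches(cond, history, now):
    """Evaluate one aggregation condition against a list of transaction dicts."""
    if cond["aggregationTimeType"] != "in_the_last":
        raise NotImplementedError("only in_the_last is handled in this example")
    # timedelta accepts minutes/hours/days/weeks; months and years are not handled.
    window = timedelta(**{cond["aggregationTimePeriod"]: cond["aggregationTimeValue"]})
    selected = [
        tx for tx in history
        # Assumptions: inclusive window bounds, filters combined with AND.
        if now - window <= tx["createdAt"] <= now
        and all(OPS[f["operator"]](tx[f["property"]], f["value"])
                for f in cond.get("aggregationFilters", []))
    ]
    values = [tx[cond["aggregationProperty"]] for tx in selected]
    aggregated = AGGREGATES[cond["aggregationOperator"]](values)
    return OPS[cond["operator"]](aggregated, cond["value"])

# The "more than 5 deposits under $10,000 in 24 hours" condition from this page.
STRUCTURING = {
    "entity": "transaction",
    "aggregationOperator": "count", "aggregationProperty": "id",
    "aggregationTimeType": "in_the_last",
    "aggregationTimeValue": 24, "aggregationTimePeriod": "hours",
    "aggregationFilters": [
        {"property": "type", "operator": "equal", "value": "DEPOSIT"},
        {"property": "amount", "operator": "lessThan", "value": 10000},
    ],
    "operator": "greaterThan", "value": 5,
}
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # constructed clock

def deposits(n, amount, hours_ago=1):
    # Constructed history: n deposits of `amount`, each `hours_ago` hours old.
    return [{"id": f"tx-{hours_ago}-{i}", "type": "DEPOSIT", "amount": amount,
             "createdAt": NOW - timedelta(hours=hours_ago)} for i in range(n)]

if __name__ == "__main__":
    print(aggregate_matches(STRUCTURING, deposits(6, 9500), NOW))
```

A deposit of exactly 10,000 is excluded by the lessThan filter, and a deposit 25 hours old falls outside the window, so neither counts toward the threshold.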
Actions
Actions define what happens when a rule matches. Each rule must have at least one action.
CREATE_ALERT
Creates a compliance alert for analyst review.
| Config field | Required | Description |
|---|---|---|
| category | Yes | Alert category. Use TRANSACTION_MONITORING for TM rules. |
| priority | Yes | LOW, MEDIUM, or HIGH. |
| status | Yes | Initial alert status. Typically NEW. |
{
  "type": "CREATE_ALERT",
  "config": {
    "category": "TRANSACTION_MONITORING",
    "priority": "HIGH",
    "status": "NEW"
  }
}
HALT_TRANSACTION
Freezes the transaction until an analyst resolves the associated alert. Always used alongside CREATE_ALERT.
{
  "type": "HALT_TRANSACTION",
  "config": {}
}
A rule with HALT_TRANSACTION blocks settlement on every match. Reserve this for high-confidence patterns where false positives are rare.
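A pre-deployment lint for the requirements stated on this page (conditional aggregation fields, at least one action, HALT_TRANSACTION paired with CREATE_ALERT), as an added example and not the product's own validation. The function names are hypothetical, and passing the condition tree and the action list separately is an assumption, since this page does not show the enclosing rule object.

```python
NEEDS_TIME_VALUE = {"in_the_last", "after", "before"}  # per the aggregation fields table

def lint_condition(cond):
    """Return the problems found in one leaf condition (empty list = OK)."""
    problems = []
    if "aggregationOperator" not in cond:
        return problems  # plain property condition: nothing aggregation-specific
    for field in ("aggregationProperty", "aggregationTimeType"):
        if field not in cond:
            problems.append(f"missing {field}")
    if cond.get("aggregationTimeType") in NEEDS_TIME_VALUE and "aggregationTimeValue" not in cond:
        problems.append("missing aggregationTimeValue")
    if "aggregationTimeValue" in cond and "aggregationTimePeriod" not in cond:
        problems.append("missing aggregationTimePeriod")
    if cond["aggregationOperator"] == "percentile" and "aggregationPercentile" not in cond:
        problems.append("missing aggregationPercentile")
    return problems

def lint_tree(node):
    """Walk nested all/any groups and collect problems from every leaf."""
    for key in ("all", "any"):
        if key in node:
            return [p for child in node[key] for p in lint_tree(child)]
    return lint_condition(node)

def lint_actions(actions):
    """Check the action list against the rules stated for actions."""
    problems = []
    types = [a.get("type") for a in actions]
    if not actions:
        problems.append("rule has no action")
    if "HALT_TRANSACTION" in types and "CREATE_ALERT" not in types:
        problems.append("HALT_TRANSACTION without CREATE_ALERT")
    for action in actions:
        if action.get("type") != "CREATE_ALERT":
            continue
        cfg = action.get("config", {})
        for field in ("category", "priority", "status"):
            if field not in cfg:
                problems.append(f"CREATE_ALERT missing {field}")
        if cfg.get("priority") not in (None, "LOW", "MEDIUM", "HIGH"):
            problems.append(f"invalid priority {cfg['priority']!r}")
    return problems
```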
Common rule patterns
Large transaction detection
Alert when a single transaction exceeds a threshold:
{
  "all": [
    {
      "entity": "transaction",
      "property": "amount",
      "operator": "greaterThanInclusive",
      "value": 100000
    }
  ]
}
Velocity check (structuring detection)
Alert when a customer makes more than 5 deposits under $10,000 in 24 hours:
{
  "all": [
    {
      "entity": "transaction",
      "aggregationOperator": "count",
      "aggregationProperty": "id",
      "aggregationTimeType": "in_the_last",
      "aggregationTimeValue": 24,
      "aggregationTimePeriod": "hours",
      "aggregationFilters": [
        { "property": "type", "operator": "equal", "value": "DEPOSIT" },
        { "property": "amount", "operator": "lessThan", "value": 10000 }
      ],
      "operator": "greaterThan",
      "value": 5
    }
  ]
}
High-risk customer with large withdrawal
Combine entity conditions for targeted detection:
{
  "all": [
    {
      "entity": "client",
      "property": "riskTier",
      "operator": "equal",
      "value": "HIGH"
    },
    {
      "entity": "transaction",
      "property": "type",
      "operator": "equal",
      "value": "WITHDRAW"
    },
    {
      "entity": "transaction",
      "property": "amount",
      "operator": "greaterThanInclusive",
      "value": 50000
    }
  ]
}
Cumulative threshold
Alert when total outgoing volume exceeds $200,000 in 30 days:
{
  "all": [
    {
      "entity": "transaction",
      "aggregationOperator": "sum",
      "aggregationProperty": "amount",
      "aggregationTimeType": "in_the_last",
      "aggregationTimeValue": 30,
      "aggregationTimePeriod": "days",
      "aggregationFilters": [
        { "property": "direction", "operator": "equal", "value": "OUTGOING" }
      ],
      "operator": "greaterThanInclusive",
      "value": 200000
    }
  ]
}