Custom Rules
Create custom security rules tailored to your specific use cases, industry requirements, or proprietary threat patterns.
Quick Start
Add a simple regex rule:
{
"customRules": [
{
"id": "detect-credit-cards",
"name": "Credit Card Detection",
"regex": ["\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"],
"category": "pii_leak",
"severity": "high",
"action": "block",
"enabled": true
}
]
}
Messages containing a 16-digit number written in four groups (with optional spaces or dashes) are now blocked. The pattern matches any such number, not only valid card numbers, so expect some false positives on order or tracking numbers; see Too Many False Positives below for ways to tighten it.
Rule Structure
Basic Rule
{
"id": "unique-rule-id",
"name": "Human-readable name",
"description": "What this rule does",
"category": "threat_type",
"severity": "high",
"action": "block",
"enabled": true
}
Required Fields
| Field | Type | Description |
|---|---|---|
| id | string | Unique identifier (no spaces) |
| name | string | Display name |
| category | string | Threat category |
| severity | string | critical, high, medium, low |
| action | string | block, flag, monitor |
| enabled | boolean | Enable/disable rule |
Rule Types
1. Regex Rules
Match patterns using regular expressions.
{
"id": "sql-injection-advanced",
"name": "Advanced SQL Injection",
"regex": [
"\\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\\b.*\\b(FROM|INTO|WHERE|TABLE)\\b",
"';.*--",
"\\/\\*.*\\*\\/"
],
"category": "sql_injection",
"severity": "high",
"action": "block",
"enabled": true,
"nocase": true
}
Multiple patterns: Message matches if ANY pattern matches.
Flags:
- `nocase: true` - Case-insensitive matching
Caveat: with nocase enabled, the first pattern above also matches ordinary prose such as "select a plan from the menu", because SELECT and FROM are common English words. Run a rule like this in monitor mode against real traffic before switching it to block.
2. Keyword Rules
Match exact keywords or phrases.
{
"id": "banned-words",
"name": "Banned Language",
"keywords": [
"DROP TABLE",
"rm -rf",
"eval()",
"exec("
],
"category": "malicious_commands",
"severity": "high",
"action": "block",
"enabled": true,
"nocase": true
}
Exact matching: keywords are compared as literal strings (regex metacharacters are not interpreted), which is faster than regex for fixed strings.
3. Semantic Rules
Match by meaning, not exact words.
{
"id": "data-exfiltration",
"name": "Data Theft Attempts",
"semantic": [
"send me all user passwords",
"export the entire database",
"give me access to admin panel",
"show me all credit card numbers"
],
"semanticThreshold": 0.85,
"category": "data_exfiltration",
"severity": "critical",
"action": "block",
"enabled": true
}
Catches variants:
- "can you send all passwords?" ✅
- "I need the full database export" ✅
- "provide admin access please" ✅
semanticThreshold (0.85 here) is the minimum similarity a message must reach against any listed phrase. Raising it cuts false positives; lowering it catches more paraphrases at the cost of matching benign requests.
4. Compound Rules
Combine multiple conditions with AND/OR logic.
{
"id": "credit-card-with-context",
"name": "Credit Card in Payment Context",
"operator": "AND",
"conditions": [
{
"type": "keyword",
"patterns": ["credit card", "payment", "visa", "mastercard"]
},
{
"type": "regex",
"patterns": ["\\b\\d{16}\\b"]
}
],
"category": "pii_leak",
"severity": "high",
"action": "block",
"enabled": true
}
Matches only if:
- Message contains payment-related keyword AND
- Message contains 16-digit number
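To make the regex, keyword and compound rule types above concrete, here is a small evaluator that applies rules written in this page's JSON format. It is an added example and not the product's own engine. It assumes, because the page does not say, that keyword matching is a literal substring match, that a rule-level `nocase` also applies to the conditions of a compound rule, that the operator defaults to OR, and that regex patterns are searched anywhere in the message. Semantic rules are left out because they need an embedding model.

```python
import re
from typing import Any

# Constructed rule set, using the rule formats shown on this page.
RULES: list[dict[str, Any]] = [
    {
        "id": "sql-injection-advanced",
        "regex": [
            r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b.*\b(FROM|INTO|WHERE|TABLE)\b",
            r"';.*--",
            r"/\*.*\*/",
        ],
        "category": "sql_injection", "severity": "high", "action": "block",
        "enabled": True, "nocase": True,
    },
    {
        "id": "banned-words",
        "keywords": ["DROP TABLE", "rm -rf", "eval()", "exec("],
        "category": "malicious_commands", "severity": "high", "action": "block",
        "enabled": True, "nocase": True,
    },
    {
        "id": "credit-card-with-context",
        "operator": "AND",
        "conditions": [
            {"type": "keyword", "patterns": ["credit card", "payment", "visa", "mastercard"]},
            {"type": "regex", "patterns": [r"\b\d{16}\b"]},
        ],
        "category": "pii_leak", "severity": "high", "action": "block", "enabled": True,
    },
    {   # Disabled rules must never fire.
        "id": "old-rule", "keywords": ["anything"], "category": "spam",
        "severity": "low", "action": "block", "enabled": False,
    },
]


def _regex_hit(patterns: list[str], message: str, nocase: bool) -> bool:
    """ANY pattern found anywhere in the message (search, not full match)."""
    flags = re.IGNORECASE if nocase else 0
    return any(re.search(p, message, flags) for p in patterns)


def _keyword_hit(keywords: list[str], message: str, nocase: bool) -> bool:
    """Literal substring match (assumption); regex metacharacters are not interpreted."""
    haystack = message.casefold() if nocase else message
    return any((k.casefold() if nocase else k) in haystack for k in keywords)


def _condition_hit(cond: dict[str, Any], message: str, nocase: bool) -> bool:
    if cond["type"] == "regex":
        return _regex_hit(cond["patterns"], message, nocase)
    if cond["type"] == "keyword":
        return _keyword_hit(cond["patterns"], message, nocase)
    raise ValueError(f"unsupported condition type: {cond['type']}")


def rule_matches(rule: dict[str, Any], message: str) -> bool:
    if not rule.get("enabled", False):
        return False
    nocase = bool(rule.get("nocase", False))
    if "conditions" in rule:
        hits = [_condition_hit(c, message, nocase) for c in rule["conditions"]]
        # AND: every condition must hit; OR (assumed default): any one suffices.
        return all(hits) if rule.get("operator", "OR").upper() == "AND" else any(hits)
    # A plain rule may carry a regex list, a keyword list, or both; any hit matches.
    return (_regex_hit(rule.get("regex", []), message, nocase)
            or _keyword_hit(rule.get("keywords", []), message, nocase))


def evaluate(rules: list[dict[str, Any]], message: str) -> list[dict[str, str]]:
    """Return id/severity/action of every enabled rule that matches."""
    return [{"id": r["id"], "severity": r["severity"], "action": r["action"]}
            for r in rules if rule_matches(r, message)]


def matched_ids(rules: list[dict[str, Any]], message: str) -> list[str]:
    return [m["id"] for m in evaluate(rules, message)]


if __name__ == "__main__":
    for msg in ("1' UNION SELECT password FROM users --",
                "please drop table users",
                "my visa is 4111111111111111",
                "ticket 4111111111111111 opened"):
        print(f"{msg!r:45} -> {matched_ids(RULES, msg)}")
```

Note that "please drop table users" is caught twice (by the regex rule and by the keyword rule), while the bare 16-digit number in "ticket 4111111111111111 opened" is not caught at all because the compound rule's keyword condition is missing; that is the AND logic doing its job.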
Rule Categories
Use standard categories or create custom ones:
Standard Categories
| Category | Description |
|---|---|
| sql_injection | SQL injection attacks |
| xss | Cross-site scripting |
| command_injection | Shell command injection |
| prompt_injection | AI prompt manipulation |
| data_leak | Sensitive data exposure |
| pii_leak | Personal information leak |
| phishing | Phishing attempts |
| malware | Malware distribution |
| spam | Spam content |
| abuse | Abusive content |
Custom Categories
{
"id": "company-secrets",
"name": "Company Confidential Info",
"regex": ["CONFIDENTIAL", "INTERNAL ONLY"],
"category": "company_policy_violation",
"severity": "high",
"action": "flag",
"enabled": true
}
Severity Levels
Critical
Immediate action required, active attack or data breach.
{
"severity": "critical",
"action": "block"
}
Examples:
- Active SQL injection
- Data exfiltration
- Admin access attempts
High
Serious threat, should be blocked.
{
"severity": "high",
"action": "block"
}
Examples:
- XSS attempts
- Prompt injection
- PII leaks
Medium
Suspicious activity, flag for review.
{
"severity": "medium",
"action": "flag"
}
Examples:
- Unusual patterns
- Potential policy violations
- Edge cases
Low
Minor anomalies, monitor only.
{
"severity": "low",
"action": "monitor"
}
Examples:
- Repeated questions
- Edge case patterns
- Testing artifacts
Rule Actions
Block
Completely reject the message.
{
"action": "block"
}
User sees: "🛑 Message blocked by security filter"
Flag
Allow message but add warning.
{
"action": "flag"
}
User sees: "⚠️ Your message was flagged for review"
Bot sees the original message with a warning prepended.
Monitor
Log only, no user-visible effect.
{
"action": "monitor"
}
Message passes through normally, alert sent to admin/logs only.
Use Case Examples
Industry-Specific Rules
Healthcare (HIPAA):
{
"customRules": [
{
"id": "hipaa-medical-records",
"name": "Medical Record Numbers",
"regex": ["\\bMRN[-:\\s]?\\d{7,10}\\b"],
"category": "hipaa_violation",
"severity": "critical",
"action": "block",
"enabled": true
},
{
"id": "hipaa-patient-info",
"name": "Patient Identifiable Info",
"semantic": [
"patient name is",
"date of birth",
"social security number",
"medical condition"
],
"semanticThreshold": 0.80,
"category": "hipaa_violation",
"severity": "critical",
"action": "block",
"enabled": true
}
]
}
Finance (PCI-DSS):
{
"customRules": [
{
"id": "pci-card-data",
"name": "Credit Card with CVV",
"operator": "AND",
"conditions": [
{
"type": "regex",
"patterns": ["\\b\\d{15,16}\\b"]
},
{
"type": "keyword",
"patterns": ["CVV", "CVC", "security code"]
}
],
"category": "pci_violation",
"severity": "critical",
"action": "block",
"enabled": true
}
]
}
Legal:
{
"customRules": [
{
"id": "attorney-client-privilege",
"name": "Privileged Communications",
"keywords": [
"attorney-client privilege",
"work product",
"confidential legal"
],
"category": "legal_privileged",
"severity": "critical",
"action": "block",
"enabled": true,
"nocase": true
}
]
}
Business-Specific Rules
API Key Protection:
{
"id": "company-api-keys",
"name": "Internal API Keys",
"regex": [
"MYCOMPANY-[A-Z0-9]{32}",
"PROD-KEY-[A-F0-9]{40}"
],
"category": "credential_leak",
"severity": "critical",
"action": "block",
"enabled": true
}
Competitor Mentions:
{
"id": "competitor-discussion",
"name": "Competitor Names",
"keywords": [
"CompetitorA",
"CompetitorB",
"CompetitorC"
],
"category": "policy_violation",
"severity": "low",
"action": "flag",
"enabled": true
}
Internal Project Names:
{
"id": "project-codenames",
"name": "Confidential Project Names",
"keywords": [
"Project Phoenix",
"Operation Sunrise",
"Codename: Atlas"
],
"category": "confidential",
"severity": "high",
"action": "block",
"enabled": true,
"nocase": true
}
Rule Testing
Test Before Deploying
/shield test <your test message>
See if your rule matches correctly.
Test Specific Rule
{
"customRules": [
{
"id": "test-rule",
"name": "Testing New Pattern",
"description": "Start with monitor; switch to block after checking logs",
"regex": ["your-pattern"],
"category": "policy_violation",
"severity": "low",
"action": "monitor",
"enabled": true
}
]
}
Start with the monitor action, check the logs for what it matches, then switch to block. JSON does not allow comments, so keep notes like this in the description field; category and severity are required fields, so include them even for a test rule.
Use Rule Builder (Dashboard)
Visit dashboard.securecheck.io/rule-builder:
- Visual rule editor
- Test panel with sample messages
- Real-time validation
- Deploy to bots
Rule Priority
When multiple rules match, highest priority wins:
{
"id": "high-priority-rule",
"name": "Critical Rule",
"priority": 100,
"action": "block"
}
Default priority: 10
Priority order:
- 100+ = Critical (always wins)
- 50-99 = High
- 10-49 = Medium (default)
- 1-9 = Low
Rule Performance
Optimize for Speed
Fast:
- Keyword matching (< 1ms)
- Simple regex (< 5ms)
Medium:
- Complex regex (5-10ms)
- Compound rules (10-15ms)
Slow:
- Semantic matching (20-50ms)
Tips:
- Use keywords when possible
- Avoid overly complex regex
- Limit semantic patterns to critical rules
- Use compound rules sparingly
Disable Unused Rules
{
"id": "old-rule",
"enabled": false
}
Disabled rules don't affect performance.
Rule Management
Versioning
Track rule changes:
{
"id": "my-rule",
"name": "My Rule",
"version": "1.2.0",
"lastModified": "2026-02-04",
"author": "security-team"
}
Documentation
Add detailed descriptions:
{
"id": "complex-rule",
"name": "Complex Pattern Detector",
"description": "Detects specific attack pattern discovered in incident #1234. Blocks attempts to exploit API endpoint via malformed JSON. See wiki/security/incident-1234 for details.",
"tags": ["api", "json", "incident-1234"]
}
Troubleshooting
Rule Not Matching
Problem: Message should match but doesn't
Solutions:
- Test the regex at regex101.com (pick the flavor that matches your engine; escaping and `\b` semantics differ between flavors)
- Check the `nocase` flag if the match is case-sensitive
- Verify `enabled: true`
- Check rule priority
- Test with `/shield test your message`
Too Many False Positives
Problem: Rule matches legitimate messages
Solutions:
- Make the regex more specific
- Use compound rules (AND logic) to require context
- Increase `semanticThreshold`
- Change `action` to `flag` instead of `block`
- Add exceptions with a negative lookahead
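The following is an added example (not the product's code) that measures three of these fixes against a constructed corpus of messages, scoring each rule version by true positives, false positives and false negatives, the way you would while a rule sits in monitor mode. It starts from the broad `\b\d{16}\b` pattern used on this page and assumes, for illustration only, that internal order and invoice numbers are 16 digits starting with 9000 and that card numbers of interest are 16-digit Visa (leading 4) or Mastercard (leading 51-55) numbers.

```python
import re
from typing import Callable

# Constructed evaluation corpus: (message, contains a real card number?).
# Assumption for this example: internal order/invoice numbers are 16 digits
# starting with 9000; card numbers start with 4 (Visa) or 51-55 (Mastercard).
CORPUS = [
    ("charge my visa 4111111111111111 please", True),
    ("mastercard on file: 5500000000000004", True),
    ("my card number is 4111111111111111", True),
    ("order 9000123456789012 has shipped", False),
    ("invoice ref 9000987654321098 is overdue", False),
    ("the 2024 budget is 1234567890123456 dollars", False),
    ("tracking 123456789012345678 left the depot", False),
]

PAYMENT_WORDS = ["credit card", "payment", "visa", "mastercard"]


def regex_rule(pattern: str) -> Callable[[str], bool]:
    compiled = re.compile(pattern)
    return lambda msg: compiled.search(msg) is not None


def compound_and(pattern: str, keywords: list[str]) -> Callable[[str], bool]:
    """Compound AND rule: a context keyword AND the regex must both hit."""
    rx = regex_rule(pattern)
    return lambda msg: rx(msg) and any(k in msg.lower() for k in keywords)


RULE_VERSIONS: dict[str, Callable[[str], bool]] = {
    # v1: the broad pattern from the compound rule example on this page
    "v1-any-16-digits": regex_rule(r"\b\d{16}\b"),
    # v2: make the regex more specific (Visa 4..., Mastercard 51-55...)
    "v2-card-prefixes": regex_rule(r"\b(?:4\d{15}|5[1-5]\d{14})\b"),
    # v3: keep the broad pattern but exempt order numbers with a negative lookahead
    "v3-exclude-order-numbers": regex_rule(r"\b(?!9000)\d{16}\b"),
    # v4: require payment context via a compound AND rule
    "v4-compound-and": compound_and(r"\b\d{16}\b", PAYMENT_WORDS),
}


def score(rule: Callable[[str], bool], corpus=CORPUS) -> dict[str, int]:
    """Count true positives, false positives and false negatives over the corpus."""
    tp = fp = fn = 0
    for msg, is_card in corpus:
        hit = rule(msg)
        tp += int(hit and is_card)
        fp += int(hit and not is_card)
        fn += int((not hit) and is_card)
    return {"tp": tp, "fp": fp, "fn": fn}


def report() -> dict[str, dict[str, int]]:
    return {name: score(rule) for name, rule in RULE_VERSIONS.items()}


if __name__ == "__main__":
    for name, s in report().items():
        print(f"{name:26} tp={s['tp']} fp={s['fp']} fn={s['fn']}")
```

Each fix trades differently: the specific prefixes (v2) remove every false positive here without losing a card, the lookahead exception (v3) only removes the order numbers it was told about and still flags the random 16-digit figure, and the compound rule (v4) removes false positives but misses the message that mentions a "card number" without one of the listed keywords. Run this kind of comparison on your own monitor-mode logs before choosing.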
Rule Slowing Down Bot
Problem: Performance degraded after adding rule
Solutions:
- Simplify the regex; in particular avoid nested quantifiers such as `(\w+\s*)*`, which can backtrack exponentially on inputs that almost match
- Use keywords instead of regex where the pattern is a fixed string
- Disable semantic matching for this rule
- Lower the rule priority
- Check the logs for timeout errors
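As an added illustration (not from the page or the product), the script below compares a "words only" pattern written with nested quantifiers against an equivalent single character class. Both accept exactly the same messages, but on a constructed near-miss input the nested version tries every way of splitting each word before failing, so its time grows roughly fourfold with every added word while the linear version stays flat.

```python
import re
import time

# A "words only" check as someone might first write it: nested quantifiers
# (\w+ inside (...)*) let the engine split each word many ways before failing.
PATHOLOGICAL = re.compile(r"^(\w+\s*)*$")
# Same language, no nesting: one character class, linear time.
LINEAR = re.compile(r"^[\w\s]*$")


def worst_case_input(words: int) -> str:
    # Constructed input: repeated words, then a character that makes $ fail,
    # forcing the engine to try every split before giving up.
    return "abc " * words + "!"


def timed_search(pattern: re.Pattern, text: str) -> tuple[bool, float]:
    start = time.perf_counter()
    hit = pattern.search(text) is not None
    return hit, time.perf_counter() - start


def same_verdict(text: str) -> bool:
    """Both patterns accept exactly the same messages."""
    return (PATHOLOGICAL.search(text) is not None) == (LINEAR.search(text) is not None)


if __name__ == "__main__":
    for n in (6, 7, 8, 9):
        text = worst_case_input(n)
        _, slow = timed_search(PATHOLOGICAL, text)
        _, fast = timed_search(LINEAR, text)
        # Expect roughly 4x more time per extra word for the nested pattern.
        print(f"{n} words: nested={slow * 1000:8.2f} ms  linear={fast * 1000:6.3f} ms")
```

Keep the word count small when you try this; a few more words turns milliseconds into seconds, which is exactly the timeout a bot would hit on a crafted message.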
Complete Example
{
"customRules": [
{
"id": "company-secrets",
"name": "Company Trade Secrets",
"version": "2.0.0",
"description": "Prevents leaking proprietary formulas and recipes",
"regex": [
"secret formula",
"recipe-\\d{4}",
"PROPRIETARY"
],
"keywords": [
"secret ingredient",
"confidential process"
],
"category": "trade_secret",
"severity": "critical",
"action": "block",
"priority": 100,
"enabled": true,
"nocase": true,
"tags": ["legal", "ip-protection"]
},
{
"id": "pii-detection",
"name": "Personal Information",
"operator": "OR",
"conditions": [
{
"type": "regex",
"patterns": [
"\\b\\d{3}-\\d{2}-\\d{4}\\b",
"\\b\\d{16}\\b"
]
},
{
"type": "keyword",
"patterns": ["social security", "credit card"]
}
],
"category": "pii_leak",
"severity": "high",
"action": "block",
"priority": 80,
"enabled": true
},
{
"id": "brand-monitoring",
"name": "Competitor Mentions",
"semantic": [
"competitor is better",
"switch to rival product",
"alternative service recommendation"
],
"semanticThreshold": 0.75,
"category": "brand_risk",
"severity": "low",
"action": "monitor",
"priority": 5,
"enabled": true
}
]
}
Next Steps
- Dashboard Rule Builder - Visual rule editor
- Advanced Settings - Performance tuning
- Commands - Test rules via bot