Security & Fraud Detection
OmniBots includes a built-in security layer that monitors authentication activity, conversation behavior, and network signals in real time. The Security Dashboard surfaces threats, scores risk, and lets you configure detection rules to match your organization's security posture.
Security Dashboard
Navigate to Monitoring > Security to open the dashboard. The page displays a summary of security health alongside recent events and active alerts.
KPI Cards
| Metric | Description |
|---|---|
| Risk Score (Avg) | Average risk score across all evaluated sessions in the last 24 hours (0-100) |
| Blocked Threats | Number of requests blocked by security rules in the selected period |
| Active Alerts | Security events that require review and have not been resolved |
| Flagged Conversations | Conversations where fraud detection identified suspicious behavior |
Figure: Security dashboard showing KPI cards for risk score, blocked threats, active alerts, and flagged conversations, with a threat events timeline below.
Anomaly Detection Rules
OmniBots ships with pre-built anomaly detection rules that monitor authentication and session patterns. Each rule evaluates incoming events and triggers an alert when conditions are met.
| Rule | What It Detects | Default Threshold |
|---|---|---|
| Brute Force | Repeated failed login attempts from the same source | 5 failures in 10 minutes |
| Impossible Travel | Successful logins from geographically distant locations in a short time window | Two locations more than 500 miles apart within 1 hour |
| Rate Limiting | Unusually high request volume from a single IP or session | 100 requests per minute |
| Credential Stuffing | Multiple failed logins across different accounts from the same IP | 10 distinct accounts in 5 minutes |
| Off-Hours Access | Login activity outside the workspace's configured business hours | Any login outside defined hours |
Figure: Anomaly detection rules configuration page showing rule cards with enable/disable toggles, threshold settings, and action level selectors for brute force, impossible travel, and rate limiting rules.
TIP
Each rule can be individually enabled, disabled, or tuned. Navigate to Security > Rules to adjust thresholds to match your traffic patterns and reduce false positives.
Conversation Fraud Detection
Beyond authentication monitoring, OmniBots analyzes conversation content in real time to detect manipulation attempts.
| Threat Type | Description |
|---|---|
| PII Extraction | The user attempts to get the bot to reveal personal data belonging to other users or internal records |
| Social Engineering | Conversational patterns designed to trick the bot into bypassing security controls or granting unauthorized access |
| Prompt Injection | The user sends input designed to override the bot's system instructions or alter its behavior |
| Data Leakage | The bot's response inadvertently contains sensitive data such as API keys, internal IDs, or PII from its context |
| Velocity Abuse | The user sends an abnormally high volume of messages in a short time to probe for weaknesses |
When a threat is detected, OmniBots can take one of the following actions depending on severity and your configuration:
- Log -- Record the event for review without interrupting the conversation.
- Warn -- Flag the conversation and notify monitoring staff.
- Block -- Terminate the interaction and prevent further messages from the session.
Risk Scoring
Every evaluated session receives a risk score from 0 to 100.
| Score Range | Risk Level | Meaning |
|---|---|---|
| 0 -- 20 | Low | Normal activity, no indicators of concern |
| 21 -- 50 | Medium | Minor anomalies detected, worth monitoring |
| 51 -- 80 | High | Multiple risk signals present, investigation recommended |
| 81 -- 100 | Critical | Strong indicators of malicious activity, automatic action taken |
The risk score is calculated from multiple signals including IP reputation, behavioral patterns, content analysis, and historical context. Scores above the configured threshold trigger the associated alert action.
WARNING
Sessions with a Critical risk score are automatically blocked by default. If this causes false positives for legitimate users, lower the block threshold or add trusted IPs to the allowlist under Security > IP Management.
IP Reputation
OmniBots evaluates the reputation of connecting IP addresses using integrated threat intelligence providers.
| Signal | Description |
|---|---|
| Known Proxy/VPN | The IP belongs to a known proxy or VPN service |
| Tor Exit Node | The IP is a known Tor network exit point |
| Botnet Membership | The IP has been flagged as part of a botnet |
| Abuse History | The IP has a history of abusive behavior reported to threat databases |
| Geographic Risk | The IP originates from a region flagged in your workspace's risk configuration |
IP reputation data is refreshed periodically and cached to minimize latency on incoming requests.
Viewing Security Events
The Security Events table lists every alert and detection event in reverse chronological order.
| Column | Description |
|---|---|
| Timestamp | When the event occurred |
| Rule / Type | Which rule or detection category triggered the event |
| Source | IP address, user ID, or session ID involved |
| Risk Score | The calculated risk score at the time of the event |
| Action Taken | Whether the event was logged, warned, or blocked |
| Status | Open, investigating, or resolved |
Click any event to see full details including the raw signals, the conversation transcript (if applicable), and related events from the same source.
Configuring Alert Thresholds
Customize detection sensitivity to reduce noise and focus on genuine threats.
1. Navigate to Monitoring > Security > Rules.
2. Click a rule to open its configuration.
3. Adjust the threshold values (e.g., change brute force from 5 to 10 failures).
4. Set the action level (log, warn, or block).
5. Click Save.
Changes take effect immediately. OmniBots applies the updated thresholds to all incoming events without requiring a restart.
TIP
Start with the default thresholds and monitor the alert volume for a week. If you see too many false positives for a specific rule, increase its threshold gradually rather than disabling it entirely.
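Before changing a threshold, it helps to replay a sample of past login events against both the current and the candidate value and compare alert counts. The added example below (not OmniBots code) does this for the Brute Force and Credential Stuffing defaults; the event shape, the "alert when the count reaches the threshold" semantics, and the re-arm behaviour are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def failed_login_alerts(events, threshold, window, distinct_accounts=False):
    """Replay failed logins per source IP through a sliding time window.

    distinct_accounts=False counts failures (brute-force style);
    distinct_accounts=True counts distinct target accounts (credential stuffing).
    Returns (ip, timestamp) for each point where the threshold is reached.
    """
    recent = defaultdict(deque)              # ip -> deque of (ts, user) failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["success"]:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        count = len({user for _, user in q}) if distinct_accounts else len(q)
        if count >= threshold:
            alerts.append((ev["ip"], ev["ts"]))
            q.clear()                        # re-arm so one burst is not re-alerted per event
    return alerts

def sample_events():
    """Constructed events: documentation-range IPs and made-up accounts."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    def ev(ip, user, secs, ok=False):
        return {"ip": ip, "user": user, "ts": t0 + timedelta(seconds=secs), "success": ok}
    events = [ev("198.51.100.7", "alice", 60 * i) for i in range(6)]       # 6 failures, one account
    events += [ev("203.0.113.9", f"user{i}", 20 * i) for i in range(12)]   # 12 accounts, one IP
    events += [ev("192.0.2.10", "bob", 0), ev("192.0.2.10", "bob", 30),
               ev("192.0.2.10", "bob", 60, ok=True)]                       # two typos, then success
    return events

def compare(events):
    """Alert counts at the default thresholds and at the 5 -> 10 brute-force change."""
    ten_min, five_min = timedelta(minutes=10), timedelta(minutes=5)
    return {
        "brute_force_5": len(failed_login_alerts(events, 5, ten_min)),
        "brute_force_10": len(failed_login_alerts(events, 10, ten_min)),
        "cred_stuffing_10": len(failed_login_alerts(events, 10, five_min, distinct_accounts=True)),
    }

if __name__ == "__main__":
    print(compare(sample_events()))
```

On this sample, raising Brute Force from 5 to 10 drops the alert for the six-failure source entirely, while the multi-account source is still caught by both rules.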
Next Steps
- Conversations -- Review flagged conversation transcripts
- Analytics Dashboard -- Correlate security events with traffic patterns
- Workspace Settings -- Configure data retention and session timeout policies
