IlluminateRisk

← Help center

Run all rules: how findings are produced

May 21, 2026

On a case's Analyze step, Run all rules evaluates both rule lanes in one pass and produces Findings.

The two lanes

Document rules — signal surfacers. Operates on each document attached to the case + the entities extracted from it. Example: "Document contains SSN" fires when at least one document on the case has an entity of type ssn. Currently six baseline rules: SSN present, IBAN present, contact-info concentration, identity-document present, multiple bank statements, physical address present. Severity ranges from info to high.

Structured-data rules — fraud detectors. Operates on rows of attached datasets. Each rule has a target dataset kind (vendor, payroll, gl, bank, audit) and a SQL body that selects suspicious rows. Examples: duplicate vendor records, Benford's law on payment amounts, gaps in check sequence, geo-impossible employee movements. ~60 baseline rules in the catalog, with composites (zz-*) that aggregate findings into risk scores running last.

The result line

After the run, you'll see Documents: N rule(s), M new finding(s). Datasets (attached or none attached): X rule-runs across Y dataset(s), Z finding(s). A "rule-run" is one rule against one dataset — so 5 rules × 3 datasets = 15 rule-runs.

Findings table

Each finding row shows the rule name, severity, the matched documents or rows, and the rule's weight contribution to the case's risk score. Use the severity and origin filters to narrow. Click a finding to dismiss it (a permanent action stored on the row; dismissed findings are excluded from the report deliverable but kept in the database for the audit trail).

Was this useful? Send feedback · Open a ticket