Actions

In every scenario, an action name is specified and reported when its conditions are met. This section explains how actions are triggered and their purpose within the platform.

Triggering Actions

A scenario includes a local query, and may optionally include a global context query. When Contextal Platform processes input data, it generates a graph for every input object, which is used by the local query. The scenario is considered successful if the query matches any structure within the graph. If the scenario uses a global context query, this query must match a specified number of recent global graphs for it to be positively evaluated. Only when all conditions are met will the action (or multiple actions if there are several matching scenarios) be reported back to the platform caller for the given input object.

Action Names

Action names are defined in every scenario as arbitrary strings. Contextal Platform doesn't enforce a specific format, but the software calling the platform must properly interpret reported actions. If you are using official integrations, it's recommended to stick to the default set of action names to avoid custom handling.

Default Actions

The default action names used by Contextal Platform, their priority, and expected behaviors are as follows:

  • ALLOW: If this action is triggered, the input object will be marked as clean. It is primarily used for whitelisting and overriding false positives. This action has the highest priority and can override other actions.

  • BLOCK: This action indicates that the object should be definitively blocked, rejected, or not delivered to its intended recipient. It can be overridden by ALLOW (although BLOCK would still be assigned to the object).

  • QUARANTINE: The object is flagged as suspicious or potentially malicious, and should be quarantined for further inspection.

  • ALERT: The object is suspicious or unwanted, but no direct action will be taken. The event will be recorded for review.

  • SPAM: This action marks the object as spam. It may be ignored by integrations that are not related to email.

Note: The above list defines how specific actions are handled by Contextal Platform integrations, but it may not necessarily apply to third-party or customized use cases.
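
One way a calling application could resolve the actions reported for a single object, as an added example that is not Contextal's own code. It assumes the order of the list above is the priority order, takes the reported names as a plain list of strings (the platform's response format is not shown on this page), and uses a hypothetical custom name `HOLD_FOR_DLP`.

```python
# Added example: caller-side resolution of reported action names.
# Assumption: priority follows the order of the default list (ALLOW first).
PRIORITY = ["ALLOW", "BLOCK", "QUARANTINE", "ALERT", "SPAM"]


def resolve(reported, email_integration=True):
    """Return (effective, overridden, unknown) for one input object.

    reported: action names from all matching scenarios (hypothetical
    input shape, constructed for this example).
    """
    known, unknown = [], []
    for name in reported:
        # Action names are arbitrary strings, so compare exactly and
        # collect anything outside the default set for custom handling.
        # A near-miss such as "allow" must never grant an ALLOW.
        if name in PRIORITY:
            if name not in known:
                known.append(name)
        elif name not in unknown:
            unknown.append(name)

    # SPAM may be ignored by integrations that are not related to email.
    candidates = [a for a in known if email_integration or a != "SPAM"]
    candidates.sort(key=PRIORITY.index)

    effective = candidates[0] if candidates else None
    # Lower-priority actions stay visible for audit: a BLOCK that an
    # ALLOW overrode is still assigned to the object.
    overridden = candidates[1:]
    return effective, overridden, unknown


if __name__ == "__main__":
    # Constructed samples, not real platform output.
    samples = [
        ["BLOCK", "ALLOW"],
        ["SPAM", "ALERT"],
        ["SPAM"],
        ["ALERT", "HOLD_FOR_DLP"],
    ]
    for s in samples:
        print(s, "->", resolve(s, email_integration=False))
```

Logging the `overridden` and `unknown` lists makes it possible to review ALLOW overrides and to spot scenarios whose custom action names the integration does not handle.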