
Risk Classifiers

What Are Classifiers

Classifiers are regex-based detection patterns generated by New-FGRiskClassifiers using an LLM. They match against entity names and descriptions to identify high-risk patterns specific to your organization and industry.

The classifier ruleset has three sections:

  • groups — patterns matching high-risk resource names (e.g., groups granting broad access, privileged roles)
  • users — patterns matching high-risk user names, titles, or UPNs (e.g., admin accounts, service accounts)
  • agents — patterns matching high-risk non-human identity names (e.g., AI agents with mail access, managed identities on internet-facing services)

Generating Classifiers

# Step 1: Create organizational risk profile (public info only)
New-FGRiskProfile -Domain "yourcompany.com" -LLMProvider Anthropic -LLMApiKey $apiKey -ConfigFile '.\Config\mycompany.json'

# Step 2: Generate classifiers from the profile
New-FGRiskClassifiers -ConfigFile '.\Config\mycompany.json'

What New-FGRiskProfile discovers (from public sources only):

  • Industry and regulatory environment
  • Known business systems and applications
  • Organizational structure signals
  • Technology stack indicators

Classifier Structure

Example classifier ruleset JSON. Each entry is a regular expression with a score; in this example the `(?i)` prefix makes every pattern case-insensitive, and an unanchored token such as `root` or `service` matches anywhere inside a name, so generated patterns should be checked against real entity names before they are relied on:

{
  "groups": [
    {
      "name": "PrivilegedAdminGroups",
      "pattern": "(?i)(global.admin|company.admin|root|superuser|privileged)",
      "score": 25,
      "description": "Groups granting administrative or root access"
    },
    {
      "name": "BroadDataAccess",
      "pattern": "(?i)(all.users|everyone|full.access|unrestricted)",
      "score": 15,
      "description": "Groups with broad data access patterns"
    }
  ],
  "users": [
    {
      "name": "ServiceAccounts",
      "pattern": "(?i)(svc|service|bot|automation|scheduler)[-_.]",
      "score": 10,
      "description": "Service account naming patterns"
    }
  ],
  "agents": [
    {
      "name": "AgentsWithMailAccess",
      "pattern": "(?i)(mail.*agent|email.*bot|inbox.*automation)",
      "score": 20,
      "description": "AI agents with mail/inbox access"
    }
  ]
}

Managing Classifiers

# Export current classifiers to file
Export-FGRiskClassifiers -OutputFile ".\classifiers.json" -ConfigFile '.\Config\mycompany.json'

# Import classifiers from file (e.g., after manual tuning)
Import-FGRiskClassifiers -InputFile ".\classifiers.json" -ConfigFile '.\Config\mycompany.json'

# View the classifiers currently saved in the SQL database (the active custom set)
Get-FGRiskClassifiers -ConfigFile '.\Config\mycompany.json'
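The following is an added example, not code from the module or this page: a dry run of a classifier ruleset against sample entity names, so that the ruleset shown under Classifier Structure can be tuned before Import-FGRiskClassifiers. The ruleset and the sample names are constructed here; the function name Test-FGClassifierRuleset is hypothetical, and adding the scores of every matching classifier is an assumption about how scores combine, not documented module behaviour.

```powershell
# Added example (not part of the module): dry-run a classifier ruleset against
# sample entity names before Import-FGRiskClassifiers. Summing the scores of all
# matching classifiers is an assumption, not documented module behaviour.

# Constructed sample ruleset, same shape as the page's example JSON.
$rulesetJson = @'
{
  "groups": [
    { "name": "PrivilegedAdminGroups", "pattern": "(?i)(global.admin|company.admin|root|superuser|privileged)", "score": 25, "description": "Groups granting administrative or root access" },
    { "name": "BroadDataAccess", "pattern": "(?i)(all.users|everyone|full.access|unrestricted)", "score": 15, "description": "Groups with broad data access patterns" }
  ],
  "users": [
    { "name": "ServiceAccounts", "pattern": "(?i)(svc|service|bot|automation|scheduler)[-_.]", "score": 10, "description": "Service account naming patterns" }
  ],
  "agents": [
    { "name": "AgentsWithMailAccess", "pattern": "(?i)(mail.*agent|email.*bot|inbox.*automation)", "score": 20, "description": "AI agents with mail/inbox access" }
  ]
}
'@
$ruleset = $rulesetJson | ConvertFrom-Json

# Constructed sample entities. Section selects the ruleset section to evaluate
# against; Benign marks names a reviewer has already decided are not high risk.
$samples = @(
    [pscustomobject]@{ Section = 'groups'; Name = 'Global Admins';              Benign = $false }
    [pscustomobject]@{ Section = 'groups'; Name = 'All-Users-Full-Access';      Benign = $false }
    [pscustomobject]@{ Section = 'groups'; Name = 'Grassroots-Volunteers';      Benign = $true  }  # contains "root"
    [pscustomobject]@{ Section = 'users';  Name = 'svc-backup@yourcompany.com'; Benign = $false }
    [pscustomobject]@{ Section = 'users';  Name = 'Customer Service-Desk';      Benign = $true  }  # contains "Service-"
    [pscustomobject]@{ Section = 'agents'; Name = 'Mailbox Triage Agent';       Benign = $false }
)

function Test-FGClassifierRuleset {
    # Hypothetical helper: returns one row per sample with the matched
    # classifier names, the summed score, and a false-positive flag.
    param(
        [Parameter(Mandatory)] $Ruleset,
        [Parameter(Mandatory)] [object[]] $Samples
    )
    foreach ($sample in $Samples) {
        $hits  = @()
        $score = 0
        foreach ($classifier in $Ruleset.($sample.Section)) {
            # -match is already case-insensitive in PowerShell; the (?i) in the
            # pattern keeps that behaviour if the pattern is evaluated elsewhere.
            if ($sample.Name -match $classifier.pattern) {
                $hits  += $classifier
                $score += [int]$classifier.score
            }
        }
        [pscustomobject]@{
            Section       = $sample.Section
            Name          = $sample.Name
            Score         = $score
            Matched       = ($hits.name -join ', ')
            FalsePositive = ($sample.Benign -and $hits.Count -gt 0)
        }
    }
}

$results = Test-FGClassifierRuleset -Ruleset $ruleset -Samples $samples
$results | Format-Table -AutoSize

# Any row with FalsePositive = True means a pattern should be tightened before
# import, e.g. anchoring short tokens as whole words: (?i)\b(root|superuser)\b
$results | Where-Object FalsePositive | ForEach-Object {
    Write-Warning "'$($_.Name)' ($($_.Section)) hit $($_.Matched); tighten the pattern before Import-FGRiskClassifiers."
}
```

With these constructed samples, Grassroots-Volunteers is scored 25 by PrivilegedAdminGroups and Customer Service-Desk is scored 10 by ServiceAccounts, both because the patterns are unanchored substrings; the other four rows match as intended. Run the same dry run on an export of your real group, user and agent names before importing a tuned ruleset.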

Fallback classifiers

When no custom classifiers have been saved, Invoke-FGRiskScoring falls back to built-in universal classifiers. The Admin tab in the UI always shows which classifiers are currently active.