Using Guard Manager

New
  • 6 minute(s) read
Prev Next

Guard Manager in Narmi Command is your dedicated tool for investigating log-in events. It provides your staff with full visibility into log-in details, customer information, and outcomes, enabling them to troubleshoot issues and respond to high-risk activity. Importantly, Guard Manager is an investigation tool, not a processing queue like the ACH Manager or Wire Manager. Your institution can decide which log-in events require manual review and how often.

There are two main ways your staff can use Guard Manager:

  • Your team gets a call about a user being blocked, and a staff member will need to investigate and take action.

  • Staff members review blocked log-ins on a regular cadence according to your institution’s policies.

Guard Manager Permissions

To use Guard Manager, your staff must have the following permissions. To set permissions, from the Narmi Command sidebar, select Staff members > Roles.

  • Can view device evaluation – To have read-only access to Guard Manager

  • Can change device evaluation – To have edit access to Guard Manager

Investigation and Actions

Staff members can investigate events, take action, and add users to lists in Guard Manager. Staff can add and remove users from lists in Alloy.

Investigate Events

To investigate an event:

  1. From the Narmi Command sidebar, select Guard.

    Aqua Bank Guard interface displaying successful login events and user details.

    The page opens to a customer list of log-in events, including the following information:

    • Customer/Member – The customer or member’s name

    • Event – The log-in attempt, either:

      • Login success – The user was able to successfully log in to Narmi Banking without multi-factor authentication (MFA) and was not stopped by Alloy.

      • MFA success – The user successfully logged in to Narmi Banking using MFA and was not stopped by Alloy.

      • Login blocked by evaluation – The user's login attempt was blocked due to Alloy's evaluation.

    • Outcome – The event result, either:

      • Accepted – No consequence

      • Blocked – Blocked from Narmi Banking, but they can still attempt to log in and potentially get access

      • Blocked and locked – Blocked from Narmi Banking, and their account is locked, so they cannot attempt to log in

    • Device ID – The identifier for a specific digital device

    • User AgentThe software application acting on behalf of a user to access web content

    • IP Address – The device IP address

    • Date –  The date of the log-in event

  2. Select the row of the customer you need to investigate. A side panel appears with event details. For blocked users, this includes the Outcome reason, or why the user was blocked (e.g., "high activity device behavior," "device ID on deny list").

    Login attempt blocked for Mariana Pajon due to high user count on device.

    From the details panel, you can review the following:

    • View all log-in events associated with a specific device ID or user agent – This includes which other users the device has accessed, to help confirm fraudulent patterns or identify other potentially compromised user accounts. In the Event details section, hover over the Device ID or User agent and select the magnifying glass icon that appears. A page of search results appears, displaying any other log-in events that matched the specific device ID and/or user agent.

    • View the user’s profile and their recent activity – In the User details section, select the user’s name, which opens their user profile.


      If your institution has enabled the enhanced user profile, scroll to the Recent activity section to view recent events for the user.

      Account summary for Lucas Styles showing balance and recent activity details.

    • View all outcome reasons and tags associated with this event – In the Event history section, select View details to open a dialog box.

      Event history showing blocked tags and a login event with MFA details.

      Your institution defines the outcome reasons and tags in Alloy,  and we can provide a starting template for you to use. Select View in Alloy to sign in to Alloy and open the detailed evaluation, which includes the user's full profile and relevant context.

      Blocked message indicating high user count for device with additional information and action link.

      Outcome reasons and tags include the following information:

      • INFO – An information tag without a specified risk level, for example, “Incognito mode.”

      • HI – A high-risk device signal. This typically blocks logins, such as those from bad bots or developer tools, for example, “High suspect score.”

      • MED – A medium-risk device signal. This will not block logins, but it may cause a transaction to be flagged, for example, “New device for user.”

      • LO – A signal that reduces the risk for a device, such as a device previously seen for that user or that has been added to a device allow-list, for example, “Returning device for user (10+ days)”

      • R# – This designates an outcome reason/rule, for example, “R6 High-risk device indicators.”

Take Action on Events

Once your staff has reviewed the event details, they can take action to reverse or enforce decisions on events. For example, if a user is accepted but calls in later to deem the log-in attempt as fraudulent, a staff member can report the event as fraudulent and take appropriate action. On the other hand, if a legitimate user is blocked due to legitimate reasons (e.g., new IP, traveling, etc.) a staff user may want to mark it as benign and put them on the allowlist so they don't have issues logging in.

From the detail panel, select the three dots menu for options.

The following actions are available:

  • Report benign – Select this option for false positives. For example, a shared branch laptop may have been flagged due to an unusually high level of activity.
    You can select either:

    • Add to IP address allow list

    • Add to device ID allow list

    Note: Guard Manager blocks users from being added to the deny list if they are already on the allow list, and vice versa.

    Form for reporting benign items with options for additional information and submission.

    Once marked as benign, a banner appears at the top of the detail panel showing the name of the staff member who reviewed it.

    MFA success notification indicating benign report with option to view details.

    Select View details to open a dialog box with additional information. Select View in Alloy to open the event details in Alloy.

    Notification indicating Giselle Magat reported an item as benign and added to allow list.

  • Report fraudulent – Select this option for confirmed fraudulent events. You can select either:

    • Add to IP address deny list – This prevents traffic originating from the specified IP address.

    • Add to device ID deny list –  This prevents the device from logging into any user account.

    • Lock customer account – Immediately lock the user’s account in the event of severe high-risk incidents.

    Form to report fraud with options to deny access or lock accounts.

    Once marked as fraud, a banner appears at the top of the detail panel showing the name of the staff member who reviewed it.

    Login successful message with a report of fraud and a link to view details.

    Select View details to open a dialog box with additional information. Select View in Alloy to open the event details in Alloy.

    Notification of reported fraud and addition to the IP address deny list.

  • Mark as reviewed – Select this option when staff have investigated the event, but there is insufficient evidence to confirm whether it was fraudulent or benign. A dialog box appears to enter additional information, such as an explanation for the decision. Select Submit.

    Interface for marking a review with an option to add additional information.

    Once marked as reviewed, a banner appears at the top of the detail panel showing the name of the staff member who reviewed it.

    MFA success notification indicating a user marked as reviewed with a link to details.

    Select View details to open a dialog box with additional information. Select View in Alloy to open the event details in Alloy.

    Notification indicating review status and additional information about fraud determination.

Once action has been taken, a checkmark appears next to the Event in Guard Manager to indicate that no further action is needed by colleagues.

User Laura Muir successfully completed multi-factor authentication on November 4, 2025.

Manage Lists in Alloy

You can manage allow and deny lists directly in Alloy, including adding or removing users from those lists. To access lists in Alloy, go to Settings > Lists and select the edit icon.

Settings page displaying allow and deny lists with creation dates and entity counts.

In Guard Manager, you cannot change events that were previously reported as either fraudulent or benign. But if a new log-in event occurs for a device ID or IP address that was previously reported as either fraudulent or benign, you can navigate to the new event to update the list. From Guard Manager, select the event row and on the detail panel of the new event, select the three dots > Report benign or Report fraudulent. In the dialog box that appears, select the link to open the list in Alloy and proceed to manually remove the device ID or IP address from the list.

Notification about an IP address on the deny list with a link to view details.

Related articles