In IDSP, is it expected behavior for the TRIGGERED_RISKRULES column in the IA_EVENT table to differ from the RULE_STACK column in the IA_SUSPICIOUS_EVENT table?
Specifically, should the value of TRIGGERED_RISKRULES (the list of triggered rules) match the value of RULE_STACK (the list of rules that triggered the suspicious event)?
| Table               | Column              |
|---------------------|---------------------|
| IA_EVENT            | TRIGGERED_RISKRULES |
| IA_SUSPICIOUS_EVENT | RULE_STACK          |
For example:

| EVENT_ID  | EVENT_TIMESTAMP | TRIGGERED_RISKRULES | POSTEVAL_STATUS | SE_STATUS | RULE_STACK                       |
|-----------|-----------------|---------------------|-----------------|-----------|----------------------------------|
| <eventid> | <date>          | Risky Country       | <value>         | <value>   | Device recognition,Risky Country |
| <eventid> | <date>          | Risky Country       | <value>         | <value>   | Device recognition,Risky Country |
IDSP 3.4.8
Yes, this is expected. The only source of truth is the IA_EVENT table together with the corresponding response log. IA_SUSPICIOUS_EVENT and IA_EVENT record rules differently.

IA_SUSPICIOUS_EVENT logs the risk rules only when the transaction is evaluated as risky, and in that case it logs all of the rules that were triggered, not only the ones that made the transaction risky. For example, Device recognition is logged as part of RULE_STACK when the transaction is risky, even when the transaction comes from an unknown device and the rule was triggered to reduce the risk score rather than to increase it.

IA_EVENT always logs the risk rules in TRIGGERED_RISKRULES as long as they are part of the risk reason in the response, irrespective of whether the event was evaluated as risky or not.
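The following is an added reconciliation check, not code from the article or from the IDSP product. It rebuilds the two tables in an in-memory SQLite database with constructed rows, joins them on EVENT_ID (the join key is an assumption; the article does not name one), and classifies each event the way the answer above describes: rules that appear in RULE_STACK but not in TRIGGERED_RISKRULES (such as Device recognition) are expected, while a risk rule present in the response but absent from the stack of a risky event is flagged for review as a heuristic of this example, not a rule stated in the article.

```python
"""Reconcile IA_EVENT.TRIGGERED_RISKRULES with IA_SUSPICIOUS_EVENT.RULE_STACK.

Added example, not part of the original article. Assumptions: both tables
share an EVENT_ID column usable as a join key, and rule lists are stored as
comma-separated strings as shown in the article. All rows are constructed.
"""
import sqlite3

# Constructed sample rows. "Velocity" is a made-up rule name used only to
# produce a discrepancy case; the real rule names in the article are
# "Risky Country" and "Device recognition".
IA_EVENT_ROWS = [
    ("evt-1", "2024-01-01T10:00:00Z", "Risky Country"),
    ("evt-2", "2024-01-01T10:05:00Z", "Risky Country"),
    ("evt-3", "2024-01-01T10:10:00Z", "Risky Country"),  # not risky: no suspicious row
    ("evt-4", "2024-01-01T10:15:00Z", ""),               # no risk rules in the response
    ("evt-5", "2024-01-01T10:20:00Z", "Risky Country,Velocity"),
]
IA_SUSPICIOUS_EVENT_ROWS = [
    ("evt-1", "Device recognition,Risky Country"),
    ("evt-2", "Device recognition,Risky Country"),
    ("evt-5", "Device recognition"),  # risky, but the response's rules are missing
]


def split_rules(value):
    """Turn a comma-separated rule string into a set of trimmed rule names."""
    if not value:
        return set()
    return {r.strip() for r in value.split(",") if r.strip()}


def load_sample_db():
    """Create the two tables (assumed minimal schema) and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IA_EVENT (EVENT_ID TEXT PRIMARY KEY, "
        "EVENT_TIMESTAMP TEXT, TRIGGERED_RISKRULES TEXT)"
    )
    conn.execute(
        "CREATE TABLE IA_SUSPICIOUS_EVENT (EVENT_ID TEXT PRIMARY KEY, RULE_STACK TEXT)"
    )
    conn.executemany("INSERT INTO IA_EVENT VALUES (?, ?, ?)", IA_EVENT_ROWS)
    conn.executemany("INSERT INTO IA_SUSPICIOUS_EVENT VALUES (?, ?)", IA_SUSPICIOUS_EVENT_ROWS)
    return conn


# LEFT JOIN keeps non-risky events, which have no IA_SUSPICIOUS_EVENT row.
RECONCILE_SQL = """
SELECT e.EVENT_ID, e.EVENT_TIMESTAMP, e.TRIGGERED_RISKRULES, s.RULE_STACK
FROM IA_EVENT e
LEFT JOIN IA_SUSPICIOUS_EVENT s ON s.EVENT_ID = e.EVENT_ID
ORDER BY e.EVENT_TIMESTAMP
"""


def reconcile(conn):
    """Classify each event by comparing the two rule lists.

    status:
      not_risky   - no IA_SUSPICIOUS_EVENT row, so no RULE_STACK to compare
      risky       - every rule in the response is also in RULE_STACK; extra
                    stack entries (e.g. Device recognition) are expected
      discrepancy - a response rule is missing from RULE_STACK (heuristic)
    """
    results = {}
    for event_id, _ts, triggered, stack in conn.execute(RECONCILE_SQL):
        triggered_set = split_rules(triggered)
        if stack is None:
            results[event_id] = {"status": "not_risky",
                                 "extra_in_stack": set(),
                                 "missing_from_stack": set()}
            continue
        stack_set = split_rules(stack)
        missing = triggered_set - stack_set
        results[event_id] = {
            "status": "discrepancy" if missing else "risky",
            "extra_in_stack": stack_set - triggered_set,
            "missing_from_stack": missing,
        }
    return results


if __name__ == "__main__":
    for event_id, info in reconcile(load_sample_db()).items():
        print(event_id, info["status"],
              "extra:", sorted(info["extra_in_stack"]),
              "missing:", sorted(info["missing_from_stack"]))
```

Run against the real tables, only the `discrepancy` rows need an analyst's attention; the `Device recognition` entries showing up as `extra_in_stack` on risky events are the behaviour the answer describes, not a logging fault.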