PingOne

Adding composite predictors

Each of the standard risk predictors represents a single risk factor. Use composite predictors to combine a number of risk predictors and factors into a single predictor, such as when you’re concerned about the use of an anonymous network only when a user location anomaly is also reported.

About this task

You decide what level of risk you want to assign when the various conditions defined in the composite predictor are and are not met. Composite predictors can include both the standard predictor types provided and any custom predictors that you have created.

In addition to default and custom predictors, you can include the following risk factors in composite predictors:

  • Country

  • State

  • IP range

  • IP domain organization

  • Internet service provider (ISP)

  • Target resource name (target application)

  • User groups

  • User ID

  • User name

As an example scenario for using composite predictors, you want the Geovelocity predictor to ignore a long list of IP addresses. The allow list can include up to 400 IP addresses for one predictor. If you need more than 400 IP addresses, you can add another Geovelocity predictor, combine the two predictors in a composite predictor (using the All operator), and add the composite predictor in the risk policy.

Steps

  1. In the PingOne console, go to Threat Protection → Predictors.

  2. To add a new predictor, click the icon.

  3. For the predictor type, choose Composite.

  4. In the Display Name field, enter a name for the predictor.

    The display name is used in the Protect dashboard and policy configuration.

  5. In the Compact Name field, enter a short name that is returned in the API response.

    You can’t change the compact name after it’s been saved.

  6. Configure the criteria for the composite predictor.

    Predictor conditions are applied in order from top to bottom.

    1. To determine the conditions for each set of criteria, use All, Any, or None.

      You can also nest sets of conditions.

    2. Select a predictor type or risk factor, select an operator, and enter or select the value:

      • To use one value as the criterion, such as a single country, use the Equals or Not Equals operators.

      • To specify multiple values, such as a group of countries, use the Is In or Not In operators.

      • If you are using User Groups as a criterion, use the Is In or Not In operators to specify any number of groups and enter the names of the PingOne user groups to check what PingOne user groups the user belongs to.

        When you use the Is In or Not In operators to define a set of possible values for a risk factor that takes free text, such as State, provide the values as a comma-separated list.

      • If you are using User ID or User Name as a criterion, you can also use the Contains operator, which checks whether the User ID or User Name includes the specified substring. For example, you could check whether the User ID contains a certain domain name. The Contains operator is not case-sensitive.

    3. Optional: To add additional criteria, click Item to add a new criteria item, or Group to add a new group of criteria.

    4. For Risk Level Equals, select Low, Medium, or High to determine the risk level result when the set of criteria is met.

      Example:

      In addition to taking into account the results of multiple individual risk predictors, you can include conditions that relate to the total number of predictors in a policy that were low, medium, or high risk.

      For example, you can create a composite predictor that specifies that the predictor should get a result of high risk if any of the following conditions are true:

      • IP Reputation is high risk.

      • IP Velocity is high risk.

      • Any three predictors in the policy being evaluated are found to be high risk.

  7. Optional: Add additional conditions to evaluate if the first set of conditions is not met.

    1. Click Else.

    2. Configure the criteria and the risk level.

      You can configure up to three sets of conditions in a composite predictor.

  8. Optional: To configure the risk level result to assign if none of the defined conditions is met, select Low, Medium, or High for Else Return at the bottom of the page.

    The default value for Else Return is None.

    A screen capture of a composite predictor with 2 sets of conditions.
  9. Click Save.

Next steps

After a composite predictor yields a result, you can use the result in the same ways as the results of individual risk predictors:

  • You can assign the predictor a score or weight to be used with the other predictors in your risk policy to calculate a final risk level.

    Weights in risk policies have been deprecated for new PingOne environments but can still be used in existing environments.

  • You can define an override that uses the composite predictor so that in cases where the predictor conditions are met, you can directly assign a final risk level and ignore the other predictors in the risk policy.