PingOne

Adding composite predictors

Each of the standard risk predictors represents a single risk factor. Use composite predictors to combine a number of risk predictors and factors into a single predictor, such as when you’re concerned about the use of an anonymous network only when a user location anomaly is also reported.

Condition options

You decide what level of risk you want to assign when the various conditions defined in the composite predictor are and aren’t met. Composite predictors can include both the standard predictor types provided and any custom predictors you created.

In addition to default and custom predictors, you can include the following risk factors in composite predictors:

  • Country

  • State

  • IP

  • IP range

  • IP domain organization

  • Internet service provider (ISP)

  • Rule IDs for the Bot Detection, Traffic Anomaly, and Suspicious Device predictors

  • Target resource name (target application)

  • User groups

  • User ID

  • User name

Example scenario

You want the Geovelocity Anomaly predictor to ignore a long list of IP addresses. The allow list can include up to 400 IP addresses for one predictor. If you need more than 400 IP addresses, you can add another Geovelocity Anomaly predictor, combine the two predictors in a composite predictor (using the All operator), and add the composite predictor in the risk policy.

Steps

  1. In the PingOne admin console, go to Threat Protection > Predictors.

  2. To add a new predictor, click the icon.

  3. For the predictor type, choose Composite.

  4. In the Display Name field, enter a name for the predictor.

    The display name is used in the Threat Protection Dashboard and policy configuration.

  5. In the Compact Name field, enter a short name that’s returned in the API response.

    You can’t change the compact name after it’s been saved.

  6. To determine the conditions for each set of criteria, use All, Any, or None.

    You can also nest sets of conditions.

  7. Select a predictor type or risk factor, select an operator, and enter or select the value.

    • To use one value as the criterion, such as a single country, use the Equals or Not Equals operators.

    • To specify multiple values, such as a group of countries, use the Is In or Not In operators.

    • To use Bot Detection Rule ID, Suspicious Device Rule ID, or Traffic Anomaly Rule ID, use the Is In or Not In operators and select specific rules to create overrides when those rules are triggered in the risk evaluation. This allows for fine-grained control and is useful when a specific rule causes legitimate authentication attempts to be labeled as high risk. Learn more in Predictor rules.

    • If you’re using User Groups as a criterion, use the Is In or Not In operators and enter the names of the PingOne user groups that you want to check the user’s membership against. You can specify any number of groups.

      When you use the Is In or Not In operators to define a set of possible values for a risk factor that takes free text, such as State, provide the values as a comma-separated list.

    • If you’re using User ID or User Name as a criterion, you can also use the Contains operator, which checks whether the user ID or user name includes the specified substring. For example, you could check whether the user ID contains a certain domain name. The Contains operator isn’t case-sensitive.

  8. To add additional criteria, click Item to add a new criteria item, or Group to add a new group of criteria.

    If the Item and Group buttons are grayed out, it’s an indication that you’ve reached the maximum number of criteria items that can be included in a composite predictor.

  9. For Risk Level Equals, select Low, Medium, or High to determine the risk level result when the set of criteria is met.

    Example:

    In addition to taking into account the results of multiple individual risk predictors, you can include conditions that relate to the total number of predictors in a policy that were low, medium, or high risk.

    For example, you can create a composite predictor that specifies that the predictor should get a result of high risk if any of the following conditions are true:

    • IP Reputation is high risk.

    • IP Velocity is high risk.

    • Any three predictors in the policy being evaluated are found to be high risk.

  10. (Optional) Add additional conditions to evaluate if the first set of conditions is not met.

    Predictor conditions are applied in order from top to bottom.

  11. Click Else.

    1. Configure the criteria and the risk level.

      You can configure up to three sets of conditions in a composite predictor.

    2. (Optional) To configure the risk level result to assign if none of the defined conditions is met, select Low, Medium, or High for Else Return at the bottom of the page.

      The default value for Else Return is None.

    [Screen capture: a composite predictor with 2 sets of conditions.]

  12. Click Save.

Example use cases

The following table lists example use cases and how to set up composite predictors to support them:

| Use case | Operator | Filter example | Risk level |
|---|---|---|---|
| Deny list for countries | Any | Country Equals United States; Country Equals United Kingdom | High |
| Allow list for countries | All | Country Not Equals United States; Country Not Equals United Kingdom | Low |
| Ignore users | Any | User Name Equals testuser123; User Name Equals qa_test | Low |
| Non-routable IPs | Any | IP Is In 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 | Medium |
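The top-to-bottom evaluation of condition sets, nested All/Any/None groups, and the operators described above can be checked offline with a small model. This is an added example, not PingOne code or its API schema: the dictionary layout, the factor names `Anonymous Network` and `User Location Anomaly`, and the treatment of a missing factor are assumptions made for illustration.

```python
import ipaddress

GROUPS = {"All": all, "Any": any, "None": lambda results: not any(results)}

def _is_in(factor, actual, raw):
    values = [v.strip() for v in raw.split(",")]  # comma-separated list
    if factor == "IP":  # entries may be single addresses or CIDR ranges
        addr = ipaddress.ip_address(actual)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return actual in values

def match(node, event):
    """True if a criterion, or a nested All/Any/None group, holds for the event."""
    if "group" in node:
        return GROUPS[node["group"]]([match(n, event) for n in node["items"]])
    factor, op, want = node["factor"], node["op"], node["value"]
    actual = event.get(factor)
    if actual is None:  # assumption of this model: a missing factor never matches
        return False
    if op in ("Equals", "Not Equals"):
        return (actual == want) == (op == "Equals")
    if op in ("Is In", "Not In"):
        return _is_in(factor, actual, want) == (op == "Is In")
    if op == "Contains":  # not case-sensitive
        return want.lower() in actual.lower()
    raise ValueError(f"unknown operator: {op}")

def evaluate(predictor, event):
    """Apply the condition sets top to bottom; the first set that is met decides."""
    if len(predictor["sets"]) > 3:
        raise ValueError("a composite predictor takes up to three sets of conditions")
    for cond_set in predictor["sets"]:
        if match(cond_set["when"], event):
            return cond_set["level"]
    return predictor.get("else_return")  # Else Return defaults to None

# Constructed predictor: set 1 ignores test users; set 2 is High only when both
# anomalies are High and the IP is outside the non-routable ranges.
PREDICTOR = {"sets": [
    {"level": "Low", "when": {"group": "Any", "items": [
        {"factor": "User Name", "op": "Equals", "value": "testuser123"},
        {"factor": "User Name", "op": "Equals", "value": "qa_test"}]}},
    {"level": "High", "when": {"group": "All", "items": [
        {"factor": "Anonymous Network", "op": "Equals", "value": "High"},
        {"factor": "User Location Anomaly", "op": "Equals", "value": "High"},
        {"group": "None", "items": [{"factor": "IP", "op": "Is In",
            "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"}]}]}},
]}
```

Running candidate events through such a model before saving a predictor shows which set of conditions fires first, which matters because an earlier Low set (such as an ignore list) takes precedence over a later High set.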

Next steps

After a composite predictor yields a result, you can use the result in the same ways as the results of individual risk predictors:

  • You can assign the predictor a score to be used with the other predictors in your risk policy to calculate a final risk level.

  • You can define an override that uses the composite predictor so that in cases where the predictor conditions are met, you can directly assign a final risk level and ignore the other predictors in the risk policy.