--- title: Adding composite predictors description: Use PingOne Protect composite predictors to combine multiple risk predictors and factors into a single predictor. component: pingone page_id: pingone:threat_protection_using_pingone_protect:p1_protect_adding_composite_predictors canonical_url: https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_adding_composite_predictors.html revdate: March 5, 2025 section_ids: condition-options: Condition options example-scenario: Example scenario steps: Steps example: Example: p1_protect_composite_use_cases: Example use cases next-steps: Next steps --- # Adding composite predictors Each of the standard risk predictors represents a single risk factor. Use composite predictors to combine a number of risk predictors and factors into a single predictor, such as when you're concerned about the use of an anonymous network only when a user location anomaly is also reported. ## Condition options You decide what level of risk you want to assign when the various conditions defined in the composite predictor are and aren't met. Composite predictors can include both the standard predictor types provided and any custom predictors you created. In addition to default and custom predictors, you can include the following risk factors in composite predictors: * Country * State * IP * IP range * IP domain organization * Internet service provider (ISP) * Rule IDs for the Bot Detection, Traffic Anomaly, and Suspicious Device predictors * Target resource name (target application) * User groups * User ID * User name ## Example scenario You want the Geovelocity Anomaly predictor to ignore a long list of IP addresses. The allow list can include up to 400 IP addresses for one predictor. If you need more than 400 IP addresses, you can add another Geovelocity Anomaly predictor, combine the two predictors in a composite predictor (using the **All** operator), and add the composite predictor in the risk policy. ## Steps 1. In the PingOne admin console, go to **Threat Protection > Predictors**. 2. To add a new predictor, click the **[icon: plus, set=fa]**icon. 3. For the predictor type, choose **Composite**. 4. In the **Display Name** field, enter a name for the predictor. The display name is used in the Threat Protection Dashboard and policy configuration. 5. In the **Compact Name** field, enter a short name that's returned in the API response. | | | | - | -------------------------------------------------------- | | | You can't change the compact name after it's been saved. | 6. To determine the conditions for each set of criteria, use **All**, **Any**, or **None**. You can also nest sets of conditions. 7. Select a predictor type or risk factor, select an operator, and enter or select the value. * To use one value as the criterion, such as a single country, use the **Equals** or **Not Equals** operators. * To specify multiple values, such as a group of countries, use the **Is In** or **Not In** operators. * To use **Bot Detection Rule ID**, **Suspicious Device Rule ID**, or **Traffic Anomaly Rule ID**, use the **Is In** or **Not In** operators and select specific rules to create overrides when those rules are triggered in the risk evaluation. This allows for fine-grained control and is useful when a specific rule causes legitimate authentication attempts to be labeled as high risk. Learn more in [Predictor rules](p1_protect_predictor_rules.html). * If you're using **User Groups** as a criterion, use the **Is In** or **Not In** operators to specify any number of groups and enter the names of the PingOne user groups to check what PingOne user groups the user belongs to. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When you use the **Is In** or **Not In** operators to define a set of possible values for a risk factor that takes free text, such as **State**, provide the values as a comma-separated list. | * If you're using **User ID** or **User Name** as a criterion, you can also use the **Contains** operator, which checks whether the user ID or user name includes the specified substring. For example, you could check whether the user ID contains a certain domain name. The **Contains** operator isn't case-sensitive. 8. To add additional criteria, click **[icon: plus, set=fa]Item** to add a new criteria item, or **[icon: plus, set=fa]Group** to add a new group of criteria. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | If the **[icon: plus, set=fa]Item** and **[icon: plus, set=fa]Group** buttons are grayed out, it's an indication that you've reached the maximum number of criteria items that can be included in a composite predictor. | 9. For **Risk Level Equals**, select **Low**, **Medium**, or **High** to determine the risk level result when the set of criteria is met. ### Example: In addition to taking into account the results of multiple individual risk predictors, you can include conditions that relate to the total number of predictors in a policy that were low, medium, or high risk. For example, you can create a composite predictor that specifies that the predictor should get a result of high risk if any of the following conditions are true: * **IP Reputation** is high risk. * **IP Velocity** is high risk. * Any three predictors in the policy being evaluated are found to be high risk. 10. (Optional) Add additional conditions to evaluate if the first set of conditions is not met. | | | | - | ------------------------------------------------------------- | | | Predictor conditions are applied in order from top to bottom. | 11. Click **[icon: plus, set=fa]Else**. 1. Configure the criteria and the risk level. | | | | - | -------------------------------------------------------------------------- | | | You can configure up to three sets of conditions in a composite predictor. | 2. (Optional) To configure the risk level result to assign if none of the defined conditions is met, select **Low**, **Medium**, or **High** for **Else Return** at the bottom of the page. | | | | - | -------------------------------------------------- | | | The default value for **Else Return** is **None**. | ![A screen capture of a composite predictor with 2 sets of conditions.](_images/pwu1695069121911.png) 12. Click **Save**. ## Example use cases The following table lists example use cases and how to set up composite predictors to support them: | Use case | Operator | Filter example | Risk level | | ------------------------ | -------- | ------------------------------------------------------------------------- | ---------- | | Deny list for countries | **Any** | **Country Equals United States****Country Equals United Kingdom** | **High** | | Allow list for countries | **All** | **Country Not Equals United States****Country Not Equals United Kingdom** | **Low** | | Ignore users | **Any** | **User Name Equals** `testuser123`**User Name Equals** `qa_test` | **Low** | | Non-routable IPs | **Any** | **IP Is In** `10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` | **Medium** | ## Next steps After a composite predictor yields a result, you can use the result in the same ways as the results of individual risk predictors: * You can assign the predictor a score to be used with the other predictors in your risk policy to calculate a final risk level. * You can define an override that uses the composite predictor so that in cases where the predictor conditions are met, you can directly assign a final risk level and ignore the other predictors in the risk policy.