PingOne

Configuring predictors

You can configure and edit details and configuration settings for out-of-the-box, custom, and composite predictors at any time.

About this task

Most predictor types allow you to define a Fallback Predictor Decision Value, which is the risk level that should be assigned to the predictor if there is insufficient information to calculate the risk level. This can occur for a number of reasons, such as:

  • The predictor is still in the training period.

  • The basic information required (for example, the location of the user) can’t be obtained.

To configure and edit a predictor:

Steps

  1. In the PingOne console, go to Threat Protection → Predictors.

  2. Click the predictor type, and then click the specific predictor that you want to edit.

  3. Edit the predictor details and configuration settings:

    • To edit Display Name and Description, click the More Options (⋮) icon and click Rename.

    • To edit configuration settings, click the Pencil icon and edit any of the following:

      Predictor Settings

      Adversary-in-the-Middle (AitM)

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      Use the Domain Allow List field to provide a comma-separated list of the domains that are legitimate for your resources. These will be compared with the domains that your users are trying to access to verify that they were not the target of phishing attempts.

      If you don’t specify one or more domains, PingOne Protect sets a short learning period to learn the domains that your users are accessing, and these domains are added to the allow list. The learned domains are displayed under Domain Allow List.

      Anonymous Network Detection

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      In the Allow List field, enter the IP addresses for which anonymous network considerations should be ignored. This must be one or more ranges of IP addresses in classless inter-domain routing (CIDR) format, separated by commas, for example, 1.1.1.1/24, 1.1.2.1/12. For IP addresses in IPv4 format, you can use IP ranges. For IP addresses in IPv6 format, you must add each address to the list individually.

      Bot Detection

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      Use the Track events without SDK payload option to expand the types of bot activity that PingOne Protect can detect. To use this option, you must configure the PingOne Signals (Protect) SDK to pass the SDK payload into the risk evaluation.

      Email Reputation

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      Geovelocity

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      In the Allow List field, enter the IP addresses for which anonymous network considerations should be ignored. This must be one or more ranges of IP addresses in CIDR format, separated by commas, for example, 1.1.1.1/24, 1.1.2.1/12. For IP addresses in IPv4 format, you can use IP ranges. For IP addresses in IPv6 format, each address must be added to the list individually.

      IP Reputation

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      In the Allow List field, enter the IP addresses for which anonymous network considerations should be ignored. This must be one or more ranges of IP addresses in CIDR format, separated by commas, for example, 1.1.1.1/24, 1.1.2.1/12. For IP addresses in IPv4 format, you can use IP ranges. For IP addresses in IPv6 format, each address must be added to the list individually.

      IP Velocity

      You cannot configure settings for the IP Velocity predictor.

      New Device

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      Use the Activation Date field to specify a date when the learning process for the predictor should be restarted. You can use this in conjunction with the fallback setting to force strong authentication when moving the predictor to production.

      Activation Date uses UTC time.

      Suspicious Device

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      Use the Signed SDK Payload is Required option to specify that the predictor requires that the payload from the Signals (Protect) SDK be provided as a signed JWT.

      Before selecting this option for your predictor, verify that you have enabled the option to have the SDK payload provided as a signed JWT in the initialization code for the SDK. If you are using DaVinci flows, you can enable the signed JWT option when configuring the skrisk component in your flows. Learn more in the documentation for the web version of the Signals SDK and the documentation for the PingOne Protect DaVinci connector.

      Traffic Anomaly

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      Use the Users per Device option to set the maximum number of users per device to be considered Medium and High risk for the specified timeframe.

      User Location Anomaly

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      Enter the radius Distance and select the Measurement units (miles or kilometers).

      User-Based Risk Behavior

      Use the Fallback Predictor Decision Value list to select the risk level that this predictor should be assigned if there’s insufficient information to calculate the risk level.

      User Velocity

      You cannot configure settings for the User Velocity predictor.

  4. Click Save.