PingOne

Predictor rules

This reference topic lists the predefined rules used by the PingOne Protect predictors that evaluate rule-based conditions and patterns:

You can also include specific rules for these predictors when creating a composite predictor.

When configuring these predictors, you can exclude specific rules from risk level results. This fine-grained control is useful when a specific rule causes legitimate authentication attempts to be labeled as high risk.

Bot Detection predictor

The following rules are used by the Bot Detection predictor:

Rule ID Rule Description

600

Automation framework - headless browser

Flags indicators associated with automated browsing environments.

601

Automation framework

Detects known browser automation frameworks.

603

Non-human keyboard interaction

Highlights keyboard behavior patterns that appear non-human.

604

Non-human mouse interaction

Highlights mouse interaction patterns that appear automated or synthetic.

610

Suspicious user agent

Flags user-agent characteristics commonly associated with automation.

612

Media mismatch

Detects inconsistencies between reported media capabilities and device profile.

618

Hosting service with a suspicious device property

Flags potentially risky combinations of hosting-network and device characteristics.

623

Automation driver tools

Detects automation driver tooling in the browser environment.

625

Screen resolution anomaly

Flags unusual display properties often associated with nonstandard environments.

627

CPU cores anomaly

Flags improbable hardware capacity reports.

628

Browser loading anomaly

Detects browser initialization patterns associated with automation masking.

629

Browser anomaly

Highlights anomalous browser behavior that can indicate manipulation.

631

Invalid Chrome properties

Flags unexpected behavior in Chrome-specific runtime properties.

632

Automation framework on emulated device

Detects signs that a session is running in an emulated environment.

640

Accelerometer anomaly

Flags motion-sensor patterns that are inconsistent with expected device behavior.

642

Touch interaction duration anomaly

Flags unusual touch interaction timing patterns.

660

AI-based browser automation

Detects indicators of artificial intelligence (AI)-assisted or scripted browser control.

This rule is enabled when the Signals SDK opt-in flag is set to DetectAIAgents=True and evaluates device and browser characteristics that strongly indicate AI or automated session control.

Suspicious Device predictor

The following rules are used by the Suspicious Device predictor:

Rule ID Rule Description

501

Suspicious user agent

Flags user-agent details inconsistent with expected device and browser patterns.

505

Device properties mismatch

Detects inconsistencies across device, browser, and graphics signals.

508

Suspicious device fingerprint

Flags suspicious device fingerprint characteristics.

509

Suspicious browser engine

Detects inconsistencies between fingerprint signals and the reported browser engine.

510

Mismatched between different attributes of the device

Indicates conflicts across core device attributes.

518

Device is missing expected sensors data such as accelerometer or gyroscope for a mobile device

Flags mobile devices missing expected sensor capabilities.

520

Mismatch in browser properties

Detects inconsistencies across reported browser platform properties.

521

Browser API manipulation

Detects signs of browser API or runtime property manipulation.

530

Indicate devices that are running as emulators on a PC

Flags mobile sessions that appear to run in desktop-based emulation.

531

Indicate virtual Android devices

Flags Android sessions that appear to run in virtualized environments.

532

Indicate virtual iOS devices

Flags iOS sessions that appear to run in simulated environments.

534

Device with suspicious network properties

Flags suspicious or inconsistent network-related device signals.

535

Compromised device

Flags indicators that an Android device may be compromised.

537

Emulated Android browser detected

Flags browser sessions that appear to run in Android emulators.

538

Indicates whether the app is running using a cloning app

Detects signs that an application is running in a cloned environment.

540

Suspicious mobile country code

Flags potentially suspicious mobile network-code patterns.

556

Suspicious touchpoints

Highlights touch input characteristics that appear inconsistent or implausible.

557

Timezone offset mismatch

Flags inconsistencies between reported time zone and time-offset signals.

562

Indicates an Android device that is routing traffic through forward proxy

Flags Android sessions that appear to use proxy-based routing.

590

Application runs in debug mode

Flags applications running with development-oriented settings.

591

Device configured for development

Highlights device setup patterns associated with development or testing configurations.

Traffic Anomaly predictor

The following rules are used by the Traffic Anomaly predictor:

Rule ID Rule Description

801

Multiple events by a user in short time

Flags unusually high event activity for a user over a short period.

803

Number of unique users per device is above High threshold

Flags devices associated with an unusually high number of users.

804

Number of unique users per device is above Medium threshold

Flags devices associated with an elevated number of users.

805

Suspicious email address reuse

Detects potentially suspicious reuse patterns in email identities.

806

Unusual number of unique users or devices per browser token in registration flow

Flags unusually broad account or device activity tied to a single browser token.

807

Email plus alias abuse

Detects repeated attempts to register a new user using email alias variations (for example, baseemailaddress+alias@example.com) that can indicate abuse.