Predictor rules
This reference topic lists the predefined rules used by the PingOne Protect predictors that evaluate rule-based conditions and patterns:
You can also include specific rules for these predictors when creating a composite predictor.
When configuring these predictors, you can exclude specific rules from risk level results. This fine-grained control is useful when a specific rule causes legitimate authentication attempts to be labeled as high risk.
Bot Detection predictor
The following rules are used by the Bot Detection predictor:
| Rule ID | Rule | Description |
|---|---|---|
600 |
Automation framework - headless browser |
Flags indicators associated with automated browsing environments. |
601 |
Automation framework |
Detects known browser automation frameworks. |
603 |
Non-human keyboard interaction |
Highlights keyboard behavior patterns that appear non-human. |
604 |
Non-human mouse interaction |
Highlights mouse interaction patterns that appear automated or synthetic. |
610 |
Suspicious user agent |
Flags user-agent characteristics commonly associated with automation. |
612 |
Media mismatch |
Detects inconsistencies between reported media capabilities and device profile. |
618 |
Hosting service with a suspicious device property |
Flags potentially risky combinations of hosting-network and device characteristics. |
623 |
Automation driver tools |
Detects automation driver tooling in the browser environment. |
625 |
Screen resolution anomaly |
Flags unusual display properties often associated with nonstandard environments. |
627 |
CPU cores anomaly |
Flags improbable hardware capacity reports. |
628 |
Browser loading anomaly |
Detects browser initialization patterns associated with automation masking. |
629 |
Browser anomaly |
Highlights anomalous browser behavior that can indicate manipulation. |
631 |
Invalid Chrome properties |
Flags unexpected behavior in Chrome-specific runtime properties. |
632 |
Automation framework on emulated device |
Detects signs that a session is running in an emulated environment. |
640 |
Accelerometer anomaly |
Flags motion-sensor patterns that are inconsistent with expected device behavior. |
642 |
Touch interaction duration anomaly |
Flags unusual touch interaction timing patterns. |
660 |
AI-based browser automation |
Detects indicators of artificial intelligence (AI)-assisted or scripted browser control. This rule is enabled when the Signals SDK opt-in flag is set to |
Suspicious Device predictor
The following rules are used by the Suspicious Device predictor:
| Rule ID | Rule | Description |
|---|---|---|
501 |
Suspicious user agent |
Flags user-agent details inconsistent with expected device and browser patterns. |
505 |
Device properties mismatch |
Detects inconsistencies across device, browser, and graphics signals. |
508 |
Suspicious device fingerprint |
Flags suspicious device fingerprint characteristics. |
509 |
Suspicious browser engine |
Detects inconsistencies between fingerprint signals and the reported browser engine. |
510 |
Mismatched between different attributes of the device |
Indicates conflicts across core device attributes. |
518 |
Device is missing expected sensors data such as accelerometer or gyroscope for a mobile device |
Flags mobile devices missing expected sensor capabilities. |
520 |
Mismatch in browser properties |
Detects inconsistencies across reported browser platform properties. |
521 |
Browser API manipulation |
Detects signs of browser API or runtime property manipulation. |
530 |
Indicate devices that are running as emulators on a PC |
Flags mobile sessions that appear to run in desktop-based emulation. |
531 |
Indicate virtual Android devices |
Flags Android sessions that appear to run in virtualized environments. |
532 |
Indicate virtual iOS devices |
Flags iOS sessions that appear to run in simulated environments. |
534 |
Device with suspicious network properties |
Flags suspicious or inconsistent network-related device signals. |
535 |
Compromised device |
Flags indicators that an Android device may be compromised. |
537 |
Emulated Android browser detected |
Flags browser sessions that appear to run in Android emulators. |
538 |
Indicates whether the app is running using a cloning app |
Detects signs that an application is running in a cloned environment. |
540 |
Suspicious mobile country code |
Flags potentially suspicious mobile network-code patterns. |
556 |
Suspicious touchpoints |
Highlights touch input characteristics that appear inconsistent or implausible. |
557 |
Timezone offset mismatch |
Flags inconsistencies between reported time zone and time-offset signals. |
562 |
Indicates an Android device that is routing traffic through forward proxy |
Flags Android sessions that appear to use proxy-based routing. |
590 |
Application runs in debug mode |
Flags applications running with development-oriented settings. |
591 |
Device configured for development |
Highlights device setup patterns associated with development or testing configurations. |
Traffic Anomaly predictor
The following rules are used by the Traffic Anomaly predictor:
| Rule ID | Rule | Description |
|---|---|---|
801 |
Multiple events by a user in short time |
Flags unusually high event activity for a user over a short period. |
803 |
Number of unique users per device is above High threshold |
Flags devices associated with an unusually high number of users. |
804 |
Number of unique users per device is above Medium threshold |
Flags devices associated with an elevated number of users. |
805 |
Suspicious email address reuse |
Detects potentially suspicious reuse patterns in email identities. |
806 |
Unusual number of unique users or devices per browser token in registration flow |
Flags unusually broad account or device activity tied to a single browser token. |
807 |
Email plus alias abuse |
Detects repeated attempts to register a new user using email alias variations (for example, baseemailaddress+alias@example.com) that can indicate abuse. |