Predictor rules
This reference topic lists the predefined rules used by the PingOne Protect predictors that evaluate rule-based conditions and patterns:
You can also include specific rules for these predictors when creating a composite predictor.
When configuring these predictors, you can exclude specific rules from risk level results. This fine-grained control is useful when a specific rule causes legitimate authentication attempts to be labeled as high risk.
Bot Detection predictor
The following rules are used by the Bot Detection predictor:
| Rule ID | Rule |
|---|---|
600 |
Automation framework - headless browser |
601 |
Automation framework |
603 |
Non-human keyboard interaction |
604 |
Non-human mouse interaction |
610 |
Suspicious user agent |
612 |
Media mismatch |
618 |
Hosting service with a suspicious device property |
623 |
Automation driver tools |
625 |
Screen resolution anomaly |
627 |
CPU cores anomaly |
628 |
Browser loading anomaly |
629 |
Browser anomaly |
631 |
Invalid Chrome properties |
632 |
Automation framework on emulated device |
640 |
Accelerometer anomaly |
642 |
Touch interaction duration anomaly |
660 |
AI-based browser automation |
Suspicious Device predictor
The following rules are used by the Suspicious Device predictor:
| Rule ID | Rule |
|---|---|
501 |
Suspicious user agent |
505 |
Device properties mismatch |
508 |
Suspicious device fingerprint |
509 |
Suspicious browser engine |
510 |
Mismatched between different attributes of the device |
518 |
Device is missing expected sensors data such as accelerometer or gyroscope for a mobile device |
520 |
Mismatch in browser properties |
521 |
Browser API manipulation |
530 |
Indicate devices that are running as emulators on a PC |
531 |
Indicate virtual Android devices |
532 |
Indicate virtual iOS devices |
534 |
Device with suspicious network properties |
535 |
Compromised device |
537 |
Emulated android browser detected |
538 |
Indicates whether the app is running using a cloning app |
540 |
Suspicious mobile country code |
556 |
Suspicious touchpoints |
557 |
Timezone offset mismatch |
562 |
Indicates an Android device that is routing traffic through forward proxy |
590 |
Application runs in debug mode |
591 |
Device configured for development |
Traffic Anomaly predictor
The following rules are used by the Traffic Anomaly predictor:
| Rule ID | Rule |
|---|---|
801 |
Multiple events by a user in short time |
803 |
Number of unique users per device is above High threshold |
804 |
Number of unique users per device is above Medium threshold |
805 |
Suspicious email address reuse |
806 |
Unusual number of unique users or devices per browser token in registration flow |
807 |
Email plus alias abuse |