--- title: Predictor rules description: Use rule reference to fine-tune the PingOne Protect Bot Detection, Suspicious Device, Traffic Anomaly, and composite predictors. component: pingone page_id: pingone:threat_protection_using_pingone_protect:p1_protect_predictor_rules canonical_url: https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_predictor_rules.html revdate: April 29, 2026 section_ids: p1_protect_bot_detection_rules: Bot Detection predictor p1_protect_suspicious_device_rules: Suspicious Device predictor p1_protect_traffic_anomaly_rules: Traffic Anomaly predictor --- # Predictor rules This reference topic lists the predefined rules used by the PingOne Protect predictors that evaluate rule-based conditions and patterns: * [Bot Detection](#p1_protect_bot_detection_rules) * [Suspicious Device](#p1_protect_suspicious_device_rules) * [Traffic Anomaly](#p1_protect_traffic_anomaly_rules) You can also include specific rules for these predictors when creating a [composite predictor](p1_protect_adding_composite_predictors.html). When configuring these predictors, you can exclude specific rules from risk level results. This fine-grained control is useful when a specific rule causes legitimate authentication attempts to be labeled as high risk. ## Bot Detection predictor The following rules are used by the Bot Detection predictor: | Rule ID | Rule | | ------- | ------------------------------------------------- | | 600 | Automation framework - headless browser | | 601 | Automation framework | | 603 | Non-human keyboard interaction | | 604 | Non-human mouse interaction | | 610 | Suspicious user agent | | 612 | Media mismatch | | 618 | Hosting service with a suspicious device property | | 623 | Automation driver tools | | 625 | Screen resolution anomaly | | 627 | CPU cores anomaly | | 628 | Browser loading anomaly | | 629 | Browser anomaly | | 631 | Invalid Chrome properties | | 632 | Automation framework on emulated device | | 640 | Accelerometer anomaly | | 642 | Touch interaction duration anomaly | | 660 | AI-based browser automation | ## Suspicious Device predictor The following rules are used by the Suspicious Device predictor: | Rule ID | Rule | | ------- | ---------------------------------------------------------------------------------------------- | | 501 | Suspicious user agent | | 505 | Device properties mismatch | | 508 | Suspicious device fingerprint | | 509 | Suspicious browser engine | | 510 | Mismatched between different attributes of the device | | 518 | Device is missing expected sensors data such as accelerometer or gyroscope for a mobile device | | 520 | Mismatch in browser properties | | 521 | Browser API manipulation | | 530 | Indicate devices that are running as emulators on a PC | | 531 | Indicate virtual Android devices | | 532 | Indicate virtual iOS devices | | 534 | Device with suspicious network properties | | 535 | Compromised device | | 537 | Emulated android browser detected | | 538 | Indicates whether the app is running using a cloning app | | 540 | Suspicious mobile country code | | 556 | Suspicious touchpoints | | 557 | Timezone offset mismatch | | 562 | Indicates an Android device that is routing traffic through forward proxy | | 590 | Application runs in debug mode | | 591 | Device configured for development | ## Traffic Anomaly predictor The following rules are used by the Traffic Anomaly predictor: | Rule ID | Rule | | ------- | -------------------------------------------------------------------------------- | | 801 | Multiple events by a user in short time | | 803 | Number of unique users per device is above High threshold | | 804 | Number of unique users per device is above Medium threshold | | 805 | Suspicious email address reuse | | 806 | Unusual number of unique users or devices per browser token in registration flow | | 807 | Email plus alias abuse |