The data for a custom predictor can be:

  • Information that PingOne Protect has, but is not included in one of the standard predictors, for example, the country where the user trying to access the resource is currently located
  • External risk-related data that you provide as input, for example, information on managed and unmanaged devices from PingFederate

You can define three types of custom risk predictors:

  • IP range - definition of risk levels associated with different IP ranges
  • String matching - definition of risk levels associated with different values of input provided as a string
  • Numeric range - definition of risk levels associated with different values of input provided as a number

Custom predictors are treated like the out-of-the-box predictors in terms of:

  • Being able to add them to risk policies
  • Viewing data for the predictors in the PingOne Protect dashboard
  • Inclusion of the data in PingOne Audit logs

You can add a maximum of 15 custom predictors per environment.

  1. In the PingOne console, go to Threat Protection > Predictors.
  2. To add a new predictor, click the + icon.
  3. For the predictor type, select Custom.
  4. In the Display Name field, enter a name for the predictor.

    The display name is used in the PingOne Protect dashboard and policy configuration.

  5. In the Compact Name field, enter a short name that will be returned in the API response.
    Note:

    You can't change the compact name after it's been saved.

  6. The Attribute Mapping field is used to point to the variable that will contain the data that is being used to determine high, medium, or low risk for the predictor. The field can take any of the following types of data:
    • One of the fields included in the details object returned in the API response for risk evaluations, for example, details.country. In this case, you would enter ${details.country} in the Attribute Mapping field.
    • One of the fields included in the event object included in the API request for risk evaluations, for example, event.browser.userAgent. In this case, you would enter $(event.browser.userAgent) in the Attribute Mapping field.
    • Data that you are providing from an external source. You provide the data by including a new field in the event object in the Create risk evaluation API request, for example, event.managedDevice. In this case, you would enter $(event.managedDevice) in the Attribute Mapping field.
      Note: For information about the fields included in the details object and the fields included in the event object, see the "Details data model" and "Event data model" tables in the risk evaluation section of the PingOne API documentation.
      Note: If you defined a flow in DaVinci where custom attributes are provided as input to the risk evaluation, then you must add customAttributes after event in the AttributeMapping field, for example, $(event.customAttributes.managedDevice).
  7. In the Fallback Predictor Decision Value list, select a default risk level to use in case the attribute isn't provided.
  8. In the Risk Level Mapping section:
    1. Select the type of input that is being provided for the comparison: Range - for numeric range input, IP Ranges - for IP range input, List Item - for string-matching input.
    2. Enter the values that will be considered Low, Medium, and High risk. For string-matching, enter one string in each text field. Click Add List Item if you want to provide more than one string for any of the three risk levels.
      Note:
      • If a value appears in more than one of the risk categories (Low, Medium, High), the more strict risk category is used for the value.
      • For numeric input, the input is assigned to a specific risk level (Low, Medium, High) if it is greater or equal to the Min value and less than the Max value.
  9. Click Save.