Adding custom predictors - PingOne - PingOne Cloud Platform - PingOne Services

PingOne Cloud Platform

PingOne Cloud Platform
PingOne Cloud Platform
Product documentation
Guide > Administrator Guide

Add a custom predictor to include data from external sources in risk calculations.

Custom predictors allow you to plug in external data sources and reference custom properties. You can use custom predictors to determine a risk score if a device is not managed or map third-party risk scores to high, medium, or low. You can then add custom predictors to risk policies, apply overrides, and view analytics in the Dashboards.

For example, you can use PingFederate to establish risk-based remote access authentication controls depending on device type. You can receive an external feed of managed and unmanaged devices from PingFederate and map them to low or high risk.

Custom predictors appear in the Dashboard charts with the same functionality as other predictors. You can filter charts based on custom predictors and see relevant information about them in the drill-down tables. Custom predictors are also added to audit reporting.

You can add a maximum of 15 custom predictors per environment.

For information on configuring custom predictors, see Risk Advanced Predictors.

  1. In the PingOne console, go to Threat Protection > Predictors.
  2. To add a new predictor, click the + icon.
  3. For the predictor type, select Custom.
  4. In the Display Name field, enter a name for the predictor.

    The display name is used in the Protect dashboard and policy configuration.

  5. In the Compact Name field, enter a short name that will be returned in the API response.

    You can't change the compact name after it's been saved.

  6. In the Attribute Mapping field, enter the JSON pointer to the custom attribute in the risk evaluation resource.

    Use the format ${event|}, such as ${} or $(event.browser.userAgent).

    When defining a custom predictor, the Attribute Mapping field can take any of the following types of data:

    • One of the fields included in the details object returned in the API response for risk evaluations, for example,
    • One of the fields included in the event object included in the API request for risk evaluations, for example, event.browser.userAgent.
    • Data that you include from an external source. This is done by including the data as a new field in the event object in the Create risk evaluation API request, for example, event.externalAttribute. You use the same name in the Attribute Mapping field in the UI when you define the custom predictor. For example, you can provide as input a risk score from a third-party.
  7. In the Fallback Predictor Decision Value list, select a default risk level in case the attribute isn't provided.
  8. In the Risk Level Mapping section, define what values will return a LOW, MEDIUM, or HIGH score in the response:
    • Select Range to define a numerical range.
    • Select IP Ranges to define IP ranges.
    • Select List Item to define specific alphanumerical values. To define more values for each score, click Add List Item.

    If the same value appears in more than one of the risk categories (Low, Medium, High), the higher risk category is used.

  9. Click Save.

After saving the new predictor, you can configure it within a risk policy in two places:

  • As an entry in the Weighted Policy section
  • As a new option in the Override section

For more information, see Risk policies.