You decide which risk level to assign when the conditions defined in the composite predictor are met, and which to assign when they are not. Composite predictors can include both the standard predictor types provided and any custom predictors that you have created.

In addition to default and custom predictors, you can include the following risk factors in composite predictors:

  • Country
  • State
  • IP range
  • IP domain organization
  • Internet service provider (ISP)
  • Target resource name (target application)
  • User ID
  • User Name

As an example scenario for using composite predictors, suppose you want the Geovelocity predictor to ignore a long list of IP addresses. The allow list can include up to 400 IP addresses for one predictor. If you need more than 400 IP addresses, you can add another Geovelocity predictor, combine the two predictors in a composite predictor (using the All operator), and add the composite predictor to the risk policy.

  1. In the PingOne console, go to Threat Protection > Predictors.
  2. To add a new predictor, click the + icon.
  3. For the predictor type, choose Composite.
  4. In the Display Name field, enter a name for the predictor.

    The display name is used in the Protect dashboard and policy configuration.

  5. In the Compact Name field, enter a short name that is returned in the API response.

    You can't change the compact name after it's been saved.

  6. Configure the criteria for the composite predictor.

    Predictor conditions are applied in order from top to bottom.

    1. To determine the conditions for each set of criteria, use All, Any, or None.

      You can also nest sets of conditions.

    2. Select a predictor type or risk factor, select an operator, and enter or select the value:
      • To use one value as the criterion, such as a single country, use the Equals or Not Equals operators.
      • To specify multiple values, such as a group of countries, use the Is In or Not In operators.

        When you use the Is In or Not In operators to define a set of possible values for a risk factor that takes free text, such as State, provide the values as a comma-separated list.

      • If you are using User ID or User Name as a criterion, you can also use the Contains operator, which checks whether the User ID or User Name includes the specified substring. For example, you could check whether the User ID contains a certain domain name. The Contains operator is not case-sensitive.
    3. Optional: To add additional criteria, click + Item to add a new criteria item, or + Group to add a new group of criteria.
    4. For Risk Level Equals, select Low, Medium, or High to determine the risk level result when the set of criteria is met.

      In addition to taking into account the results of multiple individual risk predictors, you can include conditions that relate to the total number of predictors in a policy that were low, medium, or high risk.

      For example, you can create a composite predictor that specifies that the predictor should get a result of high risk if any of the following conditions are true:

      • IP Reputation is high risk.
      • IP Velocity is high risk.
      • Any three predictors in the policy being evaluated are found to be high risk.
  7. Optional: Add additional conditions to evaluate if the first set of conditions is not met.
    1. Click + Else.
    2. Configure the criteria and the risk level.

    You can configure up to three sets of conditions in a composite predictor.

  8. Optional: To configure the risk level result to assign if none of the defined conditions is met, select Low, Medium, or High for Else Return at the bottom of the page.

    The default value for Else Return is None.

    A screen capture of a composite predictor with 2 sets of conditions.
  9. Click Save.
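
The evaluation rules from the procedure above, modelled in Python so you can dry-run a planned composite predictor against sample sign-in data before building it in the console. This is an added example, not PingOne code or the PingOne API schema: the dictionary layout, field names, the `at_least` operator, and the `high_count` value are assumptions made for illustration.

```python
# Added illustration: a simplified model of the evaluation rules described
# above. Field names, operator keys and sample data are assumptions.
OPS = {
    "equals":     lambda a, v: a == v,
    "not_equals": lambda a, v: a != v,
    "is_in":      lambda a, v: a in v,
    "not_in":     lambda a, v: a not in v,
    # Contains (User ID / User Name only) is not case-sensitive.
    "contains":   lambda a, v: v.lower() in (a or "").lower(),
    # Hypothetical operator for "any N predictors are high risk".
    "at_least":   lambda a, v: (a or 0) >= v,
}

def matches(node, ctx):
    """Evaluate one criterion, or a (possibly nested) All/Any/None group."""
    if "group" in node:
        hits = [matches(item, ctx) for item in node["items"]]
        return {"all": all(hits), "any": any(hits), "none": not any(hits)}[node["group"]]
    return OPS[node["op"]](ctx.get(node["field"]), node["value"])

def evaluate(predictor, factors, predictor_levels):
    """Return the level of the first matching condition set, else Else Return."""
    sets = predictor["condition_sets"]
    if len(sets) > 3:
        raise ValueError("at most three sets of conditions are allowed")
    high = sum(level == "HIGH" for level in predictor_levels.values())
    ctx = {**factors, **predictor_levels, "high_count": high}
    for cond_set in sets:  # applied in order, top to bottom
        if matches(cond_set["when"], ctx):
            return cond_set["risk_level"]
    return predictor.get("else_return")  # Else Return defaults to None

# Constructed predictor: the page's high-risk example, plus one Else set.
EXAMPLE = {
    "condition_sets": [
        {"risk_level": "HIGH", "when": {"group": "any", "items": [
            {"field": "ip_reputation", "op": "equals", "value": "HIGH"},
            {"field": "ip_velocity", "op": "equals", "value": "HIGH"},
            {"field": "high_count", "op": "at_least", "value": 3},
        ]}},
        {"risk_level": "MEDIUM", "when": {"group": "all", "items": [
            {"field": "user_id", "op": "contains", "value": "@Contractor.example"},
            {"group": "none", "items": [
                {"field": "country", "op": "is_in", "value": ["US", "CA"]}]},
        ]}},
    ],
    "else_return": None,
}
```

Because the sets are checked in order, a sign-in that satisfies both the first set and the Else set receives the first set's level, so place the most severe conditions first.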

After a composite predictor yields a result, you can use the result in the same ways as the results of individual risk predictors:

  • You can assign the predictor a score or weight to be used with the other predictors in your risk policy to calculate a final risk level.

    Weights in risk policies have been deprecated for new PingOne environments but can still be used in existing environments.

  • You can define an override that uses the composite predictor so that in cases where the predictor conditions are met, you can directly assign a final risk level and ignore the other predictors in the risk policy.