Risk predictors are intended to identify possible fraudulent user behaviors based on these criteria:

User Risk Behavior employs user behavior analytics and machine learning to identify normal user behavior patterns within the environment. User behavior varies between environments, and can be learned through factors such as the type of accessing device, the browser and operating system used, and the location from which a user signs on.

Risk predictor data model

Property Description
by A list of strings type. An ordered list of JSON parameters for the values to aggregate. For example, ${event.ip},${event.user.id}.
compactName A string type. A unique name for the predictor. Must be alphanumeric, with no special characters or spaces. This name is used in the API both for policy configuration and in the Risk Evaluation response (under details).
createdAt A date type. Indicates the date the risk predictor was created (format ISO-8601).
every The interval to use to calculate the measure.
  • unit. An enum type. This can be: “HOUR”.

  • quantity. An int type. The number of unit values. For example, 1 (to equal one hour).

  • minSample. An int type. The minimum size of measures needed in the interval for the threshold calculation. For example, for an IP per user rule, you’ll want to use a minimum of 3 distinct IPs for the (hour) interval.
fallback The strategy to use if thresholds cannot be calculated.
  • strategy. An enum type. This can be: “ENVIRONMENT_MAX”.

  • high. An int type. This is relevant when fallback.strategy is ENVIRONMENT_MAX, and the test used is Z_TEST. The high threshold to be used in case an insufficient number of events were registered for the environment.

  • medium. An int type. This is relevant when fallback.strategy is ENVIRONMENT_MAX, and the test used is Z_TEST. The medium threshold to be used in case an insufficient number of events were registered for the environment.
maxDelay The maximum amount of time to delay before the risk predictor’s threshold expires and a new threshold is calculated.
  • unit. An enum type. The unit of time to use. This can be: “DAY”.

  • quantity. An int type. The number of units to use. For example, 1.
measure An enum type. This can be: “DISTINCT_COUNT”. This is the statistical measure used to aggregate the data.
name A string type. A unique, friendly name for the predictor. This name is displayed in the Risk Policies UI, when the admin is asked to define the overrides and weights.
of A string type. A JSON pointer for the value to aggregate. For example, ${event.ip} or ${event.user.id}.
slidingWindow Defines the duration over which the risk predictor is to be applied.
  • unit. An enum type. The unit of time to use. This can be: “DAY”.

  • quantity. An int type. The number of units. For example, 7 days.

  • minSample. An int type. The minimum number of every.unit intervals (such as hours) needed to calculate the threshold. For example, you’ll want a minimum of 3 active hours to calculate the IP velocity rule.
type An enum type. This can be either: “VELOCITY” or “USER_RISK_BEHAVIOR”.
updatedAt A date type. Indicates the date the risk predictor set was updated (format ISO-8601).
use Defines the test used to decide whether the transaction is anomalous (not what is to be expected).
  • type. An enum type. This indicates the test used to identify anomalous behavior. This can be: “Z_TEST”.

  • medium. A double type. This is relevant only for a Z_TEST, and indicates the standard deviation from mean considered as “medium”. For example, 2.

  • high. A double type. This is relevant only for Z_TEST, and indicates the standard deviation from mean considered as “high”. For example, 4.
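
The following sketch shows how the properties above fit together for a VELOCITY predictor. It is an added example, not the product's implementation. The arithmetic is an assumption: a population standard deviation over the qualifying hourly counts, and fallback.medium and fallback.high applied as absolute counts. The event shape, the `ts` field (epoch seconds), the sample data and all function names are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed predictor: property names follow the data model, values are illustrative.
PREDICTOR = {
    "type": "VELOCITY", "measure": "DISTINCT_COUNT",
    "of": "${event.ip}", "by": ["${event.user.id}"],
    "every": {"unit": "HOUR", "quantity": 1, "minSample": 3},
    "slidingWindow": {"unit": "DAY", "quantity": 7, "minSample": 3},
    "use": {"type": "Z_TEST", "medium": 2.0, "high": 4.0},
    "fallback": {"strategy": "ENVIRONMENT_MAX", "medium": 20, "high": 30},
}
# Constructed history: (user, hour bucket, distinct IPs seen in that hour).
ROWS = [("alice", 100, 3), ("alice", 101, 4), ("alice", 102, 3), ("alice", 103, 5),
        ("alice", 110, 12), ("bob", 109, 3), ("bob", 110, 5)]
EVENTS = [{"ts": h * 3600 + i, "ip": f"198.51.100.{i}", "user": {"id": u}}
          for u, h, n in ROWS for i in range(n)]

def resolve(event, pointer):  # e.g. "${event.user.id}" -> event["user"]["id"]
    for part in pointer[2:-1].split(".")[1:]:  # strip "${" and "}", skip "event"
        event = event[part]
    return event

def hourly_distinct(events, p):
    """DISTINCT_COUNT of `of`, grouped by the `by` values and the hour bucket."""
    seen = defaultdict(set)
    for e in events:
        key = tuple(resolve(e, ptr) for ptr in p["by"])
        seen[(key, e["ts"] // 3600)].add(resolve(e, p["of"]))
    return {k: len(v) for k, v in seen.items()}

def thresholds(history, p):
    """Return (medium, high, source) derived from past hourly counts."""
    samples = [c for c in history if c >= p["every"]["minSample"]]
    if len(samples) < p["slidingWindow"]["minSample"]:  # too little data: fall back
        return p["fallback"]["medium"], p["fallback"]["high"], p["fallback"]["strategy"]
    mu, sigma, use = mean(samples), pstdev(samples), p["use"]
    return mu + use["medium"] * sigma, mu + use["high"] * sigma, use["type"]

def evaluate(events, key, now_hour, p=PREDICTOR):
    """Score the current hour for one `by` key against the sliding-window baseline."""
    counts = hourly_distinct(events, p)
    window = p["slidingWindow"]["quantity"] * 24  # DAY units expressed in hours
    history = [c for (k, h), c in counts.items()
               if k == key and now_hour - window <= h < now_hour]
    medium, high, source = thresholds(history, p)
    current = counts.get((key, now_hour), 0)
    level = "HIGH" if current > high else "MEDIUM" if current > medium else "LOW"
    return level, source
```

With the constructed data, `evaluate(EVENTS, ("alice",), 110)` is scored by the Z_TEST because four qualifying hours exist, while `evaluate(EVENTS, ("bob",), 110)` has a single prior hour and is scored against the fallback thresholds.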