Signal Name | Account Opening | Account Defense | Web | iOS | Android | Feature Set |
---|---|---|---|---|---|---|
ATO Risk | - - | Yes | Yes | Yes | Yes | Behavior Analytics |
Automated Activity | Yes | Yes | Yes | Yes | Yes | Behavior Analytics |
Behavioral Analytics Recognition | - - | Yes | Yes | Yes | Yes | Behavior Analytics |
Bot Framework | Yes | Yes | Yes | - - | - - | Device & Network Intelligence |
Browser Type Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Browser Version Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Combined Digital Intent | Yes | Yes | Yes | Yes | Yes | Behavior Analytics |
Country Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Custom Attributes | Yes | - - | Yes | Yes | Yes | Behavior Analytics |
Device Type Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Device Reputation | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Device Velocity | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Factory Reset | Yes | Yes | - - | Yes | Yes | Device & Network Intelligence |
Familiarity (v2) | Yes | - - | Yes | Yes | Yes | Behavior Analytics |
Familiarity (v3) | Yes | - - | Yes | Yes | Yes | Behavior Analytics |
Fraud Ring Indicator | Yes | - - | Yes | Yes | Yes | Behavior Analytics |
GPS Spoofing | Yes | Yes | - - | Yes | Yes | Device & Network Intelligence |
Incognito | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
IP Address Association | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
IP Address Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
IP Blocklist | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Multiple IDs per Device | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Multiple Users Per Device | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
New Device | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
OS Type Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
OS Version Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Public Proxy | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Rapid Location Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
Remote Access Detection | - - | Yes | Yes | - - | - - | Behavior Analytics |
Risky Device | Yes | - - | Yes | Yes | Yes | Behavior Analytics |
Session Login Fraud Ring Indicator | Yes | Yes | Yes | Yes | Yes | Behavior Analytics |
Suspicious Device | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
TOR Exit Node | Yes | Yes | Yes | Yes | Yes | Device & Network Intelligence |
User Agent Change | - - | Yes | Yes | Yes | Yes | Device & Network Intelligence |
VPN | Yes | Yes | Yes | Yes | - - | Device & Network Intelligence |
Behavior Analytics
ATO Risk
The `ato_risk` signal is a heuristic signal that identifies the risk of a login being tied to an account takeover attempt. This signal leverages behavior, device, and network data features to analyze new and returning users.
The `label` field is a string.
- A `high` value indicates high likelihood that a login is associated with an account takeover attempt.
- A `medium` value indicates moderate likelihood that a login is associated with an account takeover attempt.
- A `low` value indicates low likelihood that a login is associated with an account takeover attempt.
- An `insufficient data` value indicates that this is the first observed session for a user or the current session doesn't have enough user interaction to determine account takeover risk.
The `score` field is a numeric value representing whether or not a session is associated with an account takeover attempt. A value of 0.0 indicates the session is not likely to be related to an account takeover, and a value of 1.0 indicates high risk that the session is related to an account takeover.
{
"model": "ato_risk",
"label": "string",
"version": "string",
"attributes": {},
"score": "number"
}
Automated Activity
The `automated_activity` signal flags that this session has automated behaviors.
The `label` field is boolean, where:
- A `true` value means the user is exhibiting behavior associated with a malicious bot.
- A `false` value means the user is not exhibiting behavior associated with a malicious bot.
There are no `attributes` for automated activity.
Additional details about the session are reflected in the customer portal using the Activity Types listed below:
Automated Activity Type | Description |
---|---|
Unusual Activity | An Unusual Activity label will trigger on TRUE if malicious bot activity was observed within the navigation of the browser or application. |
Suspicious Browser | A Suspicious Browser label will trigger on TRUE if configurations within the browser being used are indicative of malicious bot activity. |
Automated Data Entry | An Automated Data Entry label will trigger on TRUE if malicious bot activity is observed in how data is being entered. |
Not Automated | A Not Automated label will trigger on FALSE if no malicious bot activity was observed. |
Legitimate Bot | A Legitimate Bot label is specific to version 2.0 and will trigger on FALSE if legitimate bot activity from web crawlers, web scrapers, and search engine bots was observed. |
{
"version": "1.0",
"model": "automated_activity",
"label": "false",
"attributes": {
},
"score": 0
}
Behavioral Analytics Recognition
The `behavioral_analytics_recognition` signal identifies sets of behavioral features (typing, swiping, etc.) that establish a profile to analyze sessions against.
The `label` field is a string containing one of the following:
- `high risk` indicates a risky session with very different observed behavior.
- `low risk` indicates a low risk session with similar behavior previously observed.
- `neutral` indicates a session with no behavior indicating risky or genuine.
The `score` field represents a numeric value between 0 and 100. A score of 0 indicates that the current login behavior is not the same as previous logins, and a score of 100 indicates that the current login behavior is the same as previous logins.
{
"model": "behavioral_analytics_recognition",
"label": "string",
"version": "string",
"attributes": {},
"score": "number"
}
Combined Digital Intent
The `combined_digital_intent` signal is a classification of the user’s intent based on the outcomes of Familiarity, Fraud Ring Indicator, and Automated Activity.
The `label` field contains one of `genuine`, `neutral`, `risky`, or `insufficient data`, where:
- `genuine` means the user exhibited behavior reflective of pulling their personal information from their long-term memory.
- `neutral` means the user has not exhibited behavior that could be classified as Genuine or Risky.
- `risky` means the user has demonstrated suspicious behavior across the application.
- `insufficient data` means the user has not interacted with enough of the application to make a decision.
There are no attributes for `combined_digital_intent`.
{
"version": "1.0.0",
"model": "combined_digital_intent",
"label": "genuine",
"attributes": {
},
"score": 0.0
}
Custom Attributes
These attributes are configured to be specific to your mobile/web application. These attributes require configuration in your application's `site-config`. These attributes are tied to specific targets on your mobile/web application.
Important note on target names in regards to custom attributes
If target names that are configured for custom attributes change on your mobile/web application, they will no longer be available in the API response. You must update your backend application that consumes these attributes to consume the newly named targets.
The `version` field contains the version of the configured attributes. This is set in your application's `site-config` when attributes are configured and is incremented as `custom_attributes` are updated on your site. This field follows the pattern: `major.minor.patch`.
The `attributes` field contains a dictionary of attributes. The key of the dictionary is the target name configured in your application's `site-config`.
Custom Attribute Example Response
{
"version": "1.0.0",
"model": "custom_attributes",
"label": "",
"attributes": {
"context": {
"is_pc": true
},
"#your_app_field_target_2": {
"interaction_count": 1,
"transition_to_entry_ratio": 0.2616580310880829,
"left_window": 0,
"transition_type__is_in_page_copy": 0,
"transition_type__is_flip": 0,
"transition_type__is_autofill": 0,
"transition_type__is_auto_advance": 0,
"transition_type__is_kbd": 0,
"transition_type__is_back": 0,
"transition_type__is_tap": 0,
"transition_type__is_mouse": 1,
"transition_type__is_other": 0,
"transition_pause_to_movement_ratio": 0,
"transition_is_suspicious": 0,
"transition_deviation": 1.1518665435331068,
"entry_type__is_paste": 0,
"entry_type__is_assist": 0,
"entry_type__is_autofill": 0,
"entry_type__is_kbd": 0,
"entry_type__is_transcribe": 0,
"entry_type__is_slow": 0,
"entry_type__is_fast": 0,
"entry_type__is_type": 1,
"entry_type__is_no_change": 0,
"entry_type__is_unknown": 0,
"entry_type__is_password": 0,
"entry_type__is_click": 0,
"entry_type__is_flip": 0,
"entry_type__is_other": 0,
"entry_has_support": 0,
"entry_shortcut_cnt": 0,
"entry_pause_to_interacting_ratio": 0,
"entry_typing_fluency": null,
"entry_has_edits": 0,
"entry_pause_cnt": 0
},
"#your_app_field_target_1": {
"interaction_count": 1,
"transition_to_entry_ratio": 0.25,
"left_window": 0,
"transition_type__is_in_page_copy": 0,
"transition_type__is_flip": 0,
"transition_type__is_autofill": 0,
"transition_type__is_auto_advance": 0,
"transition_type__is_kbd": 0,
"transition_type__is_back": 0,
"transition_type__is_tap": 0,
"transition_type__is_mouse": 1,
"transition_type__is_other": 0,
"transition_pause_to_movement_ratio": 0,
"transition_is_suspicious": 0,
"transition_deviation": 1.2082106550915572,
"entry_type__is_paste": 0,
"entry_type__is_assist": 0,
"entry_type__is_autofill": 0,
"entry_type__is_kbd": 0,
"entry_type__is_transcribe": 0,
"entry_type__is_slow": 0,
"entry_type__is_fast": 0,
"entry_type__is_type": 1,
"entry_type__is_no_change": 0,
"entry_type__is_unknown": 0,
"entry_type__is_password": 0,
"entry_type__is_click": 0,
"entry_type__is_flip": 0,
"entry_type__is_other": 0,
"entry_has_support": 0,
"entry_shortcut_cnt": 0,
"entry_pause_to_interacting_ratio": 0,
"entry_typing_fluency": null,
"entry_has_edits": 0,
"entry_pause_cnt": 0
}
}
}
Custom Attribute Data Dictionary
Attribute Name | Feature Type | Type | Definition |
---|---|---|---|
is_pc | Context | bool | Indicates if the target was interacted with on a desktop device |
interaction_count | General | int | Count of how many times the user interacted with the field |
left_window | General | int | Discrete categorical indicating whether the user left the browser/app while interacting with the field and whether they were gone for more than 10 seconds: `0`: user did not leave window; `1`: user left window and returned in under 10 seconds; `2`: user left window for more than 10 seconds |
transition_to_entry_ratio | General | float | Ratio between the total time spent transitioning into the field compared to the total time spent interacting with the field |
transition_type | Transition | string | How the user transitioned into the field; values include `tap`, `mouse`, `autofill`, `auto_advance`, `kbd`, `flip`, `in_page_copy`, `back`, and `other` |
transition_is_suspicious | Transition | binary | Binary indicating the transition type was suspicious and correlated to fraudster efficiency techniques: `0`: transition is not suspicious; `1`: transition is suspicious |
transition_pause_to_movement_ratio | Transition | float | Ratio between how much time the user spent processing/pausing vs moving to the field. |
transition_deviation | Transition | float | Measure of how much a user deviates in their trajectory to the field - only relevant for PC devices |
entry_type | Entry | string | How the user supplied data into the field; values include `type`, `transcribe`, `slow`, `fast`, `autofill`, `assist`, `kbd`, `paste`, `no_change`, `password`, `click`, `flip`, `unknown`, and `other` |
entry_has_support | Entry | int | Discrete categorical indicating whether the user had browser assistance in completing their entry, whether it be through: `0`: predictive text; `1`: format masking; `2`: autofilling |
entry_has_edits | Entry | int | Discrete categorical indicating whether the user had minor or major entry changes: `0`: Entry did not have edits; `1`: Entry had minor edits; `2`: Entry had major edits; `3`: Entry had both major and minor edits |
entry_shortcut_cnt | Entry | int | Count of times the user leveraged shortcuts like cutting, copying, or pasting to supply data |
entry_pause_cnt | Entry | int | Count of times the user took more than a 2 second break while interacting with the field |
entry_typing_fluency | Entry | float | Measure of the user’s typing rhythm and speed |
entry_pause_to_interacting_ratio | Entry | float | Ratio between how much time the user spent processing/pausing vs actively interacting with the field |
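The following is an added example, not NeuroID code: a backend-side decoder that collapses the `transition_type__is_*` and `entry_type__is_*` flags from the example response into the `transition_type` and `entry_type` values of the data dictionary, and reports configured targets that are absent from the response, which is what a renamed target looks like to the consumer. The function names, `EXPECTED_TARGETS`, and the `#renamed_field` target are assumptions made for illustration.

```python
# Added example (not NeuroID code): decode a custom_attributes signal.
# Flag names and categorical codes come from the data dictionary on this page;
# the function names and EXPECTED_TARGETS are assumptions.

TRANSITION_PREFIX = "transition_type__is_"
ENTRY_PREFIX = "entry_type__is_"
EXPECTED_TARGETS = {"#your_app_field_target_1", "#your_app_field_target_2"}


def decode_one_hot(target, prefix):
    """Return the type names whose <prefix><name> flag equals 1."""
    return sorted(
        key[len(prefix):]
        for key, value in target.items()
        if key.startswith(prefix) and value == 1
    )


def summarize_target(target):
    """Reduce one target's attributes to the fields a rule would read."""
    return {
        "transition_type": decode_one_hot(target, TRANSITION_PREFIX),
        "entry_type": decode_one_hot(target, ENTRY_PREFIX),
        "transition_is_suspicious": target.get("transition_is_suspicious") == 1,
        # left_window: 0 = stayed, 1 = back in under 10 s, 2 = away over 10 s
        "left_window_over_10s": target.get("left_window") == 2,
        "shortcut_count": target.get("entry_shortcut_cnt") or 0,
        # entry_typing_fluency can be null, as in the example response
        "typing_fluency": target.get("entry_typing_fluency"),
    }


def summarize_custom_attributes(signal, expected_targets=EXPECTED_TARGETS):
    """Decode every target and report targets that are missing or unknown.

    A target that was renamed in the application disappears from the response,
    so a missing name is reported instead of being read as "no risk".
    """
    if signal.get("model") != "custom_attributes":
        raise ValueError("not a custom_attributes signal")
    attributes = signal.get("attributes") or {}
    targets = {
        name: summarize_target(value)
        for name, value in attributes.items()
        if name != "context" and isinstance(value, dict)
    }
    return {
        "version": signal.get("version"),
        "is_pc": (attributes.get("context") or {}).get("is_pc"),
        "targets": targets,
        "missing_targets": sorted(set(expected_targets) - set(targets)),
        "unexpected_targets": sorted(set(targets) - set(expected_targets)),
    }


# Constructed sample, trimmed from the example response on this page. The
# second target name (#renamed_field) and its values are made up to show a rename.
SAMPLE = {
    "version": "1.0.0",
    "model": "custom_attributes",
    "label": "",
    "attributes": {
        "context": {"is_pc": True},
        "#your_app_field_target_1": {
            "interaction_count": 1,
            "left_window": 0,
            "transition_type__is_mouse": 1,
            "transition_type__is_kbd": 0,
            "transition_is_suspicious": 0,
            "entry_type__is_type": 1,
            "entry_type__is_paste": 0,
            "entry_shortcut_cnt": 0,
            "entry_typing_fluency": None,
        },
        "#renamed_field": {
            "interaction_count": 2,
            "left_window": 2,
            "transition_type__is_kbd": 1,
            "transition_is_suspicious": 1,
            "entry_type__is_paste": 1,
            "entry_shortcut_cnt": 3,
            "entry_typing_fluency": None,
        },
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_custom_attributes(SAMPLE), indent=2))
```

Alerting on a non-empty `missing_targets` list catches a front-end rename before the rules that read those targets silently stop firing.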
Familiarity (v3)
The version 3 familiarity model provides information on how familiar a user is with the Personal Information data that they enter into your mobile/web application.
The `version` field contains the version of the model. The version can be `3.0.m` or `3.0.nm`.
- `3.0.m` means the user interacted with the application on a mobile device, and the `3.0` mobile model was used.
- `3.0.nm` means the user interacted with the application on a non-mobile (desktop) device, and the `3.0` non-mobile model was used.
The `label` field contains one of `high`, `medium`, `low`, or `insufficient data`, where:
- `high` means the user is very familiar with the Personal Information data they are entering into the application.
- `medium` means the user is somewhat familiar with the Personal Information data they are entering into the application.
- `low` means the user is not familiar with the Personal Information data they are entering into the application.
- `insufficient data` means the user has not interacted with enough of the application to make a decision on the user's familiarity.
The `model` field contains the name of the model. Currently this field has the prefix `challenger_`, meaning that this model should be a challenger model to your existing `familiarity` v2 model. You will need to evaluate the `familiarity` v3 model to determine if it is right for you.
The `score` field, if purchased, contains the raw value used in the label field.
The `reasonCodes` field, if purchased, contains the codes associated to the decisioning that resulted in the score of the model.
{
"version": "3.0.nm",
"model": "familiarity",
"label": "medium",
"reasonCodes": [
"A1300",
"A1800",
"A1100"
],
"score": 74.225929
}
When a new version becomes available, you can activate `challenger_familiarity` for comparison purposes.
{
"version": "3.0.nm",
"model": "challenger_familiarity",
"label": "medium",
"reasonCodes": [
"N1300",
"N1800",
"N1100"
],
"score": 72.885929
}
Fraud Ring Indicator
The `fraud_ring_indicator` signal flags that this session has behavior associated to fraud ring activities.
The `label` field is a boolean.
- A `true` value means the applicant has behavior associated to fraud ring activities.
- A `false` value means the applicant did not have behavior associated to fraud ring activities.
There are no `attributes` for Fraud Ring Indicator.
{
"version": "1.0",
"model": "fraud_ring_indicator",
"label": "false",
"attributes": {
},
"score": 0
}
Remote Access
The `remote_access` signal identifies if behaviors associated with a browser-based session are being controlled by remote access. This is a leading indicator of risk associated with scams and social engineering attacks.
The `label` field is a string.
- A `true` value indicates that remote access behaviors were detected.
- A `false` value indicates that remote access behaviors were not present.
- An `insufficient data` value indicates that the user has not interacted with enough of the application to make a decision on remote access behaviors.
The `score` field is a numeric value representing whether or not remote access behaviors were detected. A value of 0.0 indicates the current session is not associated with remote access behaviors, and a value of 1.0 indicates remote access behaviors are present.
{
"model": "remote_access",
"label": "false",
"version": "string",
"attributes": {},
"score": "number"
}
Risky Device
The `risky_device` signal flags that this device has previous sessions that have low familiarity.
The `label` field is a boolean.
- A `true` value means the device of the applicant has previous applications with low familiarity.
- A `false` value means the device of the applicant does not have previous sessions with low familiarity.
The `attributes` field has the following values:
- `risky_application_count` - A numeric value representing the count of previous sessions on the user's device that had low familiarity.
{
"version": "1.0",
"model": "risky_device",
"label": "false",
"attributes": {
"risky_application_count": 0
},
"score": 0
}
Session Login Fraud Ring Indicator
The `session_login_fraud_ring_indicator` signal identifies if fraudster efficiencies were used when interacting with the login fields.
The `label` field is a string.
- A `true` value indicates fraudster efficiencies were detected.
- A `false` value indicates fraudster efficiencies were not present.
- An `insufficient data` value indicates that this is the first observed session for a user, or the first observed session for the user was less than two hours ago.
The `score` field is a numeric value representing whether or not a login is associated with fraudster efficiencies. A value of 0.0 indicates the current login is not associated with fraudster efficiencies, and a value of 1.0 indicates fraudster behaviors are present.
{
"model": "session_login_fraud_ring_indicator",
"label": "false",
"version": "string",
"attributes": {},
"score": "number"
}
Device & Network Intelligence
The following signals are available to all sites configured for device and network intelligence. Some signals are only available on certain device types, and this is reflected in the documentation by the capsules below each signal name:
The capsules above represent a signal that's available for users on web, iOS, or Android.
Note: These capsules reflect the device type, not the SDK type. For example, a mobile SDK using React Native will generate signals for iOS and/or Android.
Bot Framework
The `bot_framework` signal identifies if a device has properties that are typically associated with automation tools.
The `label` field is a string.
- A `true` value means the device of the applicant has properties associated with automation tools.
- A `false` value means the device of the applicant does not have properties associated with automation tools.
{
"model": "bot_framework",
"label": "string"
}
Browser Type Change
The `browser_type_change` signal identifies if a user's browser has changed since the last session.
The `label` field is a string.
- A `true` value indicates the browser type has changed since the user's most recent previous session.
- A `false` value indicates the browser type has not changed since the user's most recent previous session.
- An `error` value either indicates that there's insufficient data to generate the signal or there was an error processing the signal for the session. If the value of `label` is `error`, there will be an additional `error` field inside the object.
The `error` field is an optional string where the value is one of the following:
- `Insufficient data: First observed session for user`: This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the `browser_type_count_*` attributes will still be populated.
- `Insufficient data: Previous session missing signal information`: This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the `browser_type_count_*` attributes will still be populated.
- `Internal error evaluating rule`: This represents a server-side error in the signal generation. In this case the `attributes` object will be empty, or the attribute values will be null.
The `attributes` object contains the following fields:
- `browser_type_count_1_day` - A numeric value representing the total count of browsers associated with a user in the past 24 hours.
- `browser_type_count_1_week` - A numeric value representing the total count of browsers associated with a user in the past 1 week.
- `browser_type_count_4_week` - A numeric value representing the total count of browsers associated with a user in the past 4 weeks.
- `browser_type_count_12_week` - A numeric value representing the total count of browsers associated with a user in the past 12 weeks.
{
"model": "browser_type_change",
"label": "string",
"version": "string",
"attributes": {
"browser_type_count_1_day": "number",
"browser_type_count_1_week": "number",
"browser_type_count_4_week": "number",
"browser_type_count_12_week": "number"
}
}
{
"model": "browser_type_change",
"label": "string",
"version": "string",
"attributes": {
"browser_type_count_1_day": "number",
"browser_type_count_1_week": "number",
"browser_type_count_4_week": "number",
"browser_type_count_12_week": "number"
},
"error": "string"
}
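The following is an added example, not NeuroID code: a consumer-side reader for the `label` / `error` / `attributes` contract described above, which applies equally to the other `*_change` signals documented on this page. It keeps "no previous session to compare against" and "internal error" apart from `false`, so a failed evaluation is never read as "nothing changed". `Outcome`, the function names, and the sample values are assumptions made for illustration.

```python
# Added example (not NeuroID code): read a *_change signal as four outcomes
# instead of a boolean. Error strings are the ones documented on this page;
# Outcome, classify_change_signal and the sample values are assumptions.
from enum import Enum

FIRST_SESSION = "Insufficient data: First observed session for user"
PREVIOUS_MISSING = "Insufficient data: Previous session missing signal information"
INTERNAL_ERROR = "Internal error evaluating rule"


class Outcome(Enum):
    CHANGED = "changed"
    UNCHANGED = "unchanged"
    NO_BASELINE = "no_baseline"   # nothing to compare against; counts still populated
    UNAVAILABLE = "unavailable"   # internal error or a shape this code does not know


def numeric_counts(attributes):
    """Keep only attributes that hold real numbers (they may be null or absent)."""
    return {
        name: value
        for name, value in (attributes or {}).items()
        if isinstance(value, (int, float)) and not isinstance(value, bool)
    }


def classify_change_signal(signal):
    """Return (Outcome, counts) for one *_change signal object."""
    label = signal.get("label")
    # The label is a JSON string, so bool(label) is True even for "false".
    if isinstance(label, bool):
        label = "true" if label else "false"
    label = label.strip().lower() if isinstance(label, str) else ""
    counts = numeric_counts(signal.get("attributes"))

    if label == "true":
        return Outcome.CHANGED, counts
    if label == "false":
        return Outcome.UNCHANGED, counts
    if label == "error" and signal.get("error") in (FIRST_SESSION, PREVIOUS_MISSING):
        return Outcome.NO_BASELINE, counts
    # Internal error, unknown error text or unexpected label: never "unchanged".
    return Outcome.UNAVAILABLE, {}


def classify_all(signals):
    """Map model name -> (Outcome, counts) for every *_change signal in a list."""
    return {
        s["model"]: classify_change_signal(s)
        for s in signals
        if str(s.get("model", "")).endswith("_change")
    }


# Constructed sample signals; versions and counts are made up.
SAMPLES = [
    {"model": "browser_type_change", "label": "false", "version": "1.0",
     "attributes": {"browser_type_count_1_day": 1, "browser_type_count_1_week": 1,
                    "browser_type_count_4_week": 2, "browser_type_count_12_week": 2}},
    {"model": "country_change", "label": "error", "version": "1.0",
     "attributes": {"country_count_1_day": 1, "country_count_1_week": 1,
                    "country_count_4_week": 1, "country_count_12_week": 1},
     "error": FIRST_SESSION},
    {"model": "device_type_change", "label": "error", "version": "1.0",
     "attributes": {"device_type_change_count_1_day": None}, "error": INTERNAL_ERROR},
    {"model": "incognito", "label": "true"},
]

if __name__ == "__main__":
    for model, (outcome, counts) in classify_all(SAMPLES).items():
        print(model, outcome.value, counts)
```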
Browser Version Change
The `browser_version_change` signal identifies if a user's browser version has changed since the last session.
The `label` field is a string.
- A `true` value indicates the browser version has changed since the user's most recent previous session.
- A `false` value indicates the browser version has not changed since the user's most recent previous session.
- An `error` value either indicates that there's insufficient data to generate the signal or there was an error processing the signal for the session. If the value of `label` is `error`, there will be an additional `error` field inside the object.
The `error` field is an optional string where the value is one of the following:
- `Insufficient data: First observed session for user`: This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the `browser_version_count_*` attributes will still be populated.
- `Insufficient data: Previous session missing signal information`: This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the `browser_version_count_*` attributes will still be populated.
- `Internal error evaluating rule`: This represents a server-side error in the signal generation. In this case the `attributes` object will be empty, or the attribute values will be null.
The `attributes` object contains the following fields:
- `browser_version_count_1_day` - A numeric value representing the total count of browser versions associated with a user in the past 24 hours.
- `browser_version_count_1_week` - A numeric value representing the total count of browser versions associated with a user in the past 1 week.
- `browser_version_count_4_week` - A numeric value representing the total count of browser versions associated with a user in the past 4 weeks.
- `browser_version_count_12_week` - A numeric value representing the total count of browser versions associated with a user in the past 12 weeks.
{
"model": "browser_version_change",
"label": "string",
"version": "string",
"attributes": {
"browser_version_count_1_day": "number",
"browser_version_count_1_week": "number",
"browser_version_count_4_week": "number",
"browser_version_count_12_week": "number"
}
}
{
"model": "browser_version_change",
"label": "string",
"version": "string",
"attributes": {
"browser_version_count_1_day": "number",
"browser_version_count_1_week": "number",
"browser_version_count_4_week": "number",
"browser_version_count_12_week": "number"
},
"error": "string"
}
Country Change
The `country_change` signal identifies if a user's country has changed since the last session.
The `label` field is a string.
- A `true` value indicates the country has changed since the user's most recent previous session.
- A `false` value indicates the country has not changed since the user's most recent previous session.
- An `error` value either indicates that there's insufficient data to generate the signal or there was an error processing the signal for the session. If the value of `label` is `error`, there will be an additional `error` field inside the object.
The `error` field is an optional string where the value is one of the following:
- `Insufficient data: First observed session for user`: This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the `country_count_*` attributes will still be populated.
- `Insufficient data: Previous session missing signal information`: This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the `country_count_*` attributes will still be populated.
- `Internal error evaluating rule`: This represents a server-side error in the signal generation. In this case the `attributes` object will be empty, or the attribute values will be null.
The `attributes` object contains the following fields:
- `country_count_1_day` - A numeric value representing the total count of countries associated with a user in the past 24 hours.
- `country_count_1_week` - A numeric value representing the total count of countries associated with a user in the past 1 week.
- `country_count_4_week` - A numeric value representing the total count of countries associated with a user in the past 4 weeks.
- `country_count_12_week` - A numeric value representing the total count of countries associated with a user in the past 12 weeks.
{
"model": "country_change",
"label": "string",
"version": "string",
"attributes": {
"country_count_1_day": "number",
"country_count_1_week": "number",
"country_count_4_week": "number",
"country_count_12_week": "number"
}
}
{
"model": "country_change",
"label": "string",
"version": "string",
"attributes": {
"country_count_1_day": "number",
"country_count_1_week": "number",
"country_count_4_week": "number",
"country_count_12_week": "number"
},
"error": "string"
}
Device Reputation
The `device_reputation` signal identifies if the device is associated with a blocklist you have provided or one of the available NeuroID blocklists. See Device and IP Blocklisting for more information about how blocklisting works.
The `label` field is a string.
- A `true` value means the device is associated to a blocklist.
- A `false` value means the device is not associated to a blocklist.
The `attributes` field has the following values:
- `customer_blocklist` - A boolean signaling the `deviceId` for a device was identified on a blocklist that you have provided.
- `global_blocklist` - A boolean signaling the `deviceId` for a device was found on the NeuroID blocklist of known fraudulent devices.
{
"model": "device_reputation",
"label": "string",
"attributes": {
"customer_blocklist": "boolean",
"global_blocklist": "boolean"
}
}
Device Type Change
The `device_type_change` signal identifies if a user's device's platform (i.e. personal computing device and/or associated operating system) has changed since the last session.
The `label` field is a string.
- A `true` value means the device platform of the user has changed since the most recent previous session.
- A `false` value means the device platform of the user has not changed since the most recent previous session.
- An `error` value either indicates that there's insufficient data to generate the signal or there was an error processing the signal for the session. If the value of `label` is `error`, there will be an additional `error` field inside the object.
The `error` field is an optional string where the value is one of the following:
- `Insufficient data: First observed session for user`: This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the `device_type_change_count_*` attributes will still be populated.
- `Insufficient data: Previous session missing signal information`: This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the `device_type_change_count_*` attributes will still be populated.
- `Internal error evaluating rule`: This represents a server-side error in the signal generation. In this case the `attributes` object will be empty, or the attribute values will be null.
The `attributes` object contains the following fields:
- `device_type_1_day` - A numeric value representing the total count of device types for a user in the past 24 hours.
- `device_type_1_week` - A numeric value representing the total count of device types for a user in the past 1 week.
- `device_type_4_week` - A numeric value representing the total count of device types for a user in the past 4 weeks.
- `device_type_12_week` - A numeric value representing the total count of device types for a user in the past 12 weeks.
{
"model": "device_type_change",
"label": "string",
"version": "string",
"attributes": {
"device_type_change_count_1_day": "number",
"device_type_change_count_1_week": "number",
"device_type_change_count_4_week": "number",
"device_type_change_count_12_week": "number"
}
}
{
"model": "device_type_change",
"label": "string",
"version": "string",
"attributes": {
"device_type_change_count_1_day": "number",
"device_type_change_count_1_week": "number",
"device_type_change_count_4_week": "number",
"device_type_change_count_12_week": "number"
},
"error": "string"
}
Device Velocity
The `device_velocity` signal identifies the number of sessions associated with a device.
The `label` field is a string.
- A `true` value means the device of the applicant is associated with more sessions than the `device_velocity_threshold`.
- A `false` value means the device of the applicant is associated with fewer sessions than the `device_velocity_threshold`.
- The `device_velocity_threshold` is configured by NeuroID based on the application type and has a default of `5` sessions.
The `attributes` field has the following values:
- `sessions_per_device_count_1_day` - A numeric value representing the count of total sessions on the user's device in the last 24 hours.
- `sessions_per_device_count_1_week` - A numeric value representing the count of total sessions on the user's device in the last week.
- `sessions_per_device_count_4_week` - A numeric value representing the count of total sessions on the user's device in the last 4 weeks.
- `multiple_sessions_per_device_count_12_week` - A numeric value representing the count of total sessions on the user's device in the last 12 weeks.
{
"model": "device_velocity",
"label": "string",
"attributes": {
"sessions_per_device_count_1_day": "number",
"sessions_per_device_count_1_week": "number",
"sessions_per_device_count_4_week": "number",
"sessions_per_device_count_12_week": "number"
}
}
Factory Reset
The `factory_reset` signal identifies if a mobile device has been reset to the default factory settings. If a device has been reset to default factory settings, this signal also provides the time in which that occurred.
The `label` field is a string.
- A `true` value means the device has been reset to default factory settings at some point.
- A `false` value means the device has never been reset to default factory settings.
{
"model": "factory_reset",
"label": "string",
"attributes": {
"time": "string",
"timestamp": "number"
}
}
GPS Spoofing
The `gps_spoofing` signal identifies if the location of a mobile device has been spoofed. Location spoofing is a common practice among fraudsters to fool fraud detection systems.
Note: this signal requires the host app to be granted Location Permission for iOS.
The `label` field is a string.
- A `true` value means the location of the mobile device has been spoofed.
- A `false` value means the location of the mobile device has not been spoofed.
{
"model": "gps_spoofing",
"label": "string",
}
Incognito
The incognito signal identifies if the web browser accessing your web application is being run in incognito mode.
The label field is a string.
- A true value means the web browser accessing your web application is being run in incognito mode.
- A false value means the web browser accessing your web application is not being run in incognito mode.
{
  "model": "incognito",
  "label": "string"
}
IP Address Association
The ip_address_association signal identifies if the public IP of the user is associated with a known IP address of various cloud providers.
The label field is a string.
- A true value means the public IP of the user is associated with a known IP address of various cloud providers.
- A false value means the public IP of the user is not associated with a known IP address of various cloud providers.
The attributes field has the following values:
- aws_ip_set - A boolean signaling the public IP address of the user is associated with the AWS (Amazon Web Services) public IP list.
- azure_* - A boolean signaling the public IP address of the user is associated with one of Microsoft Azure's public IP lists. The different lists from Microsoft Azure are: China, Germany, Government, and Public.
- digital_ocean_ip_set - A boolean signaling the public IP address of the user is associated with the Digital Ocean public IP list.
- google_ip_set - A boolean signaling the public IP address of the user is associated with the Google Cloud public IP list.
- vultr_ip_set - A boolean signaling the public IP address of the user is associated with the Vultr public IP list.
- oracle_ip_set - A boolean signaling the public IP address of the user is associated with the Oracle public IP list.
{
  "model": "ip_address_association",
  "label": "string",
  "attributes": {
    "aws_ip_set": "boolean",
    "azure_china_ip_set": "boolean",
    "azure_germany_ip_set": "boolean",
    "azure_government_ip_set": "boolean",
    "azure_public_ip_set": "boolean",
    "digital_ocean_ip_set": "boolean",
    "google_ip_set": "boolean",
    "oracle_ip_set": "boolean",
    "vultr_ip_set": "boolean"
  }
}
IP Address Change
The ip_address_change signal identifies if a user's IP address has changed since the last session.
The label field is a string.
- A true value indicates the IP address has changed since the user's most recent previous session.
- A false value indicates the IP address has not changed since the user's most recent previous session.
- An error value indicates either that there's insufficient data to generate the signal or that there was an error processing the signal for the session. If the value of label is error, there will be an additional error field inside the object.
The error field is an optional string where the value is one of the following:
- "Insufficient data: First observed session for user": This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the ip_address_count_* attributes will still be populated.
- "Insufficient data: Previous session missing signal information": This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the ip_address_count_* attributes will still be populated.
- "Internal error evaluating rule": This represents a server-side error in the signal generation. In this case the attributes object will be empty, or the attribute values will be null.
The attributes object contains the following fields:
- ip_address_count_1_day - A numeric value representing the total count of IP addresses associated with a user in the past 24 hours.
- ip_address_count_1_week - A numeric value representing the total count of IP addresses associated with a user in the past 1 week.
- ip_address_count_4_week - A numeric value representing the total count of IP addresses associated with a user in the past 4 weeks.
- ip_address_count_12_week - A numeric value representing the total count of IP addresses associated with a user in the past 12 weeks.
{
  "model": "ip_address_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "ip_address_count_1_day": "number",
    "ip_address_count_1_week": "number",
    "ip_address_count_4_week": "number",
    "ip_address_count_12_week": "number"
  }
}
{
  "model": "ip_address_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "ip_address_count_1_day": "number",
    "ip_address_count_1_week": "number",
    "ip_address_count_4_week": "number",
    "ip_address_count_12_week": "number"
  },
  "error": "string"
}
IP Blocklist
The ip_blocklist signal identifies if the public IP of the user is associated with a blocklist you have provided or one of the available NeuroID blocklists.
The label field is a string.
- A true value means the public IP of the user is found on a blocklist.
- A false value means the public IP of the user is not found on a blocklist.
The attributes field has the following values:
- customer_blocklist - A boolean signaling the public IP address of the user was found on a blocklist that you provided.
- global_blocklist - A boolean signaling the public IP address of the user was found on the NeuroID blocklist of known fraudulent IP addresses.
- partner_blocklist - A boolean signaling the public IP address of the user was found on a blocklist provided by third party partners.
{
  "model": "ip_blocklist",
  "label": "string",
  "attributes": {
    "customer_blocklist": "boolean",
    "global_blocklist": "boolean",
    "partner_blocklist": "boolean"
  }
}
Blocklisting from a Known List
The Device & Network capabilities support blocklisting based on IP Addresses and/or Device IDs. NeuroID generally recommends using these lists to inform High Risk operations, although your specific situation, risk appetite, or decisioning may vary.
During initial setup or when upgrading your relationship to include Device & Network features, you can discuss your blocklist operations/maintenance with your support representative. Subsequently, you'll be able to send a file to your representative with the necessary data to ensure the Blocklisted IP Address signal operates optimally from Day 1.
File Requirements
- The file should be a .CSV.
- The file should contain a single column named ‘ip_address’ that should include all IP Addresses to be blocked.
- The IP Addresses may include IPv4 or IPv6 formatted values.
- The file should be sent via email or Slack.
Note: NeuroID will assume the most recently received blocklist to be the source of truth. That means updated lists should include the full set of IP addresses and/or Device IDs to block, and not a list of items to append to previously sent lists.
This same process can be used to block Device IDs. To do so, use the column header ‘device_id’ and send the list in a separate file.
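
The following added example (not NeuroID code) builds an IP blocklist file that meets the requirements above and rebuilds the full list on every update, since the most recent file replaces earlier ones. The function names are hypothetical, the sample addresses are constructed from documentation ranges, and rejecting CIDR ranges is an assumption because the page only mentions individual addresses.

```python
import csv
import io
import ipaddress


def normalise(value):
    """Return the canonical text of one IPv4/IPv6 address, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        # Assumption: ranges such as 10.0.0.0/8 are rejected, not expanded.
        return None


def full_blocklist(previous, additions=(), removals=()):
    """Build the complete list to send; the newest file is the source of truth."""
    removed = {normalise(r) for r in removals}
    seen, kept, rejected = set(), [], []
    for raw in list(previous) + list(additions):
        addr = normalise(raw)
        if addr is None:
            rejected.append(raw)          # report bad rows instead of sending them
        elif addr not in removed and addr not in seen:
            seen.add(addr)                # de-duplicate on the canonical form
            kept.append(addr)
    return kept, rejected


def to_csv(addresses):
    """Serialise to a CSV with the single column header required by the page."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip_address"])
    for addr in addresses:
        writer.writerow([addr])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample data (RFC 5737 / RFC 3849 documentation addresses).
    kept, rejected = full_blocklist(
        previous=["203.0.113.7", "2001:0DB8:0:0:0:0:0:1"],
        additions=["198.51.100.23", " 203.0.113.7 ", "10.0.0.0/8", "not-an-ip"],
        removals=["2001:db8::1"],
    )
    print(to_csv(kept), end="")
    print("rejected:", rejected)
```
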
Multiple IDs Per Device
The multiple_ids_per_device signal identifies the number of sessions associated with a device.
The label field is a string.
- A true value means the device of the applicant is associated with more set identifiers than the multiple_ids_per_device_threshold.
- A false value means the device of the applicant is associated with fewer set identifiers than the multiple_ids_per_device_threshold.
- The multiple_ids_per_device_threshold is configured by NeuroID based on the application type and has a default of 5 identifiers.
The attributes field has the following values:
- multiple_ids_per_device_count_1_day - A numeric value representing the count of total identifiers on the user's device in the last 24 hours.
- multiple_ids_per_device_count_1_week - A numeric value representing the count of total identifiers on the user's device in the last week.
- multiple_ids_per_device_count_4_week - A numeric value representing the count of total identifiers on the user's device in the last 4 weeks.
- multiple_ids_per_device_count_12_week - A numeric value representing the count of total identifiers on the user's device in the last 12 weeks.
{
  "model": "multiple_ids_per_device",
  "label": "string",
  "attributes": {
    "multiple_ids_per_device_count_1_day": "number",
    "multiple_ids_per_device_count_1_week": "number",
    "multiple_ids_per_device_count_4_week": "number",
    "multiple_ids_per_device_count_12_week": "number"
  }
}
Multiple Users Per Device
The multiple_users_per_device signal identifies if multiple userIDs are associated with a single device.
The label field is a string.
- A true value indicates the number of userIDs associated with a device exceeds the threshold.
- A false value indicates the number of userIDs associated with a device does not exceed the threshold.
- The multiple_users_per_device_threshold is configured by NeuroID based on the application type and has a default of 5 sessions.
- An error value indicates that there was an error processing the signal for the session. If the value of label is error, there will be an additional error field inside the object. No "insufficient data" errors are expected for this signal.
The attributes object contains the following fields:
- registered_user_id_count_1_day - A numeric value representing the total count of userIDs associated with the device in the past 24 hours.
- registered_user_id_count_1_week - A numeric value representing the total count of userIDs associated with the device in the past 1 week.
- registered_user_id_count_4_week - A numeric value representing the total count of userIDs associated with the device in the past 4 weeks.
- registered_user_id_count_12_week - A numeric value representing the total count of userIDs associated with the device in the past 12 weeks.
{
  "model": "multiple_users_per_device",
  "label": "string",
  "version": "string",
  "attributes": {
    "registered_user_id_count_1_day": "number",
    "registered_user_id_count_1_week": "number",
    "registered_user_id_count_4_week": "number",
    "registered_user_id_count_12_week": "number"
  }
}
New Device
The new_device signal identifies if the user's device has not been used in any session in the past 12 weeks.
The label field is a string.
- A true value means the device of the user hasn't been seen in the past 12 weeks.
- A false value means the device of the user has been seen in the past 12 weeks.
The attributes object contains the following fields:
- new_device_count_1_day - A numeric value representing the total count of deviceIds for a user in the past 24 hours.
- new_device_count_1_week - A numeric value representing the total count of deviceIds for a user in the past 1 week.
- new_device_count_4_week - A numeric value representing the total count of deviceIds for a user in the past 4 weeks.
- new_device_count_12_week - A numeric value representing the total count of deviceIds for a user in the past 12 weeks.
{
  "model": "new_device",
  "label": "string",
  "version": "string",
  "attributes": {
    "new_device_count_1_day": "number",
    "new_device_count_1_week": "number",
    "new_device_count_4_week": "number",
    "new_device_count_12_week": "number"
  }
}
OS Type Change
The os_type_change signal identifies if a user's operating system has changed since the last session.
The label field is a string.
- A true value indicates the operating system has changed since the user's most recent previous session.
- A false value indicates the operating system has not changed since the user's most recent previous session.
- An error value indicates either that there's insufficient data to generate the signal or that there was an error processing the signal for the session. If the value of label is error, there will be an additional error field inside the object.
The error field is an optional string where the value is one of the following:
- "Insufficient data: First observed session for user": This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the os_type_count_* attributes will still be populated.
- "Insufficient data: Previous session missing signal information": This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the os_type_count_* attributes will still be populated.
- "Internal error evaluating rule": This represents a server-side error in the signal generation. In this case the attributes object will be empty, or the attribute values will be null.
The attributes object contains the following fields:
- os_type_count_1_day - A numeric value representing the total count of operating systems associated with a user in the past 24 hours.
- os_type_count_1_week - A numeric value representing the total count of operating systems associated with a user in the past 1 week.
- os_type_count_4_week - A numeric value representing the total count of operating systems associated with a user in the past 4 weeks.
- os_type_count_12_week - A numeric value representing the total count of operating systems associated with a user in the past 12 weeks.
{
  "model": "os_type_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "os_type_count_1_day": "number",
    "os_type_count_1_week": "number",
    "os_type_count_4_week": "number",
    "os_type_count_12_week": "number"
  }
}
{
  "model": "os_type_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "os_type_count_1_day": "number",
    "os_type_count_1_week": "number",
    "os_type_count_4_week": "number",
    "os_type_count_12_week": "number"
  },
  "error": "string"
}
OS Version Change
The os_version_change signal identifies if a user's operating system version has changed since the last session.
The label field is a string.
- A true value indicates the operating system version has changed since the user's most recent previous session.
- A false value indicates the operating system version has not changed since the user's most recent previous session.
- An error value indicates either that there's insufficient data to generate the signal or that there was an error processing the signal for the session. If the value of label is error, there will be an additional error field inside the object.
The error field is an optional string where the value is one of the following:
- "Insufficient data: First observed session for user": This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the os_version_count_* attributes will still be populated.
- "Insufficient data: Previous session missing signal information": This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the os_version_count_* attributes will still be populated.
- "Internal error evaluating rule": This represents a server-side error in the signal generation. In this case the attributes object will be empty, or the attribute values will be null.
The attributes object contains the following fields:
- os_version_count_1_day - A numeric value representing the total count of operating system versions associated with a user in the past 24 hours.
- os_version_count_1_week - A numeric value representing the total count of operating system versions associated with a user in the past 1 week.
- os_version_count_4_week - A numeric value representing the total count of operating system versions associated with a user in the past 4 weeks.
- os_version_count_12_week - A numeric value representing the total count of operating system versions associated with a user in the past 12 weeks.
{
  "model": "os_version_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "os_version_count_1_day": "number",
    "os_version_count_1_week": "number",
    "os_version_count_4_week": "number",
    "os_version_count_12_week": "number"
  }
}
{
  "model": "os_version_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "os_version_count_1_day": "number",
    "os_version_count_1_week": "number",
    "os_version_count_4_week": "number",
    "os_version_count_12_week": "number"
  },
  "error": "string"
}
Public Proxy
The public_proxy signal identifies if the public IP of the user is associated with a proxy server. A proxy server acts as an intermediary server separating end users from web pages they visit.
The label field is a string.
- A true value means the public IP of the user is associated with a proxy network provider.
- A false value means the public IP of the user is not associated with a proxy network provider.
{
  "model": "public_proxy",
  "label": "string"
}
Rapid Location Change
The rapid_location_change signal determines the distance a user has traveled since their most recent session.
The max_travel_speed_km_h is configured to 1059 kilometers per hour. This speed corresponds with the max speed of a Boeing 747-8, which is the fastest commercial airplane today.
The label field is a string.
- A true value indicates the user has traveled an unrealistic distance since the last session. The user's distance over time since the last session exceeds the max_travel_speed_km_h.
- A false value indicates the user has not traveled an unrealistic distance since the last session. The user's distance over time since the last session does not exceed the max_travel_speed_km_h.
- An error value indicates either that there's insufficient data to generate the signal or that there was an error processing the signal for the session. If the value of label is error, there will be an additional error field inside the object.
The error field is an optional string where the value is one of the following:
- "Insufficient data: First observed session for user": This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against.
- "Insufficient data: Previous session missing signal information": This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified.
- "Internal error evaluating rule": This represents a server-side error in the signal generation. In this case the attributes object will be empty, or the attribute values will be null.
The attributes object contains the following fields:
- distance_km_between_sessions - A numeric value representing the total distance in kilometers between the user's current session and the user's most recent previous session.
- time_hr_between_sessions - A numeric value representing the total time in hours between the user's current session and the user's most recent previous session.
{
  "model": "rapid_location_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "distance_km_between_sessions": "number",
    "time_hr_between_sessions": "number"
  }
}
{
  "model": "rapid_location_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "distance_km_between_sessions": "null",
    "time_hr_between_sessions": "null"
  },
  "error": "string"
}
Suspicious Device
The suspicious_device signal identifies if a device has properties that suggest the device has been modified in a way that indicates the device is being used for fraudulent or bot activity.
The label field is a string.
- A true value means the device of the applicant has suspicious or missing properties.
- A false value means the device of the applicant does not have suspicious or missing properties.
The attributes field contains the following values:
- emulator - A boolean flagging if the device is running in simulator mode.
- jailbroken - A boolean flagging if the device has jailbroken applications installed on the device. This suggests the device has been jailbroken. This attribute will always be false for non-mobile sessions.
- missing_expected_properties - A boolean flagging if the web browser used to access your web application is missing standard web properties. This suggests the browser has been modified for web application scripting. This attribute will always be false for non-web sessions. The NeuroID JavaScript library examines the values of many web properties. A few examples of risky values are:
  - canvas property is not supported
  - languages list is empty
  - plugins list is empty
  - localStorage and sessionStorage are not available
- frida - A boolean flagging if Frida is being used to instrument the app. Frida is a toolkit that fraudsters use to spoof an app at runtime and change its behavior. Note: this signal will always be false for web sessions.
- high_risk_plugins - A boolean flagging if the browser has risky plugins installed. For example, the Shockwave Flash plugin would trigger this signal because it has known vulnerabilities, and it was discontinued in 2019.
{
  "model": "suspicious_device",
  "label": "string",
  "attributes": {
    "emulator": "boolean",
    "jailbroken": "boolean",
    "missing_expected_properties": "boolean",
    "frida": "boolean",
    "high_risk_plugins": "boolean"
  }
}
TOR Exit Node
The tor_exit_node signal identifies if the public IP of the user is associated with a TOR (The Onion Router) exit node.
The label field is a string.
- A true value means the public IP of the user is associated with a TOR exit node.
- A false value means the public IP of the user is not associated with a TOR exit node.
{
  "model": "tor_exit_node",
  "label": "string"
}
User Agent Change
The user_agent_change signal identifies if a user's user agent has changed since the last session.
The label field is a string.
- A true value indicates the user agent has changed since the user's most recent previous session.
- A false value indicates the user agent has not changed since the user's most recent previous session.
- An error value indicates either that there's insufficient data to generate the signal or that there was an error processing the signal for the session. If the value of label is error, there will be an additional error field inside the object.
The error field is an optional string where the value is one of the following:
- "Insufficient data: First observed session for user": This signifies the current session is the first observed session for the user; therefore there is no previous session to compare against. In this case, the user_agent_count_* attributes will still be populated.
- "Insufficient data: Previous session missing signal information": This signifies the previous session is missing data for this signal; therefore the signal change cannot be identified. In this case, the user_agent_count_* attributes will still be populated.
- "Internal error evaluating rule": This represents a server-side error in the signal generation. In this case the attributes object will be empty, or the attribute values will be null.
The attributes object contains the following fields:
- user_agent_count_1_day - A numeric value representing the total count of user agents associated with a user in the past 24 hours.
- user_agent_count_1_week - A numeric value representing the total count of user agents associated with a user in the past 1 week.
- user_agent_count_4_week - A numeric value representing the total count of user agents associated with a user in the past 4 weeks.
- user_agent_count_12_week - A numeric value representing the total count of user agents associated with a user in the past 12 weeks.
{
  "model": "user_agent_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "user_agent_count_1_day": "number",
    "user_agent_count_1_week": "number",
    "user_agent_count_4_week": "number",
    "user_agent_count_12_week": "number"
  }
}
{
  "model": "user_agent_change",
  "label": "string",
  "version": "string",
  "attributes": {
    "user_agent_count_1_day": "number",
    "user_agent_count_1_week": "number",
    "user_agent_count_4_week": "number",
    "user_agent_count_12_week": "number"
  },
  "error": "string"
}
VPN
The vpn signal identifies if the public IP of the user is associated with a VPN (Virtual Private Network) Provider. A VPN creates an encrypted tunnel for your customers that hides their IP address, and encrypts the data sent across the web.
The label field is a string.
- A true value means the public IP of the user is associated with a VPN provider.
- A false value means the public IP of the user is not associated with a VPN provider.
{
  "model": "vpn",
  "label": "string"
}
Example API Response
{
  "status": "SUCCESS",
  "message": "success",
  "moreInfo": null,
  "profile": {
    "siteId": "form_neuro500",
    "funnel": "unknown",
    "clientId": "CCAD7576-6FFD-4188-87C9-0EB037FEDCEF",
    "deviceId": "bzdVIJWBB79bnzRGjdrm",
    "signals": [
      {
        "version": "2.7",
        "model": "familiarity",
        "label": "medium",
        "score": 48.05
      },
      {
        "version": "1.0",
        "model": "fraud_ring_indicator",
        "label": "false",
        "score": 0.0
      },
      {
        "version": "1.0",
        "model": "automated_activity",
        "label": "false",
        "score": 0.0
      },
      {
        "version": "1.0",
        "model": "combined_digital_intent",
        "label": "neutral",
        "score": 0.5
      },
      {
        "version": "1.0",
        "model": "risky_device",
        "label": "false",
        "score": 0.0
      },
      {
        "version": "1.0",
        "model": "bot_framework",
        "label": "false",
        "attributes": {}
      },
      {
        "version": "1.0",
        "model": "device_reputation",
        "label": "false",
        "attributes": {
          "customer_blocklist": false,
          "global_blocklist": false
        }
      },
      {
        "version": "1.0",
        "model": "device_velocity",
        "label": "false",
        "attributes": {
          "sessions_per_device_count_1_day": 1,
          "sessions_per_device_count_1_week": 1,
          "sessions_per_device_count_4_week": 1,
          "sessions_per_device_count_12_week": 1
        }
      },
      {
        "version": "1.0",
        "model": "incognito",
        "label": "false",
        "attributes": {}
      },
      {
        "version": "1.0",
        "model": "public_proxy",
        "label": "false",
        "attributes": {}
      },
      {
        "version": "1.0",
        "model": "suspicious_device",
        "label": "false",
        "attributes": {
          "emulator": false,
          "jailbroken": false,
          "missing_expected_properties": false
        }
      },
      {
        "version": "1.0",
        "model": "tor_exit_node",
        "label": "false",
        "attributes": {}
      },
      {
        "version": "1.0",
        "model": "vpn",
        "label": "false",
        "attributes": {}
      },
      {
        "version": "1.0",
        "model": "ip_address_association",
        "label": "false",
        "attributes": {
          "aws_ip_set": false,
          "azure_china_ip_set": false,
          "azure_germany_ip_set": false,
          "azure_government_ip_set": false,
          "azure_public_ip_set": false,
          "digital_ocean_ip_set": false,
          "google_ip_set": false,
          "oracle_ip_set": false,
          "vultr_ip_set": false
        }
      },
      {
        "version": "1.0",
        "model": "ip_blocklist",
        "label": "false",
        "attributes": {
          "customer_blocklist": false,
          "global_blocklist": false,
          "partner_blocklist": false
        }
      }
    ],
    "id": "example-response-1"
  }
}
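
Because every label is a string, a truthiness check treats "false" and "error" as hits. The following added example (not NeuroID code) classifies each signal in a response into explicit states, separates the documented "Insufficient data" errors from the internal error, and recomputes the speed implied by rapid_location_change while tolerating null attributes. The function names, state names and sample response are constructed for illustration.

```python
MAX_TRAVEL_SPEED_KM_H = 1059          # value given in the Rapid Location Change section
INSUFFICIENT = "Insufficient data:"   # prefix shared by the two documented baseline errors


def classify(signal):
    """Return 'hit', 'clear', 'no_baseline', 'unavailable' or 'other' for one signal."""
    label = signal.get("label")
    if label == "true":
        return "hit"
    if label == "false":
        return "clear"
    if label == "error":
        error = signal.get("error") or ""
        # First session / missing previous data is expected; anything else is a fault.
        return "no_baseline" if error.startswith(INSUFFICIENT) else "unavailable"
    return "other"  # graded labels such as "medium" or "neutral"


def implied_speed_km_h(signal):
    """Speed implied by a rapid_location_change signal, or None if attributes are null."""
    attrs = signal.get("attributes") or {}
    distance = attrs.get("distance_km_between_sessions")
    hours = attrs.get("time_hr_between_sessions")
    if distance is None or hours is None:
        return None
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def summarise(response):
    """Group model names by state for the signals in one API response."""
    summary = {}
    for signal in (response.get("profile") or {}).get("signals", []):
        summary.setdefault(classify(signal), []).append(signal.get("model"))
    return summary


# Constructed sample in the shape of the example response (not real data).
SAMPLE = {
    "status": "SUCCESS",
    "profile": {
        "signals": [
            {"version": "2.7", "model": "familiarity", "label": "medium", "score": 48.05},
            {"version": "1.0", "model": "vpn", "label": "true", "attributes": {}},
            {"version": "1.0", "model": "incognito", "label": "false", "attributes": {}},
            {"version": "1.0", "model": "ip_address_change", "label": "error",
             "attributes": {"ip_address_count_1_day": 1, "ip_address_count_1_week": 1,
                            "ip_address_count_4_week": 1, "ip_address_count_12_week": 1},
             "error": "Insufficient data: First observed session for user"},
            {"version": "1.0", "model": "os_type_change", "label": "error",
             "attributes": {}, "error": "Internal error evaluating rule"},
            {"version": "1.0", "model": "rapid_location_change", "label": "true",
             "attributes": {"distance_km_between_sessions": 8000,
                            "time_hr_between_sessions": 2}},
        ]
    },
}

# Pitfall: a truthiness check on the string label counts every signal as a hit.
NAIVE_HITS = [s["model"] for s in SAMPLE["profile"]["signals"] if s["label"]]

if __name__ == "__main__":
    print(summarise(SAMPLE))
    print(len(NAIVE_HITS), "signals pass a naive truthiness check")
    speed = implied_speed_km_h(SAMPLE["profile"]["signals"][-1])
    print(speed, "km/h, above limit:", speed > MAX_TRAVEL_SPEED_KM_H)
```
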