Meet Rippling Behavioral Detection Rules: Better security, automated


Jun 15, 2021

Protecting employees and company data from unauthorized access is a top priority for every team. While multi-factor authentication can be very effective, it’s not always the right tool for the job. That’s why we’re proud to announce behavioral detection rules.

Behavioral detection joins Rippling’s robust identity management solution to make signing in even more secure. It gives your team tons of flexibility governing access to Rippling and the other applications that your company integrates with Rippling.

Why we built behavioral detection rules

Behavioral detection is quickly becoming a standard feature for security, but there were a few gaps we knew Rippling could fill. In addressing these, we’ve made behavioral detection more accessible and powerful than ever before. 

First, we decided that more companies should have access to behavioral detection. Unlike our competitors, who offer behavioral detection as an add-on, we include it for every Rippling customer for free. 

The second issue was rigidity. Other platforms’ behavioral detection rules don’t allow much customization or granularity, which businesses need when trying to balance employee experience with risk tolerance. That’s why Rippling allows you to configure triggers and actions for the use cases that are relevant to your organization.

How behavioral detection rules work

When a user is trying to authenticate, unusual behavior will prompt a trigger. This trigger is attached to a rule, which you and your organization have already set up through Rippling. And that rule causes a specific action to happen—also of your choosing.

You can apply behavioral detection rules to users logging in to Rippling or signing in to Rippling-integrated SAML apps, as well as any request that occurs between a web client and the Rippling platform. These rules can apply to specific teams, locations, individuals, or employment types (like contractors).

Rippling gives you complete control over which triggers are active. When making rules, you can link multiple triggers, too, so that entire patterns are flagged. 

Reviewing rules is easy. You can see which rules are active, even if they’re not triggered, by checking a sign-in’s activity report. All of the relevant, configured rules will be listed there.

How rules are triggered

When a user signs in, Rippling will run their IP address details through the custom rules you’ve set up in your company’s security settings. 

If a user is blocked from signing in, your admins will get an email notification. This will show which triggered rules caused the restriction. If the sign-in looks legitimate, you’ll be able to unblock the employee.

Which rules are included

For behavioral detection, we’ve baked in two default rules for all new Rippling accounts. They protect against common security risks, like brute force attacks and traffic from Tor exit nodes.

The first of these default rules will be triggered after 5 consecutive incorrect attempts. Even if the password is right on the sixth attempt, the sign-in will still be blocked. The second default rule will block any traffic from Tor exit nodes.

In addition to these default rules, you can choose custom triggers for different groups within your organization. Rippling supports triggers for when a user tries to sign in:

  • From a specific IP address type 
  • From a new city
  • From a new state
  • From a new country
  • Using a new IP address 
  • From pre-approved VPN IP addresses
  • Using an IP address not listed in a predetermined list 
  • After a specified number of incorrect attempts
  • With an impossible velocity between 2 successive attempts

And remember, you can combine multiple triggers for your rules.
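
To make two of these triggers concrete, here is an added sketch (not Rippling's code or API) of how the consecutive-failure rule and the impossible-velocity trigger could be evaluated over a stream of sign-in attempts. The `Attempt` record, the 1,000 km/h speed threshold, the geolocated coordinates, and the choice to keep a user blocked until the counter is reset are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_FAILURES = 5        # from the page: 5 consecutive incorrect attempts
MAX_SPEED_KMH = 1000.0  # assumption: anything faster counts as impossible

@dataclass
class Attempt:
    user: str
    ts: float           # epoch seconds
    lat: float          # assumed to come from IP geolocation
    lon: float
    password_ok: bool

def km_between(a, b):
    """Great-circle (haversine) distance between two attempts."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(attempts):
    """Return one (decision, triggers) pair per attempt, in order."""
    failures, previous, out = {}, {}, []
    for a in attempts:
        triggers = []
        if failures.get(a.user, 0) >= MAX_FAILURES:
            triggers.append("too_many_failures")
        prev = previous.get(a.user)
        if prev is not None:
            hours = max(a.ts - prev.ts, 1.0) / 3600.0  # avoid divide-by-zero
            if km_between(prev, a) / hours > MAX_SPEED_KMH:
                triggers.append("impossible_velocity")
        if triggers:
            decision = "block"      # counter is kept: stays blocked until reset
        elif a.password_ok:
            decision = "allow"
            failures[a.user] = 0    # a clean success resets the streak
        else:
            decision = "deny"
        if not a.password_ok:
            failures[a.user] = failures.get(a.user, 0) + 1
        previous[a.user] = a
        out.append((decision, triggers))
    return out

# Constructed sample data: five wrong passwords then a correct one, and a
# San Francisco sign-in followed 30 minutes later by one from London.
SAMPLE = [Attempt("alice", 60.0 * i, 37.77, -122.42, i == 5) for i in range(6)]
SAMPLE += [Attempt("bob", 0.0, 37.77, -122.42, True),
           Attempt("bob", 1800.0, 51.51, -0.13, True)]
```

Running `evaluate(SAMPLE)` shows the sixth attempt blocked despite the correct password, and the second sign-in from a distant location blocked on velocity alone.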

Taking action

When a rule is triggered, an action occurs in response. You, as the administrator, can choose actions to correspond with rules. Rippling supports the following actions:

  • Allow the user access, using an “allowlist” 
  • Limit session lifetime, which will override session lifetimes defined in other apps
  • Require an additional factor for MFA 
  • Block the user’s access

In the last of these, you can select how severely to block a user. It can be for just a single attempt. It can be for a period of time, ranging from 15 minutes to a full day. Or you can simply block a user until an admin goes in and manually unblocks them.

Security at Rippling

Rippling manages data for thousands of companies—and hundreds of thousands of employees. Security is not only an offering to our customers, but a cornerstone of our business and the products we build. 

Behavioral detection is a part of that promise. At Rippling we use behavioral detection rules for every employee internally. Plus, we enforce MFA using FIDO2 for many departments to ensure we are being responsible custodians of customer data. 

Interested in learning more about behavioral detection rules, or any of our other security measures? Schedule a demo with us today to see the product in action.

last edited: March 26, 2024

The Author

Sam Gnesin

Product Lead