Meet Rippling Behavioral Detection Rules: Better security, automated

How rules are triggered

When a user signs in, Rippling will run their IP address details through the custom rules you’ve set up in your company’s security settings. 

If a user is blocked from signing in, your admins will get an email notification. This will show which triggered rules caused the restriction. If the sign-in looks legitimate, you’ll be able to unblock the employee.

Which rules are included

For behavioral detection, we’ve baked in two default rules for all new Rippling accounts. They protect against common security risks, like brute force attacks and traffic from Tor exit nodes.

The first of these default rules will be triggered after 5 consecutive incorrect attempts. Even if the password is right on the sixth attempt, the sign-in will still be blocked. The second default rule will block any traffic from Tor exit nodes.

In addition to these default rules, you can choose custom triggers for different groups within your organization. Rippling supports triggers for when a user tries to sign in:

  • From a specific IP address type 

  • From a new city

  • From a new state

  • From a new country

  • Using a new IP address 

  • From pre-approved VPN IP addresses

  • Using an IP address not listed in a predetermined list 

  • After a specified number of incorrect attempts

  • With an impossible velocity between 2 successive attempts

And remember, you can combine multiple triggers for your rules.
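The incorrect-attempt and impossible-velocity triggers described above, and how they combine on one sign-in, modelled as an added example (this is not Rippling's implementation). The 1,000 km/h threshold, the trigger names, `RuleEngine`, `unblock` and the sample coordinates are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_FAILURES = 5        # from the page: 5 consecutive incorrect attempts
MAX_SPEED_KMH = 1000.0  # assumption: anything faster than an airliner is impossible

@dataclass
class SignIn:
    user: str
    ts: float           # epoch seconds
    lat: float          # from IP geolocation
    lon: float
    password_ok: bool

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(min(1.0, sqrt(a)))

class RuleEngine:
    def __init__(self):
        self.failures = {}  # user -> consecutive incorrect attempts
        self.last = {}      # user -> previous attempt, successful or not

    def evaluate(self, ev):
        """Return the names of the triggers this attempt fires, in check order."""
        fired = []
        # Checked before the password result, so a correct sixth attempt is still flagged.
        if self.failures.get(ev.user, 0) >= MAX_FAILURES:
            fired.append("incorrect_attempts")
        prev = self.last.get(ev.user)
        if prev is not None:
            hours = max(ev.ts - prev.ts, 1.0) / 3600.0  # 1 s floor avoids division by zero
            if haversine_km(prev.lat, prev.lon, ev.lat, ev.lon) / hours > MAX_SPEED_KMH:
                fired.append("impossible_velocity")
        self.last[ev.user] = ev
        if not ev.password_ok:
            self.failures[ev.user] = self.failures.get(ev.user, 0) + 1
        elif not fired:
            self.failures[ev.user] = 0  # only a clean success resets the streak
        return fired

    def unblock(self, user):  # hypothetical admin action: clear the streak
        self.failures.pop(user, None)

def demo():  # constructed events: 5 failures in New York, then a correct sign-in from London
    eng = RuleEngine()
    results = [eng.evaluate(SignIn("dave", 60.0 * i, 40.71, -74.01, False)) for i in range(5)]
    return results + [eng.evaluate(SignIn("dave", 840.0, 51.51, -0.13, True))]
```

Each returned name would then map to one of the configured actions, such as an extra MFA factor or a block.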

Taking action

When a rule is triggered, an action occurs in response. You, as the administrator, can choose actions to correspond with rules. Rippling supports the following actions:

  • Allow the user access, using an “allowlist” 

  • Limit session lifetime, which will override session lifetimes defined in other apps

  • Require an additional factor for MFA 

  • Block the user’s access

In the last of these, you can select how severely to block a user. It can be for just a single attempt. It can be for a period of time, ranging from 15 minutes to a full day. Or you can simply block a user until an admin goes in and manually unblocks them.

Disclaimer

Rippling and its affiliates do not provide tax, accounting, or legal advice. This material has been prepared for informational purposes only, and is not intended to provide or be relied on for tax, accounting, or legal advice. You should consult your own tax, accounting, and legal advisors before engaging in any related activities or transactions.

Author

Sam Gnesin

Product Lead
