Meet Rippling Behavioral Detection Rules: Better security, automated

Author

Author

Sam Gnesin

Published

June 15, 2021

Updated

June 18, 2025

Read time

2 MIN

In this article

How rules are triggered

When a user signs in, Rippling will run their IP address details through the custom rules you’ve set up in your company’s security settings.

If a user is blocked from signing in, your admins will get an email notification. This will show which triggered rules caused the restriction. If the sign-in looks legitimate, you’ll be able to unblock the employee.

Which rules are included

For behavioral detection, we’ve baked in two default rules for all new Rippling accounts. They protect against common security risks, like brute force attacks and traffic from Tor Exit Nodes.

The first of these default rules will be triggered after 5 consecutive incorrect attempts. Even if the password is right on the sixth attempt, the sign-in will still be blocked. The second default rule will block any traffic from Tor exit nodes.

In addition to these default rules, you can choose custom triggers for different groups within your organization. Rippling supports triggers for when a user tries to sign in:

From a specific IP address type
From a new city
From a new state
From a new country
Using a new IP address
From pre-approved VPN IP addresses
Using an IP address not listed in a predetermined list
After a specified number of incorrect attempts
With an impossible velocity between 2 successive attempts

And remember, you can combine multiple triggers for your rules.

Taking action

When a rule is triggered, an action occurs in response. You, as the administrator, can choose actions to correspond with rules. Rippling supports the following actions:

Allow the user access, using an “allowlist”
Limit session lifetime, which will override session lifetimes defined in other apps
Require an additional factor for MFA
Block the user’s access

In the last of these, you can select how severely to block a user. It can be for just a single attempt. It can be for a period of time, ranging from 15 minutes to a full day. Or you can simply block a user until an admin goes in and manually unblocks them.

Disclaimer

Rippling and its affiliates do not provide tax, accounting, or legal advice. This material has been prepared for informational purposes only, and is not intended to provide or be relied on for tax, accounting, or legal advice. You should consult your own tax, accounting, and legal advisors before engaging in any related activities or transactions.

Hubs

Author

Sam Gnesin

Product Lead

Explore more

Graphic illustration of ripples formed with converging lines

Aug 21, 2025

11 min

What is threat detection and response (TDR)? Complete guide

Learn about threat detection and response and its importance in protecting your business. Get best practices for responding to security threats.

Aug 21, 2025

10 min

Endpoint protection: The impact of AI and ML on threat detection

Explore the impact of AI and ML on modern endpoint protection, enabling organizations to detect and respond to advanced threats efficiently and effectively.

Aug 21, 2025

7 min

7 powerful (yet simple) steps to secure your Rippling tenant

Your HRIS holds sensitive data, which is why we built powerful IT products on our platform to secure your company and still keep your teams productive.