{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"redocly_category":"Journeys","product":"Identity Management","type":"markdown"},"seo":{"title":"Risk Level Analysis","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"risk-level-analysis","__idx":0},"children":["Risk Level Analysis"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge-wrapper"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Client SDK"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Mobile approve"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["SSO"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Sub-journey"]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Evaluates real-time risk indicators for identity-driven threats and exposes them to the journey"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"description","__idx":1},"children":["Description"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step evaluates user interactions in real time using ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/identity_threat_protection"},"children":["Identity Threat Protection"]},", returns a set of discrete risk indicators, and branches the journey based on the rule engine outcome. To analyze risk level using this step:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Ensure ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identity Threat Protection"]}," is enabled as the risk engine for your tenant. Contact your Customer Success Manager to enable it."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Configure evaluation ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/risk/rules"},"children":["rules"]}," under ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Journey Tools"]},"."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Initialize Orchestration SDK with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["collectRiskData"]}," set to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["true"]},". For Web, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/sdk-ref/idosdk/overview#initialization"},"children":["SDK initialization"]},". "]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Upon detection, the risk signal is evaluated against the rule engine, which maps the signal to an ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allow"]},", ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Deny"]},", or ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom"]}," decision. The step branches accordingly:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allow (rule-based)"]},": The matched rule allows the interaction. The journey proceeds along the Allow branch."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Deny (rule-based)"]},": The matched rule denies the interaction. The journey proceeds along the Deny branch."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom"]},": No rule matched. The journey proceeds along the Custom branch, you can use ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/condition"},"children":["Condition"]}," steps with ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["@std.contains()"]}," expressions to check for specific risk factors."]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Note"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Identity Threat Protection returns risk indicators, not a full recommendation. If you need ML-driven recommendations, risk scoring, or full analytics, use the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/risk_recommendation"},"children":["Risk Recommendation"]}," step with ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/risk/overview"},"children":["Fraud Prevention"]}," instead."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configuration","__idx":2},"children":["Configuration"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":""},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Field"]}]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":""},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Description"]}]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Action type"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Specifies the action being evaluated for risk, such as ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["login"]},", or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["register"]},"."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Output variable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Name of the variable used to store the result data from the completed step, including a list of risk signals, reasons and applied rule."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Error behavior"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Determines the behavior in case an unexpected error occurs during the process. You can choose to either abort the journey (default) or handle errors using a dedicated error branch."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Journey event data"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/getting-started/event_reporting"},"children":["Additional data reporting"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"output","__idx":3},"children":["Output"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The output variable contains the risk evaluation result and, if a rule matched, the rule decision. For example:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n \"risk_analysis\": {\n \"risk_result\": {\n \"context\": {\n \"action_id\": \"735a3fd1f1103b5ed64b..\",\n \"action_type\": \"login\",\n \"action_performed_at\": 1779463611509,\n \"device_timestamp\": 1779463611509,\n \"device_id\": \"eyJhbGciOiJIUzI1NiIsI..\",\n \"correlation_id\": \"N/A\",\n \"device_public_key\": null,\n \"user_id\": null,\n \"location\": \"https://example.com/login\",\n \"ip\": \"185.220.101.34\",\n \"ip_country\": \"DE\",\n \"ip_location_region\": \"Hesse\",\n \"ip_location_city\": \"Frankfurt am Main\",\n \"ip_location_zip\": \"60306\",\n \"ip_location_longitude\": \"8.68417\",\n \"ip_location_latitude\": \"50.11552\",\n \"ip_asn_name\": \"Zwiebelfreunde e.V.\",\n \"ip_asn_id\": \"AS47163\",\n \"ip_organization_name\": \"Zwiebelfreunde e.V.\",\n \"ip_organization_type\": \"hosting\",\n \"ip_location_timezone\": \"Europe/Berlin\",\n \"device_timezone\": \"N/A\",\n \"device_languages\": [],\n \"device_platform\": \"desktop\",\n \"os_name\": \"Mac OS\",\n \"os_version\": \"10.15.7\",\n \"browser_name\": \"Chrome\",\n \"browser_version\": \"N/A\",\n \"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\"\n },\n \"risk_signals\": {\n \"device\": {\n \"ram\": null,\n \"total_storage\": null,\n \"available_storage\": null,\n \"battery_level\": null,\n \"core_number\": null,\n \"graphic_card\": \"N/A\",\n \"model\": \"Macintosh\",\n \"screen_height\": null,\n \"screen_width\": null,\n \"screen_color_depth\": null,\n \"screen_pixel_depth\": null,\n \"incognito\": false,\n \"private_browser\": false,\n \"tampered\": true,\n \"emulated\": false,\n \"spoofed\": true,\n \"tz_mismatch\": false,\n \"esim_usage\": null,\n \"accept_languages\": \"en-US,en;q=0.9\",\n \"mobile_network_code\": null,\n \"screen_avail_width\": null,\n \"screen_avail_height\": null,\n \"font_count\": null,\n \"cpu_arch\": null,\n \"navigator_useragent\": null,\n \"true_useragent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36\",\n \"device_timezone_offset\": null,\n \"device_name\": null,\n \"summer_timezone_offset\": null,\n \"winter_timezone_offset\": null,\n \"device_power_state\": null\n },\n \"network\": {\n \"vpn\": false,\n \"tor\": true,\n \"hosting\": true,\n \"proxy\": false,\n \"anonymizer\": false,\n \"x_forwarded_for\": [\n \"203.0.113.42\"\n ]\n },\n \"history\": {\n \"ip_action_rate_60_sec\": 1,\n \"user_action_rate_60_sec\": 0,\n \"device_action_rate_60_sec\": 1,\n \"ip_device_count_last_hour\": 0,\n \"ip_user_count_last_hour\": 0,\n \"linking_user_to_device_count\": 0,\n \"linking_device_to_users_count\": 0\n }\n },\n \"reasons\": [\n \"DENY_BY_Risky devices\",\n \"IP_RISKY_REPUTATION\",\n \"DEVICE_RISKY_REPUTATION\"\n ]\n },\n \"rule_decision\": {\n \"decision\": \"deny\",\n \"matched_rule\": {\n \"rule_id\": \"c07b5448-2279-45f2-aba2-4311802b1854\",\n \"rule_name\": \"Risky devices\"\n }\n }\n }\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"example","__idx":4},"children":["Example"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Consider a login journey that adapts its flow based on real-time risk indicators. After the user authenticates, the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Risk Level Analysis"]}," step evaluates the interaction and branches based on the rule engine outcome:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Allow branch"]},": The rule engine determined the interaction is safe. The journey proceeds directly to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Complete journey"]}," step."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Deny branch"]},": The rule engine determined the interaction is malicious. The journey moves to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Reject access"]}," step."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Custom branch"]},": No rule matched. The journey uses a ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/condition"},"children":["Condition"]}," step to check for specific risk factors in the output. For example, the expression ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["@std.contains(risk_analysis.risk_result.reasons.IP_RISKY_REPUTATION)"]}," checks whether IP address is compromized and branches accordingly."]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can chain multiple ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Condition"]}," steps on the Custom branch to evaluate additional risk factors sequentially. For example, after ruling out risky IP addresses, a second condition can check for ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["DEVICE_NEW"]}," and branch to a step-up authentication step (such as Email OTP Authentication) if a new device is detected."]}]},"headings":[{"value":"Risk Level Analysis","id":"risk-level-analysis","depth":1},{"value":"Description","id":"description","depth":2},{"value":"Configuration","id":"configuration","depth":2},{"value":"Output","id":"output","depth":2},{"value":"Example","id":"example","depth":2}],"frontmatter":{"markdown":{"toc":{"depth":2}},"redirects":{"/guides/orchestration/journeys/citadel/":{}},"seo":{"title":"Risk Level Analysis"}},"lastModified":"2026-05-26T06:26:01.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/orchestration/journeys/risk_level_analysis","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}