Derived Signals
Derived signals are computed by the Humifortis engine by analyzing raw events against entity baselines, behavioral patterns, and contextual enrichment. You do not send these — the engine detects them automatically from the events you submit.
Derived signals fall into two layers:
- AUTH_ signals — operator-visible, playbook-addressable, directly impact the risk score
- FEAT_ signals — engine-internal detectors that feed into AUTH_ signals; not exposed in playbook rules
AUTH_ Signals — Operator-Visible
These signals appear in dashboards, can be referenced in playbook rules, and directly influence enforcement decisions.
| Signal | What it detects |
|---|---|
AUTH_IMPOSSIBLE_TRAVEL | Same user authenticated from two locations that are geographically impossible to reach within the elapsed time |
AUTH_NEW_DEVICE | Login from a device fingerprint not seen for this entity in the past 30 days |
AUTH_ANONYMOUS_NETWORK | Connection via Tor exit node, known VPN provider, or anonymizing proxy |
AUTH_BRUTE_FORCE | Multiple failed logins from the same IP or entity within a short window |
AUTH_DEVICE_COUNTRY_MISMATCH | Device geolocation inconsistent with login location |
AUTH_ANOMALOUS_HOURS | Authentication outside the entity's established activity window |
AUTH_OFF_HOURS_ADMIN | Privileged action (password reset, policy change) performed outside business hours |
AUTH_ACCOUNT_LOCKED | Account locked due to repeated authentication failures |
CREDENTIAL_STRIPPING | Password change followed immediately by MFA device removal — high-confidence account takeover pattern |
ATO_CONSOLIDATION | Email change within minutes of login — account consolidation pattern associated with takeover |
MFA_FATIGUE_PATTERN | Repeated MFA push denials followed by an approval — indicates push fatigue attack |
FEAT_ Signals — Internal Detectors
These are low-level technical detectors used internally by the engine. They are not exposed in dashboards or playbook rules — they feed into AUTH_ signals and are filtered before reaching the policy layer.
| Signal | Purpose |
|---|---|
FEAT_BOT_USER_AGENT | Suspicious automation signatures in the user agent |
FEAT_VELOCITY_BURST | Unusual request rate from the same IP |
FEAT_SESSION_ANOMALY | Session duration or concurrency outside baseline |
FEAT_IDP_SWITCH | Identity provider changed between consecutive events |
FEAT_ANOMALOUS_HOUR | Raw hour-of-day deviation from entity baseline |
FEAT_NO_MFA_AMPLIFIER | MFA not used in a context where it was expected |
FEAT_MATH_FPU_COLLISION | FPU class inconsistent with declared platform (e.g. ARM FPU on a reported Windows device) |
How They Work Together
Raw events (from your connector or API)
│
▼
FEAT_ detectors run first
(noise filtering, baseline checks, device integrity)
│
▼
AUTH_ signals computed
(visible, playbook-addressable)
│
▼
Risk score updated
│
▼
Playbook evaluated → ALLOW / CHALLENGE_MFA / BLOCK
The separation keeps the policy layer clean: playbook rules only reference AUTH_ signals, which are stable and meaningful. FEAT_ signals handle the messy low-level work internally.
See Also
- Feature Variables — the input features the engine extracts from each event
- Playbook Engine — how AUTH_ signals drive enforcement rules
- Signal Taxonomy — naming conventions and architecture