Filter and groupings window

The following filtering and grouping options are available:

• Basic filters:
  • App name. Note: Apps with only organic installs can't be selected.
  • Source type: Non-organic and/or organic
  • Media source
  • Geo
  • Date range (see time zone support)
  • Attribution type: Installs, re-attributions, and/or re-engagements
  • Payable events (available in the In-app events dashboard) 
• Expanded filters - click on the blue arrow, to the right of the date picker:
  • Agencies
  • Campaigns
  • Channels
• Grouping options - choose different dimensions to group the fraud data by to get the specific insights you need:
  • Application: Compare the total amount of fraud per each of your apps.
  • Media Source (default): Compare the identified fraud from each of the media sources used by your apps
  • Media Source + Campaign: Compare the identified fraud from all your campaigns across all media sources used by your apps
  • Media Source + Site ID: Compare the identified fraud from all publishers (site IDs) across all media sources used by your apps
  • Media Source + Site ID + Campaign: Compare the identified fraud from all publishers (site IDs) across all media sources used by your apps, associated with the relevant campaign names
  • Media source + Geo: (available in the In-app events dashboard): compare the identified fraud from each of the media sources used by your apps associated with the relevant countries
  • Media source + Attribution type: Compare the identified fraud from each of your media sources, associated with the selected attribution type (installs, re-attributions, and/or re-engagements)
  • Geo: compare the identified fraud from all countries

The headline metrics enable you to see:

• Estimated savings
• Total number of fraudulent installs,
• Number of fraudulent (in-app) events
• Anomalies

For each KPI, there is a percentage value. This value shows how the presented KPI is in relation to the parallel date range before it. For example, this week compared to last week, or any days selected in the date range compared to the same number of days that came before: if it shows an X% increase in estimated savings, it means the previous parallel date range had X% fewer fraudulent installs, re-attributions, and re-engagements.

Estimated savings

Estimated savings metrics:

• Displays the value of fraud blocked in real-time or identified post-attribution, to be settled by you with the ad networks. 
• Uses the formula: Estimated Savings = number of blocked installs X app average eCPI.
• Are not relevant for organic traffic.

For more details on how this amount is calculated read this FAQ.

Identified fraudulent attributions

Total identified fraud metrics display the amounts of:

• Fraudulent installs, re-attributions, and re-engagements blocked in real-time for all the various fraud-blocking reasons.
• Installs, re-attributions, and re-engagements identified as fraud post-attribution.

Blocked in-app events

Blocked in-app events metrics display the amount of in-app events blocked by AppsFlyer. The events may have been blocked due to belonging to blocked installs, or due to being marked as suspicious post-attribution events.

Identified fraud trend chart

The identified fraud trend chart displays the number of fraudulent installs, re-attributions, and re-engagements per day, broken down by either:

• Detection type: Installs blocked in real-time and installs identified as fraud post-attribution.
• Attribution type: Installs, re-attributions, and re-engagements
• Source type: Non-organic and organic

The display can be either a line graph or a bar chart.

Hijacked installs attribution correction chart

The hijacked installs attribution correction chart displays media sources that attempted to take credit for installs, re-attributions, and re-engagements, as well as the last valid contributor sources.

You can:

• Filter by hijacked attributions identified in real-time, post-attribution, or attributions identified via validation rules.
• Set to which valid sources attribution is corrected or from which hijacked sources attribution was corrected.
• Change the chart view to a table format, and download the data as a CSV.

Note:

• This chart is only accessible to advertisers. Agencies and ad networks do not have access.
• When the hijackings are blocked in real-time, the correct attributions display in AppsFlyer dashboards and reports (not just Protect360). When hijackings are identified post-attribution, the correct attributions are displayed only in Protect360 raw data.
• This chart can display correction to organic, but not from organic. 

Identified fraud chart

The identified fraud chart displays the types of fraud you experience, by percentage. Fraud breakdown can be by:

• Block reason
• Blocked sub-reason
• Media source
• Campaign
• Geo
• App

Identified fraud breakdown

The Identified fraud breakdown table displays the following data:

• Fraud blocked in real-time
• Fraud identified and marked post-attribution
• Other indications of fraud per media source

The table is presented in a general overview format, as shown in the image that follows.

The dynamic table structure:

• Lets you click the table settings button to add or remove columns to the table.
  If you make any changes to the table, make sure to click the Save button afterward. 
• Is per user, so every account user with access to Protect360 can personally customize their own table structure. See more table options.

Content of the identified fraud breakdown table

Additional table options

• Click Export CSV to download the table to your desktop in CSV format
• Click the gear icon to:
  • Change the order of table columns
  • Add or remove the columns described above
  • Add or remove any of your app's recently blocked in-app events. For each added in-app event the following columns are displayed:

Note that uncommon rates of either of these KPIs don't necessarily indicate fraud, as many events get blocked due to fraudulent post-attribution installs.

The in-app event data in the CPI dashboard is LTV-based, meaning it is all the in-app events associated with installs that occurred during the specified date range.

The headline metrics enable you to see:

• Estimated savings
  • Only available if Payable events is enabled. 
  • Based on the payable events you have configured. 
• Total number of identified fraudulent IAEs

Fraud trend over time chart

The fraud trend over time chart displays the number of events per day, broken down into:

• Real-time: Fraudulent in-app events blocked in real-time
• Post-attribution: Fraudulent events identified post-attribution
• Non-fraud

Top IAE fraud by media source chart

The top in-app event fraud by media source list contains: 

• The 5 media sources with the highest number of fraudulent in-app events in descending order. 
• A bar chart for each media source bar that displays the following in-app event types as a percentage of total in-app events:
  • Real-time: Fraudulent in-app events blocked in real-time
  • Post-attribution: Fraudulent events identified post-attribution
  • Non-fraud

In-app event fraud sunburst chart

The in-app event fraud sunburst chart displays the in-app event fraud breakdown visually.

The innermost (root) ring of the sunburst chart displays in-app events broken down into parent slices: Non-fraud, Fake and Hijacked.

Clicking a parent slice (and subsequent slices in the sunburst hierarchy) displays additional breakdowns of in-app events and media sources. 

The in-app events displayed in the sunburst chart are identical in name and meaning to those in the In-app event fraud breakdown table.

The In-app event fraud breakdown table displays the following data:

• Fraud blocked in real-time
• Fraud identified and marked post-attribution
• Other indications of fraud per media source

The table is presented in a general overview format, as shown in the image that follows.

The dynamic table structure:

• Lets you click the table settings button to add or remove columns to the table.
  If you make any changes to the table, make sure to click the Save button afterward. 
• Is per user, so every account user with access to Protect360 can personally customize their own table structure. See more table options.

Content of the in-app event fraud breakdown table

Additional table options

• Click Export CSV to download the table to your desktop in CSV format
• Click the gear icon to:
  • Change the order of table columns
  • Add or remove the columns described above

The amount of events shown is activity-based, and not LTV based, meaning it's the exact number of event blocks during the specified date range.

Payable events are IAEs that have a cost. Once enabled and configured, the In-app activity dashboard only displays data related to payable events.

To enable Payable events in the In-app activity dashboard:

• In the Filter by section of the In-app activities dashboard, enable Payable events.
  

  

To configure payable events:

1. In the In-app activities dashboard, click Configure payable events.
   

   

   The Configure payable events popup displays.

   

2. [Optional] If you configuring a new payable event, click Add new.
3. Based on which payable IAEs you want to display in the dashboard, select the following from the drop-down menus:
   • Apps
   • In-app events
   • Media sources
   • Campaigns
4. Enter the CPA of the IAE. 
5. Click Save.
6. Click Close. 

To view CTIT insights (numbers refer to the preceding screenshot):

1. Go to Anomalies > CTIT.
2. Select apps to watch on the page.
3. Select which countries contribute to the data on the page.
4. Select the date range of the data on the page. 
5. You can see up to 180 days back.
   Note: The 180 days started on April 6, so until 180 days have passed from then, less than 180 days is available.
6. Turn on Exclude post-attribution fraud to see only blocked fraud, or turn it off to see the full fraud insights.
7. Select the media source baseline to compare with. The default App Baseline takes into consideration various sources trusted by AppsFlyer, which contribute to your traffic.
8. Select the time resolution shown in the graph: seconds, minutes, hours or days.
9. Customize the validation rules to exclude installs with illogical CTIT.
   Note: the validation rules feature must be enabled for your account to perform this.
10. To see more details, hover over the distinctly colored parts in the graph, which indicates detected CTIT anomalies.
    Note: Only ad networks for which we have enough data to make accurate comparisons are shown.
11. Click the Protect 360 link to go back to the Identified Fraud page.

The CTIT anomalies breakdown table, at the page bottom, displays all the media sources which have CTIT anomalies. Use it to see data about the number and percentage of installs with abnormal CTIT values. With this table you can also export to CSV, add or remove columns or set their order.

The New devices tab enables you to visually detect media sources and site IDs, which have suspiciously high ratios of new devices installing your app. 

Sources, which are colored in gray, are below the New devices ratio threshold. For the yellow-colored sources, if the color is stronger, it means there's a higher new devices ratio.

The area occupied by a media source represents the total number of its installs, including blocked and post-attribution fraud. 

To view new device insights (numbers refer to the preceding screenshot):

1. Go to Anomalies > New devices.
2. Select apps to watch on the page.
3. Select which countries contribute to the data on the page.
4. Select the date range of the data on the page. 
5. Set the New devices ratio threshold, above which you consider media sources as suspicious and colored in yellow.
6. To see more details about a media source, click on it.
   Click on the All media sources link to get back to the view of all media sources.
7. Click the Installs link to go back to the Installs tab.
8. You can export the Identified fraud breakdown table, containing new devices data.