Protect360 dashboard

At a glance: The Protect360 dashboard provides insights about fraudulent traffic and installs blocked due to the application of validation rules.

p360_retargeting_dashboard.png

Related reading: Overview | Raw data | Validation rules

About Protect360 dashboard

The Protect360 dashboard:

  • Displays aggregate fraud data at the account level.
  • Has three dashboard views:
    • Installs (CPI)
    • In-app events (CPA)
    • Anomalies
  • Organizes fraud based on categories, including:
    • Fake versus hijacked installs
    • Fraud blocked in real-time versus fraud identified post-attribution
    • Fraud from UA versus retargeting campaigns
  • Allows you to drill down to further examine fraud events by using the filtering and grouping options.

To view the Protect360 dashboard, in AppsFlyer, go to Dashboard > Protect360. 

Filters and groupings

Filter and groupings window

p360_filters_2.png

The following filtering and grouping options are available:

  • Basic filters:
    • App name
    • Media source
    • Geo
    • Date range (see time zone support)
    • Attribution type: Installs, re-attributions, and/or re-engagements
    • Payable events (available in the In-app events dashboard) 
  • Expanded filters - click on the blue arrow, to the right of the date picker:
    • Agencies
    • Campaigns
    • Channels
  • Grouping options - choose different dimensions to group the fraud data by to get the specific insights you need:
    • Application: Compare the total amount of fraud per each of your apps.
    • Media Source (default): Compare the identified fraud from each of the media sources used by your apps
    • Media Source + Campaign: Compare the identified fraud from all your campaigns across all media sources used by your apps
    • Media Source + Site ID: Compare the identified fraud from all publishers (site IDs) across all media sources used by your apps
    • Media Source + Site ID + Campaign: Compare the identified fraud from all publishers (site IDs) across all media sources used by your apps, associated with the relevant campaign names
    • Media source + Geo: (available in the In-app events dashboard): compare the identified fraud from each of the media sources used by your apps associated with the relevant countries
    • Media source + Attribution type: Compare the identified fraud from each of your media sources, associated with the selected attribution type (installs, re-attributions, and/or re-engagements)
    • Geo: compare the identified fraud from all countries

Installs dashboard

The installs dashboard displays LTV-based data, meaning data relating to installs, re-attributions, and re-engagements that occurred during your selected date range.

Dashboard features are described in the sections that follow.

Installs—headline metrics

The headline metrics enable you to see:

  • Estimated savings
  • Total number of fraudulent installs,
  • Number of fraudulent (in-app) events
  • Anomalies

For each KPI, there is a percentage value. This value shows how the presented KPI is in relation to the parallel date range before it. For example, this week compared to last week, or any days selected in the date range compared to the same number of days that came before: if it shows an X% increase in estimated savings, it means the previous parallel date range had X% fewer fraudulent installs, re-attributions, and re-engagements.

Estimated savings

Estimated savings metrics:

  • Displays the value of fraud blocked in real-time or identified post-attribution, to be settled by you with the ad networks. 
  • Uses the formula: Estimated Savings = number of blocked installs X app average eCPI

For more details on how this amount is calculated read this FAQ.

Identified fraudulent attributions

Total identified fraud metrics display the amounts of:

  • Fraudulent installs, re-attributions, and re-engagements blocked in real-time for all the various fraud-blocking reasons.
  • Installs, re-attributions, and re-engagements identified as fraud post-attribution.

Blocked in-app events

Blocked in-app events metrics display the amount of in-app events blocked by AppsFlyer. The events may have been blocked due to belonging to blocked installs, or due to being marked as suspicious post-attribution events.

Installs—charts

Identified fraud trend chart

The identified fraud trend chart displays the number of fraudulent installs, re-attributions, and re-engagements per day, broken down by either:

  • Detection type: Installs blocked in real-time and installs identified as fraud post-attribution.
  • Attribution type: Installs, re-attributions, and re-engagements

The display can be either a line graph or a bar chart.

Hijacked installs attribution correction chart

The hijacked installs attribution correction chart displays media sources that attempted to take credit for installs, re-attributions, and re-engagements, as well as the last valid contributor sources.

You can:

  • Filter by hijacked attributions identified in real-time, post-attribution, or attributions identified via validation rules.
  • Set to which valid sources attribution is corrected or from which hijacked sources attribution was corrected.
  • Change the chart view to a table format, and download the data as a CSV.

Note:

  • This chart is only accessible to advertisers. Agencies and ad networks do not have access.
  • When the hijackings are blocked in real-time, the correct attributions display in AppsFlyer dashboards and reports (not just Protect360). When hijackings are identified post-attribution, the correct attributions are displayed only in Protect360 raw data.

Identified fraud chart

The identified fraud chart displays the types of fraud you experience, by percentage. Fraud breakdown can be by:

  • Block reason
  • Blocked sub-reason
  • Media source
  • Campaign
  • Geo
  • App

Installs—table

Identified fraud breakdown

The Identified fraud breakdown table displays the following data:

  • Fraud blocked in real-time
  • Fraud identified and marked post-attribution
  • Other indications of fraud per media source

The table is presented in a general overview format, as shown in the image that follows.

p360_main_table.png

The dynamic table structure:

  • Lets you click the table settings button to add or remove columns to the table.
    If you make any changes to the table, make sure to click the Save button afterward. 
  • Is per user, so every team member with access to Protect360 can personally customize their own table structure. See more table options.

edit_table.jpg

Content of the identified fraud breakdown table
Table Column Description
Groupings
  • [Default] The table and dashboard are grouped by Media source.
  • When selecting a specific media source, the grouping is automatically by both Media source and Site ID.
  • Optional groupings include Campaign, GEO, Channel, agency, and combinations thereof.
Attributions Headline breakdown of blocked and post-attribution fraudulent installs.
Total (A)
  • Total installs = Regular (non-fraudulent) installs + blocked installs
  • Regular installs are available per media source (non-organic) in the Overview dashboard.
Blocked (B)
  • Total number of blocked installs.
  • Note: Organic blocked installs are not shown in the Protect360 dashboard. To see organic blocked installs, use raw data reports.
  • [Default] The table is sorted in descending order using this KPI.
Blocked % (B/A) Blocked installs / Total installs
Post-attribution (C) Installs identified as fraud post-attribution.
Post-attribution % (C/A) Post-attribution installs / Total number of installs
Total fraudulent installs (D) Fraudulent installs, blocked in real-time or identified as fraudulent post-attribution.
Fraudulent installs % (D/A) Fraudulent installs / Total number of installs
Fraud attribution type breakdown The attribution types of the fraudulent installs, broken down into installs, re-attributions, and re-engagements.
Installs Fraud originated from a UA campaign.
Re-attributions Fraud originated from a retargeting campaign that led to an install.
Re-engagements Fraud originated from a retargeting campaign that led to a re-engagement.
Fake Fraudulent installs or re-attributions simulating real user activity - divided by real-time blocks and post-attribution.
Real-time block Fake installs blocked in real-time.
Post-attribution fraud Fake installs identified as fraud post-attribution.
Hijacked Fraudulent last clicks stealing attribution of real user installs - divided by real-time blocks and post-attribution.
Real-time block Hijacked installs blocked in real-time.
Post-attribution fraud Hijacked installs identified as fraud post-attribution.
Validation rules Installs meeting validation rules conditions.
Blocked installs Installs blocked by validation rules.
Blocked attribution Attribution changes of installs due to validation rules.
Fake installs block breakdown Breakdown of blocked and post-attribution fraudulent fake installs usually performed programmatically.
Blocked site ID denylist Installs blocked due to Protect360 denylisting the SiteID.
Post-attribution site ID denylist Installs marked as fraud due to Protect360 post-attribution denylisting of the SiteID.
Blocked bots Blocked installation attempts made by automatic bots.
Post-attribution bots Installs marked as fraud due to identified automatic bots activities post-attribution
Blocked behavioral anomalies Installs blocked due to behavioral anomalies, meaning, abnormal session and in-app event performance of users.
Post-attribution behavioral anomalies Installs marked as fraud due to behavioral anomalies post-attribution.
Blocked install validation Total installs blocked due to negative store validation.
Hijacked installs block breakdown Breakdown of fraudulent last clicks aimed to steal attribution of real user app installs.
Blocked install hijacking Blocked install hijacking of the source.
Post-attribution install hijacking Install hijacking marked as fraud in post-attribution.
Blocked CTIT anomalies Installs blocked due to CTIT anomalies.
Post-attribution CTIT anomalies CTIT anomalies marked as fraud in post-attribution.
Blocked click flooding Installs blocked due to click flooding (fraud attempts to send large numbers of clicks hoping to deliver the last clicks prior to random installs.)
Post-attribution click flooding Click flooding installs marked as fraud in post-attribution.
Clicks

Clicks from the source

Note: Click data displays as NA if one of re-engagement or re-attribution is selected as the attribution type without the other. Fix your filter/grouping settings to view the data correctly.

Total (E) Total number of legitimate and fraudulent clicks received from the source
Blocked Clicks blocked due to fraud (including capped)
Capped Clicks blocked due to click capping
Impressions

Impressions from the source

Note: Impression data displays as NA if one of re-engagement or re-attribution is selected as the attribution type without the other. Fix your filter/grouping settings to view the data correctly.

Total Total number of legitimate and fraudulent impressions received from the source
Blocked Impressions blocked due to fraud (including capped)
Capped Impressions blocked due to impressions capping
In-App Events

In-app events from the source

Note: This includes in-app events from installs; not re-attributions or re-engagements.

Total (G) Total in-app events
Blocked (H) Blocked in-app events 
% (H/G) Blocked in-app events / total in-app events
Device farm indicators

Indicators of fraudulent device farm activity, using Device ID Reset and Limited Ad Tracking (LAT) fraud.

Note: This includes installs and re-attributions; not re-enagements. 

Installs (I) Installs having a new device ID not known to AppsFlyer.
Installs % (I/A) New device installs / Total number of installs
Loyal user % General KPI indicating if users are real or fake.
Click flooding indicators Indications of click flooding fraud based on abnormal conversion or assist rates, or CTIT time.
Conversion rate (%)

Low percentage compared with the general app conversion rate indicates click flooding fraud.

Note: Conversion rate displays as NA if one of re-engagement or re-attribution is selected as the attribution type without the other. Fix your filter/grouping settings to view the data correctly.

Assists % High percentage compared with other media sources (in the Assists widget on the overview page) indicates click flooding fraud.
Over 60 minutes Normally ~30% of first app launches occur more than 60 minutes after download.
Over 5 hours Normally ~20% of first app launches occur more than 5 hours after download.

Additional table options

  • Click Export CSV to download the table to your desktop in CSV format
  • Click the gear icon to:
    • Change the order of table columns
    • Add or remove the columns described above
    • Add or remove any of your app's recently blocked in-app events. For each added in-app event the following columns are displayed:
Table Column Description
Events Counter (Total) Number of the specific event's blocked occurrences
Unique Users Number of unique users getting the specific event blocked 

Note that uncommon rates of either of these KPIs don't necessarily indicate fraud, as many events get blocked due to fraudulent post-attribution installs.

The in-app event data in the CPI dashboard is LTV-based, meaning it is all the in-app events associated with installs that occurred during the specified date range.

In-app events dashboard

The in-app events dashboard displays activity-based data, meaning data relating to in-app events that occurred during your selected date range, including events from installs that happened before the date range.

Agencies cannot access the In-app events (CPA dashboard). 

Dashboard features are described in the sections that follow.

In-app events—headline metrics

The headline metrics enable you to see:

  • Estimated savings
    • Only available if Payable events is enabled. 
    • Based on the payable events you have configured. 
  • Total number of identified fraudulent IAEs

In-app events—charts

Fraud trend over time chart

The fraud trend over time chart displays the number of events per day, broken down into:

  • Real-time: Fraudulent in-app events blocked in real-time
  • Post-attribution: Fraudulent events identified post-attribution
  • Non-fraud

Top IAE fraud by media source chart

The top in-app event fraud by media source list contains: 

  • The 5 media sources with the highest number of fraudulent in-app events in descending order. 
  • A bar chart for each media source bar that displays the following in-app event types as a percentage of total in-app events:
    • Real-time: Fraudulent in-app events blocked in real-time
    • Post-attribution: Fraudulent events identified post-attribution
    • Non-fraud

In-app event fraud sunburst chart

IAE_pie_chart.gif

The in-app event fraud sunburst chart displays the in-app event fraud breakdown visually.

The innermost (root) ring of the sunburst chart displays in-app events broken down into parent slices: Non-fraud, Fake and Hijacked.

Clicking a parent slice (and subsequent slices in the sunburst hierarchy) displays additional breakdowns of in-app events and media sources. 

The in-app events displayed in the sunburst chart are identical in name and meaning to those in the In-app event fraud breakdown table.

In-app events—table

The In-app event fraud breakdown table displays the following data:

  • Fraud blocked in real-time
  • Fraud identified and marked post-attribution
  • Other indications of fraud per media source

The table is presented in a general overview format, as shown in the image that follows.

IAE_fraud_table.jpg

The dynamic table structure:

  • Lets you click the table settings button to add or remove columns to the table.
    If you make any changes to the table, make sure to click the Save button afterward. 
  • Is per user, so every team member with access to Protect360 can personally customize their own table structure. See more table options.

iae_table_structure.jpg

Content of the in-app event fraud breakdown table
Table Column Description
Groupings
  • [Default] The table and dashboard are grouped by Media source.
  • When selecting a specific media source, the grouping is automatically by both Media source and Site ID.
  • Optional groupings include Campaign, GEO, Channel, agency, and combinations thereof.
In-app events Headline breakdown of blocked and post-attribution fraudulent IAEs.
Total IAE (A)
  • Total IAE = Regular (non-fraudulent) IAEs + blocked IAEs + IAEs identified as fraud post-attribution.
  • Regular IAEs are available per media source (non-organic) in the Overview dashboard.
Total fraudulent IAE (B)
  • Total number of blocked IAEs + IAEs identified as fraud post-attribution.
  • Note: Organic blocked IAEs are not shown in the Protect360 dashboard. To see organic blocked IAEs, use raw data reports.
  • [Default] The table is sorted in descending order using this KPI.
Fraudulent events % (B/A) Fraudulent IAEs/Total IAEs
Fake IAE real-time blocks

Fraudulent IAEs blocked in real-time.

Fake IAE Fake IAE identified as fraud and blocked in real-time.
Fake installs

The original install was identified as fraud and blocked in real-time.

Post-attribution fake installs

The original install was identified as fraud post-attribution, before the IAE. 

Saved from hijacking in real-time IAEs with the original install hijacked by a fraudulent source, that AppsFlyer correctly attributes to the last non-fraudulent source.
Corrected to organic Hijacked installs with the last non-fraudulent source being organic.
Corrected to non-organic source Hijacked installs with the last non-fraudulent source being a non-organic media source.
Post-attribution IAE fraud In-app events identified as fraud post-attribution.
Fake installs IAE occurred before the install was identified as fraud post-attribution. 
Hijacked installs IAE occurred before the install was identified as hijacked, and cannot be correctly attributed post-attribution.
Validation rules IAEs blocked due to meeting validation rules conditions.
Blocked installs IAEs of installs blocked by validation rules.
Blocked IAE IAEs blocked by validation rules.
Corrected to organic Hijacked installs with the last non-fraudulent source being organic.
Corrected to non-organic source Hijacked installs with the last non-fraudulent source being a non-organic media source.

Additional table options

  • Click Export CSV to download the table to your desktop in CSV format
  • Click the gear icon to:
    • Change the order of table columns
    • Add or remove the columns described above

The amount of events shown is activity-based, and not LTV based, meaning it's the exact number of event blocks during the specified date range.

Payable events

Payable events are IAEs that have a cost. Once enabled and configured, the In-app activity dashboard only displays data related to payable events.

To enable Payable events in the In-app activity dashboard:

  • In the Filter by section of the In-app activities dashboard, enable Payable events.

To configure payable events:

  1. In the In-app activities dashboard, click Configure payable events.

    The Configure payable events popup displays.

  2. [Optional] If you configuring a new payable event, click Add new.
  3. Based on which payable IAEs you want to display in the dashboard, select the following from the drop-down menus:
    • Apps
    • In-app events
    • Media sources
    • Campaigns
  4. Enter the CPA of the IAE. 
  5. Click Save.
  6. Click Close. 

Anomalies dashboard

The Anomalies dashboard:

  • Provides insights about media sources that have suspicious Click to Install Time (CTIT) values, or new device ratios, when compared with other media sources.
  • Enables you to use the media-source-level KPIs to receive compensation from the media sources and consider whether to continue working with them or not.
  • Needs you to have traffic from sources that are trusted by AppsFlyer to have low fraud rates. This is to create a baseline to compare other media sources.

CTIT tab

Anomalies_CTIT.png

To view CTIT insights (numbers refer to the preceding screenshot):

  1. Go to Anomalies > CTIT.
  2. Select apps to watch on the page.
  3. Select which countries contribute to the data on the page.
  4. Select the date range of the data on the page.
  5. Turn Exclude post-attribution fraud on to see only blocked fraud, or turn it off to see the full fraud insights.
  6. Select the media source baseline to compare with. The default App Baseline takes into consideration various sources trusted by AppsFlyer, which contribute to your traffic.
  7. Select the time resolution shown in the graph: seconds, minutes, hours or days.
  8. Customize the validation rules to exclude installs with illogical CTIT.
    Note: the validation rules feature must be enabled for your account to perform this.
  9. To see more details, hover over the distinctly colored parts in the graph, which indicates detected CTIT anomalies.
  10. Click to see a visual comparison of CTIT throughout different media sources.
  11. Click the Protect 360 link to go back to the Identified Fraud page.

The CTIT anomalies breakdown table, at the page bottom, displays all the media sources which have CTIT anomalies. Use it to see data about the number and percentage of installs with abnormal CTIT values. With this table you can also export to CSV, add or remove columns or set their order.

New devices tab

anomalies_new_devices

The New devices tab enables you to visually detect media sources and site IDs, which have suspiciously high ratios of new devices installing your app. 

Sources, which are colored in gray, are below the New devices ratio threshold. For the yellow-colored sources, if the color is stronger, it means there's a higher new devices ratio.

The area occupied by a media source represents the total number of its installs, including blocked and post-attribution fraud. 

To view new device insights (numbers refer to the preceding screenshot):

  1. Go to Anomalies > New devices.
  2. Select apps to watch on the page.
  3. Select which countries contribute to the data on the page.
  4. Select the date range of the data on the page.
  5. Set the New devices ratio threshold, above which you consider media sources as suspicious and colored in yellow.
  6. To see more details about a media source, click on it.
    Click on the All media sources link to get back to the view of all media sources.
  7. Click the Installs link to go back to the Installs tab.
  8. You can export the Identified fraud breakdown table, containing new devices data.
Was this article helpful?