> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Playbook for using Auth0's Bot Detection monitoring feature in the Security Center

# Bot Detection Playbook

<Card title="Before you start">
  You must enable [Bot Detection](/docs/secure/attack-protection/bot-detection) and configure a [CAPTCHA provider](/docs/secure/attack-protection/bot-detection/configure-captcha).
</Card>

Auth0's [Bot Detection monitoring feature](/docs/secure/security-center#bot-detection) is an early warning system for botnet detection and attacks. Below is guidance for identifying bots trying to log into your tenant.

#### Find log events of interest

When considering a response, first sift through the log messages from the potential attack. For advanced analysis, enable [log streaming](/docs/customize/log-streams) and connect it to the external tool of your choice.

The following [log event types](/docs/deploy-monitor/logs/log-event-type-codes) are relevant when investigating an uptick in bot activity.

<table class="table">
  <thead>
    <tr>
      <th>Log Event Type</th>
      <th>Description</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>pla</code></td>
      <td>Generated before login and monitor bot detection, even if bot detection is only in monitoring mode and not using CAPTCHAs to identify bots.</td>
    </tr>

    <tr>
      <td><code>fu</code></td>
      <td>Failed user login events due to invalid username, which can indicate attempted username enumeration or account takeover attempts.</td>
    </tr>

    <tr>
      <td><code>fp</code></td>
      <td>Failed user login events due to invalid password, which can indicate attempted credential stuffing attacks.</td>
    </tr>

    <tr>
      <td><code>pwd\_leak</code></td>
      <td>Attempted login events with a leaked password, which can indicate attempted credential stuffing attacks.</td>
    </tr>

    <tr>
      <td><code>limit\_wc</code></td>
      <td>IP block events for >10 failed login attempts to a single account, which indicates the IP address is likely to belong to a bot.</td>
    </tr>

    <tr>
      <td><code>limit\_sul</code></td>
      <td>User block events for >20 login attempts per minute from the same IP address, which indicates likely bot activity.</td>
    </tr>

    <tr>
      <td><code>limit\_mu</code></td>
      <td>IP block events for >100 failed login attempts or >50 signup attempts from the same IP address, which indicates likely bot activity.</td>
    </tr>

    <tr>
      <td><code>fcoa</code></td>
      <td>Failed cross-origin authentication events, which indicates attackers using automation to perform account takeovers.</td>
    </tr>

    <tr>
      <td><code>scoa</code></td>
      <td>Successful cross-origin authentication events, which indicates attackers using automation to perform account takeovers when originating from a small number of IP addresses across multiple users.</td>
    </tr>
  </tbody>
</table>

#### Attack response

While setting the <Tooltip tip="Bot Detection: Form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process." cta="View Glossary" href="/docs/glossary?term=Bot+Detection">Bot Detection</Tooltip> level to High immediately mitigates the attack, a comprehensive strategy balances your business's risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:

* **User friction:** evaluate the impact of mitigation measures (e.g. CAPTCHA frequency) on user experience.
* **Technical capacity**: assess your ability to implement IP blocking, WAF rules, and <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> enforcement.

Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection.

#### Mitigation strategies

For optimal protection from attacks, consider the following strategies:

* Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution.
* Change your CAPTCHA provider if attackers bypass your current CAPTCHA or consider migrating to Auth0's Auth Challenge or another [supported provider](/docs/secure/attack-protection/bot-detection/configure-captcha).
* If you suspect a signup fraud campaign, temporarily prevent new user signups to your application from public, unauthenticated endpoints.
* Change your web application firewall rules with an edge provider or use [tenant access control lists](/docs/secure/tenant-access-control-list) to block abusive IPs, autonomous system numbers, geographic locations, [TLS clients](/docs/customize/custom-domains/self-managed-certificates/tls-ssl), or HTTP header elements like `user-agent` strings, and consider employing a [reverse proxy.](/docs/customize/custom-domains/self-managed-certificates#configure-reverse-proxy)
* Tighten [Brute Force](/docs/secure/attack-protection/brute-force-protection) and [Suspicious IP](/docs/secure/attack-protection/suspicious-ip-throttling) thresholds to reduce allowed connection limits and mitigate brute-force attacks. For more information about brute force attacks, read the [Brute Force playbook](/docs/secure/attack-protection/playbooks/brute-force-protection-playbook).
* Disable unused endpoints by modifying your [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication) settings. If you suspect breached password attacks, read the [Breached Password playbook](/docs/secure/attack-protection/playbooks/breached-password-playbook).
* Enforce [step-up MFA](/docs/secure/multi-factor-authentication/step-up-authentication) for compromised accounts, up to and including requiring MFA for potentially compromised accounts.
* Migrate to stronger MFA options to mitigate SMS pumping or toll fraud attacks by replacing SMS or voice-based MFA with OTP or Webauthn.
