> Learn about the tenant log events we use to identify patterns that are usually an indicator of known attack types.

# Metrics

Security Center uses tenant log events to identify patterns that are usually an indicator of known attack types. We classify tenant log event patterns into categories: normal traffic, credential stuffing threats, signup attack threats, and <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> bypass threats.

<Warning>
  Classification of event type codes may change. Avoid implementing solutions dependent on the current log event code definitions.
</Warning>

## Normal traffic

We use normal traffic as a benchmark against which to compare the different threat types we may observe. Normal traffic includes all successful and failed events for a given hour, covering the following event codes:

<table class="table">
  <thead>
    <tr>
      <th>Event code</th>
      <th>Event</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>s</code></td>
      <td>Successful login</td>
    </tr>

    <tr>
      <td><code>ss</code></td>
      <td>Successful signup</td>
    </tr>

    <tr>
      <td><code>sepft</code></td>
      <td>Successful exchange of password for access token</td>
    </tr>

    <tr>
      <td><code>f</code></td>
      <td>Failed user login</td>
    </tr>

    <tr>
      <td><code>fu</code></td>
      <td>Failed user login due to invalid username</td>
    </tr>

    <tr>
      <td><code>fp</code></td>
      <td>Failed user login due to invalid password</td>
    </tr>

    <tr>
      <td><code>pwd_leak</code></td>
      <td>Attempted login with a leaked password</td>
    </tr>
  </tbody>
</table>

## Credential stuffing

We identify credential stuffing threats within a single hour with the following event codes:

<table class="table">
  <thead>
    <tr>
      <th>Event code</th>
      <th>Event</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>f</code></td>
      <td>Failed user login</td>
    </tr>

    <tr>
      <td><code>fu</code></td>
      <td>Failed user login due to invalid username</td>
    </tr>

    <tr>
      <td><code>fp</code></td>
      <td>Failed user login due to invalid password</td>
    </tr>

    <tr>
      <td><code>pwd_leak</code></td>
      <td>Attempted login with a leaked password</td>
    </tr>

    <tr>
      <td><code>limit_wc</code></td>
      <td>IP blocked for >10 failed login attempts to a single account</td>
    </tr>

    <tr>
      <td><code>limit_sul</code></td>
      <td>User blocked for >20 logins per minute from the same IP address</td>
    </tr>

    <tr>
      <td><code>limit_mu</code></td>
      <td>IP blocked for >100 failed login attempts or >50 signup attempts</td>
    </tr>
  </tbody>
</table>

## Signup attack

We identify signup attack threats within a single hour with the following event codes:

<table class="table">
  <thead>
    <tr>
      <th>Event code</th>
      <th>Event</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>fs</code></td>
      <td>Failed signup</td>
    </tr>
  </tbody>
</table>

## MFA bypass

We identify MFA bypass threats within a single hour with the following event codes:

<table class="table">
  <thead>
    <tr>
      <th>Event code</th>
      <th>Event</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>gd_send_email</code></td>
      <td>Sent email</td>
    </tr>

    <tr>
      <td><code>gd_send_pn</code></td>
      <td>Sent push notification</td>
    </tr>

    <tr>
      <td><code>gd_send_sms</code></td>
      <td>Sent SMS</td>
    </tr>

    <tr>
      <td><code>gd_send_voice</code></td>
      <td>Sent voice call</td>
    </tr>

    <tr>
      <td><code>gd_auth_failed</code></td>
      <td>Failed OTP authentication</td>
    </tr>

    <tr>
      <td><code>gd_auth_rejected</code></td>
      <td>Rejected OTP authentication</td>
    </tr>

    <tr>
      <td><code>gd_otp_rate_limit_exceed</code></td>
      <td>Too many OTP authentication failures</td>
    </tr>

    <tr>
      <td><code>gd_recovery_failed</code></td>
      <td>Failed recovery</td>
    </tr>

    <tr>
      <td><code>gd_recovery_rate_limit_exceed</code></td>
      <td>Too many recovery failures</td>
    </tr>

    <tr>
      <td><code>gd_webauthn_challenge_failed</code></td>
      <td>WebAuthn browser failure</td>
    </tr>
  </tbody>
</table>
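
The following is an added example, not Security Center's own code: it buckets tenant log events by hour and counts them per category using the tables above, which shows that a single event can count toward more than one category because several codes appear in both the normal traffic and credential stuffing tables. The `date` and `type` field names, the `unclassified` bucket, and the sample events are assumptions constructed for illustration; the mapping is kept in one dictionary because the classification may change.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Category -> event codes, copied from the tables on this page. Codes can
# appear in more than one category, and the page warns the mapping may change.
CATEGORIES = {
    "normal_traffic": {"s", "ss", "sepft", "f", "fu", "fp", "pwd_leak"},
    "credential_stuffing": {"f", "fu", "fp", "pwd_leak",
                            "limit_wc", "limit_sul", "limit_mu"},
    "signup_attack": {"fs"},
    "mfa_bypass": {"gd_send_email", "gd_send_pn", "gd_send_sms",
                   "gd_send_voice", "gd_auth_failed", "gd_auth_rejected",
                   "gd_otp_rate_limit_exceed", "gd_recovery_failed",
                   "gd_recovery_rate_limit_exceed",
                   "gd_webauthn_challenge_failed"},
}

def hourly_counts(events):
    """Return {hour_start_iso_utc: {category: count}} for log events.

    Each event is a dict with assumed fields "date" (ISO 8601 timestamp)
    and "type" (event code). Codes absent from every table on this page
    are counted under the hypothetical "unclassified" bucket.
    """
    buckets = defaultdict(Counter)
    for ev in events:
        ts = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        ts = ts.astimezone(timezone.utc)
        hour = ts.replace(minute=0, second=0, microsecond=0).isoformat()
        matched = [c for c, codes in CATEGORIES.items() if ev["type"] in codes]
        for cat in matched or ["unclassified"]:
            buckets[hour][cat] += 1
    return {h: dict(c) for h, c in buckets.items()}

# Constructed sample events (not real tenant logs).
SAMPLE = [
    {"date": "2024-05-01T10:02:11.000Z", "type": "s"},
    {"date": "2024-05-01T10:05:40.000Z", "type": "fp"},
    {"date": "2024-05-01T10:05:41.000Z", "type": "fu"},
    {"date": "2024-05-01T10:06:02.000Z", "type": "limit_wc"},
    {"date": "2024-05-01T10:30:00.000Z", "type": "gd_auth_failed"},
    {"date": "2024-05-01T11:01:09.000Z", "type": "fs"},
    {"date": "2024-05-01T11:15:00.000Z", "type": "pwd_leak"},
    {"date": "2024-05-01T11:20:00.000Z", "type": "constructed_other"},
]

if __name__ == "__main__":
    for hour, counts in sorted(hourly_counts(SAMPLE).items()):
        print(hour, counts)
```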
