26 changes: 8 additions & 18 deletions main/docs/secure/security-center.mdx
Expand Up @@ -10,7 +10,7 @@ title: Security Center
'twitter:description': Learn about Security Center, which provides observability tools
that empower you to see potential attack trends and quickly respond to them in real-time.
'twitter:title': Security Center
---
---
Security Center provides observability tools that allow you to see potential attack trends and quickly respond to them in real-time. Security Center provides real-time monitoring that allows you to observe your own Customer Identity and Access Management (CIAM) anomaly detection metrics, and lets you configure attack mitigation features from within the same space.

## Real-time monitoring
Expand All @@ -27,13 +27,11 @@ Security Center provides you with an overview of your tenant’s security pulse

Security Center allows you to filter available data to your needs.

You can filter data based on a time period, including:
You can filter data based on the following fields:

* Last hour
* Last 12 hours
* Last day
* Last 7 days
* Last 14 days
* Time period (up to the last 14 days)
* Applications
* Connections

Depending on the time period you select, the data is automatically aggregated per minute, per hour, or per day.

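Review bot: The new bullet "Time period (up to the last 14 days)" no longer tells the reader which ranges can be selected, yet the sentence that follows still says the data is aggregated "per minute, per hour, or per day" depending on the selection. Consider stating which ranges map to which aggregation granularity, and whether the Applications and Connections filters can be combined, since someone reading an attack trend needs to know the resolution of the chart in front of them.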
Expand Down Expand Up @@ -73,46 +71,38 @@ We will identify patterns that are usually an indicator of known attack types an

</Callout>

<Frame>![Screenshot shows multiple line graphs for the Security Center Threat Protection tab.](/docs/images/cdy7uua7fh8z/Threat_Monitoring/Threat_Monitoring.png)</Frame>

#### Bot detection

<Tooltip tip="Bot Detection: Form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process." cta="View Glossary" href="/docs/glossary?term=Bot+detection">Bot detection</Tooltip> mitigates scripted attacks by detecting when a request is likely to be coming from a bot. Bot detection includes the number of bots detected over the last seven days.

<Frame>![Screenshot shows a line graph detailing number of bots detected in the last 7 days.](/docs/images/cdy7uua7fh8z/vfXBOFaB8fprq7rbr1vPG/0676832da280a528326b44f97624e8ff/Bot_Detection.png)</Frame>

To learn more about this feature, read [Bot Detection](/docs/secure/attack-protection/bot-detection).

#### Suspicious IP throttling

<Tooltip tip="Suspicious IP Throttling: Form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address." cta="View Glossary" href="/docs/glossary?term=Suspicious+IP+throttling">Suspicious IP throttling</Tooltip> blocks traffic from any IP address that rapidly attempts too many logins or signups. Suspicious IP throttling includes the number of suspicious IPs blocked over the last seven days.

<Frame>![Screenshot shows a line graph detailing number of suspicious IP activities detected in the last 7 days.](/docs/images/cdy7uua7fh8z/4q2Gso3wAbdAMM9YCUSxTk/23026864247740c4530668a8c4d21665/Suspicious_IP_Throttling.png)</Frame>

To learn more about this feature, read [Suspicious IP Throttling](/docs/secure/attack-protection/suspicious-ip-throttling).

#### Brute-force protection

<Tooltip tip="Brute-force Protection: Form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account." cta="View Glossary" href="/docs/glossary?term=Brute-force+protection">Brute-force protection</Tooltip> safeguards against a single IP address attacking a single user account. Brute-force protection includes the number of blocked brute-force attempts over the last seven days.

<Frame>![Screenshot shows a line graph detailing number of brute-force attempts blocked in the last 7 days.](/docs/images/cdy7uua7fh8z/2nDIp8GDPe2zhhzcdDPKue/a49e729930a01e21800856768440faab/Brute-Force_Protection.png)</Frame>

To learn more about this feature, read [Brute-Force Protection](/docs/secure/attack-protection/brute-force-protection).

#### Breached password detection

<Tooltip tip="Breached Password Detection: Form of attack protection in which Auth0 notifies your users if they use a username/password combination that has been compromised in a data leak on a third-party website or app." cta="View Glossary" href="/docs/glossary?term=Breached+password+detection">Breached password detection</Tooltip> protects your applications from <Tooltip tip="Breached Password Detection: Form of attack protection in which Auth0 notifies your users if they use a username/password combination that has been compromised in a data leak on a third-party website or app." cta="View Glossary" href="/docs/glossary?term=bad+actors">bad actors</Tooltip> signing up or logging in with stolen credentials. Breached password detection includes the number of breached credentials detected in login and signup flows over the last seven days.

<Frame>![Screenshot shows line graph detailing number of breached credentials detected in the last 7 days. Separate lines are shown for login flows and signup flows.](/docs/images/cdy7uua7fh8z/6DxOEJdBbE6flhk6S0apkx/f0ba51ef05a1717db67aa055299f0d08/Breached_Password_Detection.png)</Frame>

To learn more about this feature, read [Breached Password Detection](/docs/secure/attack-protection/breached-password-detection).

#### Multi-factor authentication

Multi-factor authentication (MFA) verifies users by requiring more than one type of user validation. MFA includes the number of MFA challenges detected and the number of MFA challenges passed or failed over the last seven days.

<Frame>![Screenshot shows two line graphs. One shows the number of MFA challenges in the last 7 days. The other shows the MFA success rate over the last 7 days. Separate lines are shown for MFA passed and MFA failed.](/docs/images/cdy7uua7fh8z/2qqYETiIMP2o0XOciJSS1b/b7b4a61563620aad422a2048e8eb08d4/Multi-Factor_Auth.png)</Frame>

To learn more about this feature, read [Multi-Factor Authentication](/docs/secure/multi-factor-authentication).

## Learn more

* [Metrics](/docs/secure/security-center/metrics)
* [Metrics](/docs/secure/security-center/metrics)
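Review bot: Every metric paragraph in this hunk (bot detection, suspicious IP throttling, brute-force protection, breached password detection, MFA) still says the count covers "the last seven days", while the filter list changed earlier in this file now allows a time period of up to the last 14 days. Either reword these sentences to refer to the selected time period or state that seven days is the default view. Separately, the "bad actors" tooltip in the breached password detection paragraph carries the Breached Password Detection tip text, which is worth correcting while this section is being edited.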
46 changes: 2 additions & 44 deletions main/docs/secure/security-center/metrics.mdx
Expand Up @@ -10,56 +10,14 @@ title: Metrics
that are usually an indicator of known attack types.
'twitter:title': Metrics
---
Security Center uses tenant log events to identify patterns that are usually an indicator of known attack types. We classify tenant log event patterns into categories: normal traffic, credential stuffing threats, signup attack threats, and <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> bypass threats.
Security Center uses tenant log events to identify patterns that are usually an indicator of known attack types. We classify tenant log event patterns into categories: credential stuffing threats, signup attack threats, and <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> bypass threats.

<Warning>

Classification of event type codes may change. Avoid implementing solutions dependent on the current log event code definitions.

</Warning>

## Normal traffic

We use normal traffic to establish a benchmark against different threat types we may observe. Normal traffic includes all successful and failed events for a given hour, which includes the following event codes:

<table class="table"><thead>
<tr>
<th>Event code</th>
<th>Event</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>s</code></td>
<td>Successful login</td>
</tr>
<tr>
<td><code>ss</code></td>
<td>Successful signup</td>
</tr>
<tr>
<td><code>sepft</code></td>
<td>Successful exchange of password for access token</td>
</tr>
<tr>
<td><code>f</code></td>
<td>Failed user login</td>
</tr>
<tr>
<td><code>fu</code></td>
<td>Failed user login due to invalid username</td>
</tr>
<tr>
<td><code>fp</code></td>
<td>Failed user login due to invalid password</td>
</tr>
<tr>
<td><code>pwd_leak</code></td>
<td>Attempted login with a leaked password</td>
</tr>
</tbody>
</table>

## Credential stuffing

We identify credential stuffing threats within a single hour with the following event codes:
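Review bot: Removing the "## Normal traffic" section also removes its heading anchor and the only sentence on this page saying that normal traffic is the benchmark the threat types are compared against; the intro now lists only the three threat categories. Check that no other page links to the normal-traffic anchor, and if a baseline is still part of the classification, keep one sentence saying so, so readers know what the threat counts are measured against. The commit description should also say why these event codes are no longer documented here.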
Expand Down Expand Up @@ -172,4 +130,4 @@ We identify MFA bypass threats within a single hour with the following event cod
<td>WebAuthn browser failure</td>
</tr>
</tbody>
</table>
</table>
8 changes: 6 additions & 2 deletions main/docs/secure/security-center/security-alerts.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,12 @@ title: Configure Security Monitoring Alerts

Thresholds are calculated on a weighted moving average for a given metric and are customizable in your <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>. Each defined threshold is viewable on your threat monitor metric charts and aggregated on an hourly basis; if no recovery threshold is configured, the recovery default to just below the set warning or alert threshold.

<Warning>

Thresholds apply to the original metric without filters. When filters are applied, the original threshold and filtered trend lines are visible.

</Warning>

<Frame>![A second screenshot of our Security Center Thresholds product](/docs/images/cdy7uua7fh8z/1Kd9d33WUCdlVa1SwEFkKQ/496722ce86bc00cc7f58d1e04e1fd006/MFA_success_rate_threshold_editor_-_english.png)</Frame>

1. Go to [**Security > Security Center > Threat Monitoring**](https://manage.auth0.com/#/security/center/bot-detection) and choose a metric chart.
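Review bot: The added Warning says "Thresholds apply to the original metric without filters" but does not say what that means for notifications. State explicitly whether alert, warning, and recovery notices are evaluated against the unfiltered metric only, so an operator looking at a filtered trend line next to the threshold line does not misread it as the alerting condition. The paragraph above it also reads "the recovery default to just below", which should be "the recovery threshold defaults to just below".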
Expand All @@ -57,8 +63,6 @@ Thresholds are calculated on a weighted moving average for a given metric and ar

Thresholds can also be updated or removed in the expand view screen. Different thresholds on the same chart are behind the Threshold label carrot at the top right.

<Frame>![A third screenshot of our Thresholds product ](/docs/images/cdy7uua7fh8z/2E22W6hrzfVAxF0h3H1eR8/cc3afd4e99933f5948461395442bb553/MFA_success_rate_threshold_picker_-_English.png)</Frame>

#### Manage notification destinations

Notification destinations are endpoints to which alert, warning, and recovery notices are delivered. Each tenant is limited to two destination endpoints, and a third-party webhook editor is recommended to personalize the notification's message.
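Review bot: With the threshold picker screenshot removed, the sentence "Different thresholds on the same chart are behind the Threshold label carrot at the top right" is now the only description of that control, and it is hard to follow without the image. Change "carrot" to "caret" and name the control and what opening it shows, or keep an updated screenshot.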