Commit 39ad469

detection ids
1 parent d3581f1 commit 39ad469

5 files changed: +218, -191 lines changed

src/content/docs/bots/additional-configurations/detection-ids.mdx

Lines changed: 0 additions & 191 deletions
This file was deleted.
Lines changed: 81 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,81 @@
1+
---
2+
pcx_content_type: concept
3+
title: Account takeover detections
4+
sidebar:
5+
order: 3
6+
---
7+
8+
import { Render, Tabs, TabItem, Steps } from "~/components"
9+
10+
11+
Using the detection IDs below, you can detect and mitigate account takeover attacks. You can monitor the number of login requests for a given software and network combination, as well as the percentage of login errors. When it reaches a suspicious level, you can prevent these attacks by using [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), and [Workers](/workers/).
12+
13+
| Detection ID | Description |
14+
| ------------ | ---------------------------------------- |
15+
| `201326592` | Observes all login failures to the zone. |
16+
| `201326593` | Observes all login traffic to the zone. |
17+
| `201326598` | Sets a dynamic threshold based on the normal traffic that is unique to the zone.<br /><br /> When the ID matches a login failure, Bot Management sets the [bot score](/bots/concepts/bot-score/) to 29 and uses [anomaly detection](/bots/concepts/bot-detection-engines/#anomaly-detection-enterprise) as its score source. |
18+
19+
### Challenges for account takeover detections
20+
21+
Cloudflare's [Managed Challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) can limit brute-force attacks on your login endpoints.
22+
23+
To access account takeover detections:
24+
25+
<Tabs syncKey="dashNewNav">
26+
<TabItem label="Old dashboard">
27+
<Steps>
28+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
29+
2. Go to **Security** > **WAF**.
30+
3. Under **Custom Rules**, select **Create rule**.
31+
4. Fill out the form using **Bot Detection IDs** along with other necessary information.
32+
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule.
33+
</Steps>
34+
</TabItem>
35+
<TabItem label="New dashboard" icon="rocket">
36+
<Steps>
37+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
38+
2. Go to **Security** > **Security rules**.
39+
3. Select **Create rule** and choose **Custom rule**.
40+
4. Fill out the form using **Bot Detection IDs** along with other necessary information.
41+
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule.
42+
</Steps>
43+
</TabItem>
44+
</Tabs>
45+
46+
```js title="Rule example"
47+
48+
(any(cf.bot_management.detection_ids[*] eq 201326593))
49+
```
50+
51+
### Limit logins with account takeover detections
52+
53+
Rate limiting rules can limit the number of logins from a particular IP, JA4 Fingerprint, or country.
54+
55+
To use rate limiting rules with account takeover detections:
56+
57+
<Tabs syncKey="dashNewNav">
58+
<TabItem label="Old dashboard">
59+
<Steps>
60+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
61+
2. Go to **Security** > **WAF**.
62+
3. Under **Rate limiting rules**, select **Create rule**.
63+
4. Fill out the form using the **Custom expression builder** and `cf.bot_management_detection_ids` along with other necessary information.
64+
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule.
65+
</Steps>
66+
</TabItem>
67+
<TabItem label="New dashboard" icon="rocket">
68+
<Steps>
69+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
70+
2. Go to **Security** > **Security rules**.
71+
3. Select **Create rule** and choose **Rate limiting rule**.
72+
4. Fill out the form using the **Custom expression builder** and `cf.bot_management_detection_ids` along with other necessary information.
73+
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule.
74+
</Steps>
75+
</TabItem>
76+
</Tabs>
77+
78+
:::note
79+
The rule can be enhanced with Leaked Credential Checks. Refer to the [WAF documentation](/waf/detections/leaked-credentials/) for more information on how to include leaked credentials and account takeover detections in a rate limiting rule.
80+
81+
:::
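Review bot: The rate limiting steps at new-file lines 63 and 72 name the field `cf.bot_management_detection_ids`, while the rule example at line 48 uses `cf.bot_management.detection_ids[*]`; the two spellings should match, and the dotted form used in the expression looks like the one to keep. The `js` fence at lines 46-49 also opens with a blank line before the expression, and the example sits after the closing `</Tabs>` without saying which rule action it is meant to pair with (for instance the Managed Challenge mentioned at line 21), so a one-sentence lead-in would help. `Render` is imported at line 8 but is not used anywhere in this file.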
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
---
2+
pcx_content_type: concept
3+
title: Additional detections
4+
sidebar:
5+
order: 4
6+
---
7+
8+
9+
| Detection ID | Description |
10+
| ------------ | ---------------------------------------- |
11+
| `50331651` | Observes traffic from residential proxy networks and similar commercial proxies. <br /><br />When the ID matches a request, Bot Management sets the bot score to 29 and uses [anomaly detection](/bots/concepts/bot-detection-engines/#anomaly-detection-enterprise) as its score source. |
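Review bot: The page goes straight from the frontmatter to the table at line 9, so a reader gets no sentence saying what these detections are for or how to use the ID in a rule; the account takeover page opens with such a paragraph and a rule example, and something similar would fit here. In the `50331651` row, "bot score" is plain text while the same phrase in the account takeover table links to `/bots/concepts/bot-score/`; linking it here keeps the two tables consistent.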
