You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/bots/additional-configurations/detection-ids.mdx
+14-1Lines changed: 14 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,6 +25,8 @@ You can use `cf.bot_management.detection_ids` fields in tools such as:
25
25
26
26
Bot Detection IDs and tags are also available in [Bot Analytics](/bots/bot-analytics/) and [Security Analytics](/waf/analytics/security-analytics/).
27
27
28
+
---
29
+
28
30
## Detection tags
29
31
30
32
Detection tags refer to the category associated with the detection ID at the time that Cloudflare has fingerprinted a bot. For example, if a detection tag is `go`, this means that Cloudflare has observed traffic from that detection ID from a Go programming language bot.
@@ -34,6 +36,8 @@ Detection tags refer to the category associated with the detection ID at the tim
34
36
Detection tags are available in Security Analytics, but not in the Security Events.
35
37
:::
36
38
39
+
---
40
+
37
41
## Bot Detection IDs via Logpush
38
42
39
43
You can create or edit existing Logpush jobs to include the new Bot Detection IDs field which will provide an array of IDs for each request that has heuristics match on it. The `BotDetectionIDs` field is available as part of the HTTP Requests dataset and you can add it to new or existing jobs via the Logpush API or on the Cloudflare dashboard. This is the primary method to discover Detection IDs.
@@ -77,6 +81,7 @@ You can create or edit existing Logpush jobs to include the new Bot Detection ID
77
81
</TabItem>
78
82
</Tabs>
79
83
84
+
---
80
85
81
86
## Use cases
82
87
@@ -99,6 +104,8 @@ and http.request.method eq "POST"
99
104
and not any(cf.bot_management.detection_ids[*] in {335544612577893})
100
105
```
101
106
107
+
---
108
+
102
109
## Account takeover detections
103
110
104
111
Using the detection IDs below, you can detect and mitigate account takeover attacks. You can monitor the number of login requests for a given software and network combination, as well as the percentage of login errors. When it reaches a suspicious level, you can prevent these attacks by using [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), and [Workers](/workers/).
@@ -107,7 +114,7 @@ Using the detection IDs below, you can detect and mitigate account takeover atta
|`201326592`| Observes all login failures to the zone. |
109
116
|`201326593`| Observes all login traffic to the zone. |
110
-
|`201326598`| Sets a dynamic threshold based on the normal traffic that is unique to the zone.<br /><br /> When the ID matches a login failure, Bot Management sets the [bot score](/bots/concepts/bot-score/) to 2 and [anomaly detection](/bots/concepts/bot-detection-engines/#anomaly-detection-enterprise) as its score source. |
117
+
|`201326598`| Sets a dynamic threshold based on the normal traffic that is unique to the zone.<br /><br /> When the ID matches a login failure, Bot Management sets the [bot score](/bots/concepts/bot-score/) to 29 and [anomaly detection](/bots/concepts/bot-detection-engines/#anomaly-detection-enterprise) as its score source. |
111
118
112
119
### Challenges for account takeover detections
113
120
@@ -173,6 +180,12 @@ The rule can be enhanced with Leaked Credential Checks. Refer to the [WAF docume
|`50331651`| Observes traffic from residential proxy networks and similar commercial proxies. <br /><br />When the ID matches a request, Bot Management sets the bot score to 29 and anomaly detection as its score source. |
188
+
176
189
## Availability
177
190
178
191
Detection IDs are available for Enterprise Bot Management customers.
0 commit comments