
# Bot Detection Playbook

> Playbook for using Auth0's Bot Detection monitoring feature in the Security Center

<Card title="Before you begin">
  You must enable [Bot Detection](/docs/fr-ca/secure/attack-protection/bot-detection) and configure a [CAPTCHA provider](/docs/fr-ca/secure/attack-protection/bot-detection/configure-captcha).
</Card>

Auth0's [Bot Detection monitoring feature](/docs/fr-ca/secure/security-center#bot-detection) is an early warning system for botnet activity and automated attacks against your tenant. The guidance below helps you identify bots attempting to log in to your tenant.

#### Find log events of interest

Before deciding on a response, review the log events generated during the suspected attack. For advanced analysis, enable [log streaming](/docs/fr-ca/customize/log-streams) and connect it to the external tool of your choice.

The following [log event types](/docs/fr-ca/deploy-monitor/logs/log-event-type-codes) are relevant when investigating an uptick in bot activity.

| Log Event Type | Description                                                                                                                                                                                             |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `pla`          | Generated before login whenever Bot Detection assesses a request, even if Bot Detection is in monitoring mode only and is not using CAPTCHAs to challenge bots.                                        |
| `fu`           | Failed login due to an invalid username, which can indicate username enumeration or account takeover attempts.                                                                                          |
| `fp`           | Failed login due to an invalid password, which can indicate credential stuffing.                                                                                                                        |
| `pwd_leak`     | Login attempt using a password known to be leaked, which can indicate credential stuffing.                                                                                                              |
| `limit_wc`     | IP block event after more than 10 failed login attempts against a single account, indicating that the IP address is likely a bot.                                                                        |
| `limit_sul`    | User block event after more than 20 login attempts per minute from the same IP address, indicating likely bot activity.                                                                                  |
| `limit_mu`     | IP block event after more than 100 failed login attempts or more than 50 signup attempts from the same IP address, indicating likely bot activity.                                                        |
| `fcoa`         | Failed cross-origin authentication, which can indicate attackers using automation to attempt account takeover.                                                                                          |
| `scoa`         | Successful cross-origin authentication; many such events for different users originating from a small number of IP addresses can indicate automated account takeover.                                   |
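The triage pass described above can be scripted against a log stream export. The following is an added example for this playbook, not Auth0's own tooling: it reads newline-delimited JSON events of the shape a log stream delivers (assuming the tenant-log field names `type`, `ip`, `user_name` and `date`), aggregates the event types from the table per source IP, and flags IPs that show the patterns the table describes (many failures, many distinct usernames targeted from one IP, `scoa` for many users from one IP, or an automatic `limit_*` block already applied). The sample events and the low thresholds are constructed for illustration; tune the thresholds to your tenant's traffic.

```python
"""Triage Auth0 log-stream events for bot activity.

Added example for this playbook, not Auth0 code. It assumes the event
shape that Auth0 log streams emit (one JSON object per event with at
least `type`, `ip`, `user_name` and `date`). The events below are
constructed samples, not real tenant data.
"""
import json
from collections import defaultdict

# Event types from the table above, grouped by what they tell us.
FAILED_LOGIN = {"fu", "fp", "pwd_leak"}           # failed or leaked-credential logins
AUTO_BLOCKS = {"limit_wc", "limit_sul", "limit_mu"}  # Auth0 already blocked the source

# Constructed sample: one NDJSON line per event, as a log stream would deliver.
SAMPLE_NDJSON = """\
{"type": "pla", "ip": "203.0.113.7", "user_name": "alice@example.com", "date": "2024-05-01T10:00:00.000Z"}
{"type": "fp", "ip": "203.0.113.7", "user_name": "alice@example.com", "date": "2024-05-01T10:00:01.000Z"}
{"type": "fp", "ip": "203.0.113.7", "user_name": "bob@example.com", "date": "2024-05-01T10:00:02.000Z"}
{"type": "fu", "ip": "203.0.113.7", "user_name": "carol@example.com", "date": "2024-05-01T10:00:03.000Z"}
{"type": "pwd_leak", "ip": "203.0.113.7", "user_name": "dave@example.com", "date": "2024-05-01T10:00:04.000Z"}
{"type": "limit_mu", "ip": "203.0.113.7", "user_name": "", "date": "2024-05-01T10:00:05.000Z"}
{"type": "scoa", "ip": "198.51.100.9", "user_name": "eve@example.com", "date": "2024-05-01T10:01:00.000Z"}
{"type": "scoa", "ip": "198.51.100.9", "user_name": "frank@example.com", "date": "2024-05-01T10:01:01.000Z"}
{"type": "scoa", "ip": "198.51.100.9", "user_name": "grace@example.com", "date": "2024-05-01T10:01:02.000Z"}
{"type": "fp", "ip": "192.0.2.44", "user_name": "heidi@example.com", "date": "2024-05-01T10:02:00.000Z"}
{"type": "s", "ip": "192.0.2.44", "user_name": "heidi@example.com", "date": "2024-05-01T10:02:05.000Z"}
"""


def parse_events(ndjson):
    """Parse NDJSON into a list of event dicts, skipping blank or truncated lines."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole triage pass
    return events


def summarize_by_ip(events):
    """Per-IP counters for the event types in the table."""
    stats = defaultdict(lambda: {"pla": 0, "failed": 0, "targets": set(),
                                 "blocks": [], "scoa_users": set(), "fcoa": 0})
    for ev in events:
        s = stats[ev.get("ip") or "unknown"]
        t = ev.get("type")
        user = ev.get("user_name")
        if t == "pla":
            s["pla"] += 1
        elif t in FAILED_LOGIN:
            s["failed"] += 1
            if user:
                s["targets"].add(user)
        elif t in AUTO_BLOCKS:
            s["blocks"].append(t)
        elif t == "scoa" and user:
            s["scoa_users"].add(user)
        elif t == "fcoa":
            s["fcoa"] += 1
    return stats


def flag_suspects(stats, failed_threshold=3, spray_threshold=3, scoa_user_threshold=3):
    """Return {ip: [reasons]} for IPs matching the playbook's bot indicators.

    Thresholds are deliberately low for the constructed sample; Auth0's own
    automatic blocks fire at the 10/20/100 limits listed in the table.
    """
    suspects = {}
    for ip, s in stats.items():
        reasons = []
        if s["blocks"]:
            reasons.append("already blocked by " + ",".join(sorted(set(s["blocks"]))))
        if s["failed"] >= failed_threshold:
            reasons.append(f"{s['failed']} failed logins")
        if len(s["targets"]) >= spray_threshold:
            reasons.append(f"{len(s['targets'])} distinct usernames targeted")
        if len(s["scoa_users"]) >= scoa_user_threshold:
            reasons.append(f"scoa for {len(s['scoa_users'])} users from one IP")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    report = flag_suspects(summarize_by_ip(parse_events(SAMPLE_NDJSON)))
    for ip, reasons in report.items():
        print(ip, "->", "; ".join(reasons))
```

Run against the sample, the script flags `203.0.113.7` (already blocked by `limit_mu`, four failures across four usernames) and `198.51.100.9` (`scoa` for three different users from one IP), while `192.0.2.44`, a single typo followed by a successful login, is left alone. Feed real exports through `parse_events` and raise the thresholds toward the limits in the table before acting on the output.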

#### Attack response

While setting the <Tooltip href="/docs/fr-ca/glossary?term=bot-detection" tip="Bot detection
A form of attack protection in which Auth0 blocks traffic suspected of coming from bots by triggering a CAPTCHA during the login process." cta="See the glossary">Bot Detection</Tooltip> level to High mitigates the attack immediately, a comprehensive strategy balances your business's risk tolerance and technical capabilities against the experience your users have when they sign in. When responding, consider two main factors:

* **User friction:** evaluate the impact of mitigation measures (for example, CAPTCHA frequency) on user experience.
* **Technical capacity:** assess your ability to implement IP blocking, WAF rules, and <Tooltip href="/docs/fr-ca/glossary?term=multifactor-authentication" tip="Multi-factor authentication (MFA)
A user authentication process that uses a factor in addition to the username and password, such as a code sent by SMS." cta="See the glossary">MFA</Tooltip> enforcement.

Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection.

#### Mitigation strategies

For optimal protection from attacks, consider the following strategies:

* Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution.
* If attackers bypass your current CAPTCHA, change your CAPTCHA provider, or consider migrating to Auth0's Auth Challenge or another [supported provider](/docs/fr-ca/secure/attack-protection/bot-detection/configure-captcha).
* If you suspect a signup fraud campaign, temporarily prevent new user signups to your application from public, unauthenticated endpoints.
* Change your web application firewall rules with an edge provider, or use [tenant access control lists](/docs/fr-ca/secure/tenant-access-control-list), to block abusive IPs, autonomous system numbers, geographic locations, [TLS clients](/docs/fr-ca/customize/custom-domains/self-managed-certificates/tls-ssl), or HTTP header elements such as `user-agent` strings, and consider deploying a [reverse proxy](/docs/fr-ca/customize/custom-domains/self-managed-certificates#configure-reverse-proxy).
* Tighten [Brute Force](/docs/fr-ca/secure/attack-protection/brute-force-protection) and [Suspicious IP](/docs/fr-ca/secure/attack-protection/suspicious-ip-throttling) thresholds to lower the number of attempts allowed before a block and mitigate brute-force attacks. For more information about brute-force attacks, read the [Brute Force playbook](/docs/fr-ca/secure/attack-protection/playbooks/brute-force-protection-playbook).
* Disable unused endpoints by modifying your [Cross-Origin Authentication](/docs/fr-ca/authenticate/login/cross-origin-authentication) settings.
* If you suspect breached-password attacks, read the [Breached Password playbook](/docs/fr-ca/secure/attack-protection/playbooks/breached-password-playbook).
* Enforce [step-up MFA](/docs/fr-ca/secure/multi-factor-authentication/step-up-authentication) for sensitive actions, up to and including requiring MFA on every login for potentially compromised accounts.
* Migrate to stronger MFA factors, replacing SMS or voice-based MFA with OTP or WebAuthn; this also mitigates SMS pumping and toll fraud attacks.
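Tightening the Brute Force and Suspicious IP Throttling thresholds from the list above can be done through the Management API rather than the dashboard, which matters when you want the change scripted and reversible. The following is an added example, not Auth0's own code: it assumes the Management API v2 attack-protection resources `PATCH /api/v2/attack-protection/brute-force-protection` and `PATCH /api/v2/attack-protection/suspicious-ip-throttling` and the field names shown in the "current settings" dicts (confirm both against the current API reference before use). The guard functions refuse any change that would loosen a limit, so a mistyped value during an incident cannot open the tenant up further; the tenant domain, token and current settings are placeholders.

```python
"""Build Management API PATCH bodies that tighten Brute Force and Suspicious
IP Throttling thresholds, refusing any change that loosens them.

Added example for this playbook, not Auth0 code. Endpoint paths and field
names are assumed from the Auth0 Management API v2 attack-protection
resources; confirm them against the current reference. The "current"
settings below are constructed stand-ins for what a GET would return.
"""
import json
import urllib.request

BRUTE_FORCE_PATH = "/api/v2/attack-protection/brute-force-protection"
SUSPICIOUS_IP_PATH = "/api/v2/attack-protection/suspicious-ip-throttling"

# Constructed stand-ins for the current tenant settings (assumed field names).
CURRENT_BRUTE_FORCE = {
    "enabled": True,
    "shields": ["block", "user_notification"],
    "allowlist": ["198.51.100.10"],
    "mode": "count_per_identifier_and_ip",
    "max_attempts": 10,
}
CURRENT_SUSPICIOUS_IP = {
    "enabled": True,
    "shields": ["admin_notification", "block"],
    "allowlist": ["198.51.100.10"],
    "stage": {
        "pre-login": {"max_attempts": 100, "rate": 864000},
        "pre-user-registration": {"max_attempts": 50, "rate": 1200},
    },
}


def tighten_brute_force(current, max_attempts):
    """Return a PATCH body lowering the per-account failed-login limit.

    Raises ValueError if the new limit is not strictly lower than the current one.
    """
    if not 1 <= max_attempts < current["max_attempts"]:
        raise ValueError(f"max_attempts must be in [1, {current['max_attempts']})")
    body = dict(current)            # shallow copy; the shields list is replaced, not mutated
    body["enabled"] = True
    body["max_attempts"] = max_attempts
    if "block" not in body["shields"]:
        body["shields"] = body["shields"] + ["block"]  # notifying without blocking stops nothing
    return body


def tighten_suspicious_ip(current, login_max, signup_max):
    """Return a PATCH body lowering per-IP login and signup limits, keeping the rates."""
    stage = current["stage"]
    cur_login = stage["pre-login"]["max_attempts"]
    cur_signup = stage["pre-user-registration"]["max_attempts"]
    if not 1 <= login_max < cur_login or not 1 <= signup_max < cur_signup:
        raise ValueError("new limits must be strictly lower than the current limits")
    body = json.loads(json.dumps(current))  # deep copy so the caller's dict is untouched
    body["enabled"] = True
    body["stage"]["pre-login"]["max_attempts"] = login_max
    body["stage"]["pre-user-registration"]["max_attempts"] = signup_max
    if "block" not in body["shields"]:
        body["shields"].append("block")
    return body


def patch(domain, token, path, body):
    """Send the PATCH to the tenant (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"https://{domain}{path}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Halve the per-account limit and cut per-IP login/signup limits sharply.
    print(json.dumps(tighten_brute_force(CURRENT_BRUTE_FORCE, 5), indent=2))
    print(json.dumps(tighten_suspicious_ip(CURRENT_SUSPICIOUS_IP, 30, 10), indent=2))
    # patch("YOUR_TENANT.auth0.com", "MGMT_API_TOKEN", BRUTE_FORCE_PATH, ...)
```

Keep a copy of the GET response before patching so the original limits can be restored once the attack subsides; the guard only prevents loosening, it does not remember what you started from.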
