> Playbook for using Auth0's Bot Detection monitoring feature in the Security Center

# Bot Detection Playbook

<Card title="Before you start">
  You must enable [Bot Detection](/docs/secure/attack-protection/bot-detection) and configure a [CAPTCHA provider](/docs/secure/attack-protection/bot-detection/configure-captcha).
</Card>

Auth0's [Bot Detection monitoring feature](/docs/secure/security-center#bot-detection) is an early warning system for botnet detection and attacks. The guidance below helps you identify bots trying to log in to your tenant.

#### Find log events of interest

When considering a response, first sift through the log messages from the potential attack. For advanced analysis, enable [log streaming](/docs/customize/log-streams) and connect it to the external tool of your choice.

The following [log event types](/docs/deploy-monitor/logs/log-event-type-codes) are relevant when investigating an uptick in bot activity.

| Log Event Type | Description                                                                                                                                                                                        |
| -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `pla`          | Generated before login to monitor bot detection, even if bot detection is only in monitoring mode and not using CAPTCHAs to identify bots.                                                         |
| `fu`           | Failed user login events due to invalid username, which can indicate attempted username enumeration or account takeover attempts.                                                                  |
| `fp`           | Failed user login events due to invalid password, which can indicate attempted credential stuffing attacks.                                                                                        |
| `pwd_leak`     | Attempted login events with a leaked password, which can indicate attempted credential stuffing attacks.                                                                                           |
| `limit_wc`     | IP block events for >10 failed login attempts to a single account, which indicate the IP address is likely to belong to a bot.                                                                     |
| `limit_sul`    | User block events for >20 login attempts per minute from the same IP address, which indicate likely bot activity.                                                                                  |
| `limit_mu`     | IP block events for >100 failed login attempts or >50 signup attempts from the same IP address, which indicate likely bot activity.                                                                |
| `fcoa`         | Failed cross-origin authentication events, which indicate attackers using automation to perform account takeovers.                                                                                 |
| `scoa`         | Successful cross-origin authentication events, which indicate attackers using automation to perform account takeovers when originating from a small number of IP addresses across multiple users.  |
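
As an added example (not Auth0 code), the following script triages streamed log events by source IP using the event types in the table above. It assumes one JSON event per line carrying the `type`, `ip` and `user_name` fields; the `min_users` threshold and the sample events are constructed for illustration.

```python
import json
from collections import defaultdict

FAILED = {"fu", "fp", "pwd_leak", "fcoa"}       # failed-login types from the table
BLOCKS = {"limit_wc", "limit_sul", "limit_mu"}  # Auth0 already blocked an IP or user

def triage(lines, min_users=3):
    """Return {ip: [reasons]} for source IPs whose events look automated.
    min_users is an illustrative threshold (assumption), not an Auth0 default."""
    failures = defaultdict(int)
    failed_users, scoa_users, blocks = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in lines:
        try:
            event = json.loads(line)
            ip, kind = event["ip"], event["type"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue                            # skip blank, truncated or non-event records
        user = event.get("user_name") or "<unknown>"
        if kind in FAILED:
            failures[ip] += 1
            failed_users[ip].add(user)
        elif kind in BLOCKS:
            blocks[ip].add(kind)
        elif kind == "scoa":
            scoa_users[ip].add(user)
    report = defaultdict(list)
    for ip, kinds in blocks.items():
        report[ip].append("blocked: " + ",".join(sorted(kinds)))
    for ip, users in failed_users.items():
        if len(users) >= min_users:             # many accounts tried from one address
            report[ip].append(f"{failures[ip]} failed logins across {len(users)} usernames")
    for ip, users in scoa_users.items():
        if len(users) >= min_users:             # one address succeeding as many users
            report[ip].append(f"scoa for {len(users)} users")
    return dict(report)

# Constructed sample events (documentation IP ranges, made-up users).
SAMPLE = """\
{"type": "fp", "ip": "203.0.113.7", "user_name": "a@example.com"}
{"type": "fp", "ip": "203.0.113.7", "user_name": "b@example.com"}
{"type": "pwd_leak", "ip": "203.0.113.7", "user_name": "c@example.com"}
{"type": "limit_mu", "ip": "203.0.113.7"}
{"type": "scoa", "ip": "198.51.100.9", "user_name": "u1@example.com"}
{"type": "scoa", "ip": "198.51.100.9", "user_name": "u2@example.com"}
{"type": "scoa", "ip": "198.51.100.9", "user_name": "u3@example.com"}
{"type": "fp", "ip": "192.0.2.5", "user_name": "dave@example.com"}
{"type": "fp", "ip": "192.0.2
""".splitlines()
```

Calling `triage(SAMPLE)` flags the two addresses that touch several accounts and ignores the single mistyped password; the flagged IPs are candidates for the blocking options under the mitigation strategies.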

#### Attack response

While setting the <Tooltip tip="Bot Detection: Form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process." cta="View Glossary" href="/docs/glossary?term=Bot+Detection">Bot Detection</Tooltip> level to High immediately mitigates the attack, a comprehensive strategy balances your business's risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:

* **User friction**: evaluate the impact of mitigation measures (e.g. CAPTCHA frequency) on user experience.
* **Technical capacity**: assess your ability to implement IP blocking, WAF rules, and <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> enforcement.

Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection.

#### Mitigation strategies

For optimal protection from attacks, consider the following strategies:

* Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution.
* Change your CAPTCHA provider if attackers bypass your current CAPTCHA, or consider migrating to Auth0's Auth Challenge or another [supported provider](/docs/secure/attack-protection/bot-detection/configure-captcha).
* If you suspect a signup fraud campaign, temporarily prevent new user signups to your application from public, unauthenticated endpoints.
* Change your web application firewall rules with an edge provider or use [tenant access control lists](/docs/secure/tenant-access-control-list) to block abusive IPs, autonomous system numbers, geographic locations, [TLS clients](/docs/customize/custom-domains/self-managed-certificates/tls-ssl), or HTTP header elements like `user-agent` strings, and consider employing a [reverse proxy](/docs/customize/custom-domains/self-managed-certificates#configure-reverse-proxy).
* Tighten [Brute Force](/docs/secure/attack-protection/brute-force-protection) and [Suspicious IP](/docs/secure/attack-protection/suspicious-ip-throttling) thresholds to reduce allowed connection limits and mitigate brute-force attacks. For more information about brute force attacks, read the [Brute Force playbook](/docs/secure/attack-protection/playbooks/brute-force-protection-playbook).
* Disable unused endpoints by modifying your [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication) settings. If you suspect breached password attacks, read the [Breached Password playbook](/docs/secure/attack-protection/playbooks/breached-password-playbook).
* Enforce [step-up MFA](/docs/secure/multi-factor-authentication/step-up-authentication) for compromised accounts, up to and including requiring MFA for potentially compromised accounts.
* Migrate to stronger MFA options to mitigate SMS pumping or toll fraud attacks by replacing SMS or voice-based MFA with OTP or WebAuthn.
