> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn about the tenant log events we use to identify patterns that are usually an indicator of known attack types.

# Metrics

Security Center uses tenant log events to identify patterns that are usually an indicator of known attack types. We classify tenant log event patterns into categories: credential stuffing threats, signup attack threats, and <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> bypass threats.

<Warning>
  Classification of event type codes may change. Avoid implementing solutions dependent on the current log event code definitions.
</Warning>

## Credential stuffing

We identify credential stuffing threats within a single hour with the following event codes:

| Event code  | Event                                                            |
| ----------- | ---------------------------------------------------------------- |
| `f`         | Failed user login                                                |
| `fu`        | Failed user login due to invalid username                        |
| `fp`        | Failed user login due to invalid password                        |
| `pwd_leak`  | Attempted login with a leaked password                           |
| `limit_wc`  | IP blocked for >10 failed login attempts to a single account     |
| `limit_sul` | User blocked for >20 login per minute from the same IP address   |
| `limit_mu`  | IP blocked for >100 failed login attempts or >50 signup attempts |

## Signup attack

We identify signup attack threats within a single hour with the following event codes:

| Event code | Event         |
| ---------- | ------------- |
| `fs`       | Failed signup |

## MFA bypass

We identify MFA bypass threats within a single hour with the following event codes:

| Event code                      | Event                                |
| ------------------------------- | ------------------------------------ |
| `gd_send_email`                 | Sent email                           |
| `gd_send_pn`                    | Sent push notification               |
| `gd_send_sms`                   | Sent SMS                             |
| `gd_send_voice`                 | Sent voice call                      |
| `gd_auth_failed`                | Failed OTP authentication            |
| `gd_auth_rejected`              | Rejected OTP authentication          |
| `gd_otp_rate_limit_exceed`      | Too many OTP authentication failures |
| `gd_recovery_failed`            | Failed recovery                      |
| `gd_recovery_rate_limit_exceed` | Too many recovery failures           |
| `gd_webauthn_challenge_failed`. | WebAuthn browser failure             |