Date: 2024-01-04

Rate limit suspicious logins with leaked credentials

Note: Access to the cf.waf.credential_check.username_and_password_leaked field requires a Pro plan or above.

Create a rate limiting rule using account takeover (ATO) detection and leaked credentials fields to limit volumetric attacks from particular IP addresses, JA4 Fingerprints, or countries.

The following example rule applies rate limiting to requests with a specific ATO detection ID (corresponding to "Observes all login traffic to the zone") that contain a previously leaked username and password:

When incoming requests match:

(any(cf.bot_management.detection_ids[*] eq 201326593 and cf.waf.credential_check.username_and_password_leaked))

With the same characteristics: IP

When rate exceeds:

Requests: 5

Period: 1 minute
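
To estimate which clients this rule would affect before deploying it, the same match-and-count logic can be replayed over exported login events. The following Python is an added example, not Cloudflare's code: the event field names and sample data are constructed, and the sliding one-minute window is an assumed, simplified model of how the rate is counted.

```python
from collections import defaultdict, deque

ATO_LOGIN_DETECTION_ID = 201326593  # detection ID used in the rule on this page
REQUESTS = 5                        # "When rate exceeds: Requests: 5"
PERIOD_SECONDS = 60                 # "Period: 1 minute"

def matches_rule(event):
    """Mirror the rule: ATO detection ID present AND leaked username+password."""
    return (ATO_LOGIN_DETECTION_ID in event["detection_ids"]
            and event["username_and_password_leaked"])

def ips_exceeding_rate(events):
    """Return {ip: timestamp of the first matching request over the limit}.

    Counting is per source IP (the rule's only characteristic) over a
    sliding window; the window model is an assumption of this example.
    """
    windows = defaultdict(deque)
    tripped = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches_rule(ev):
            continue  # requests that do not match never count toward the rate
        win = windows[ev["ip"]]
        win.append(ev["ts"])
        while ev["ts"] - win[0] >= PERIOD_SECONDS:
            win.popleft()  # drop requests older than the period
        if len(win) > REQUESTS and ev["ip"] not in tripped:
            tripped[ev["ip"]] = ev["ts"]
    return tripped

# Constructed sample events; field names are hypothetical, not a Cloudflare log schema.
def _ev(ts, ip, leaked, ids=(ATO_LOGIN_DETECTION_ID,)):
    return {"ts": ts, "ip": ip, "detection_ids": list(ids),
            "username_and_password_leaked": leaked}

SAMPLE_EVENTS = (
    [_ev(t, "198.51.100.7", True) for t in range(0, 60, 10)]       # 6 leaked logins in 50 s
    + [_ev(t, "203.0.113.9", False) for t in range(0, 60, 5)]      # busy, credentials not leaked
    + [_ev(t, "192.0.2.44", True) for t in range(0, 300, 30)]      # leaked, but only 2 per minute
    + [_ev(t, "192.0.2.80", True, ids=()) for t in range(0, 60, 5)]  # leaked, no ATO detection ID
)

if __name__ == "__main__":
    for ip, ts in ips_exceeding_rate(SAMPLE_EVENTS).items():
        print(f"{ip} exceeds {REQUESTS} matching requests per {PERIOD_SECONDS}s at t={ts}s")
```

Only the first sample client trips the limit: high-volume logins without leaked credentials, slow leaked-credential attempts, and requests lacking the detection ID are all left alone, which shows how narrowly the rule is scoped.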

Challenge requests containing leaked credentials

Note: Access to the User and Password Leaked (cf.waf.credential_check.username_and_password_leaked) field requires a Pro plan or above.

Create a custom rule that challenges requests containing a previously leaked set of credentials (username and password).