Detection IDs
Detection IDs are static rules used to detect predictable bot behavior with no overlap with human traffic. Detection IDs cause a bot to receive a score source of heuristics with a score of 1. For example, a detection ID can identify if you sent your headers in a different order than what was expected of your browser.
If you are having an issue with one of our heuristics, detection IDs allow you to decide which heuristics to enforce on your zones using customer configurable heuristics. You can choose unique actions for different bots, detected through Cloudflare’s heuristics engine. You can block, allow, or serve alternate content to specific bots to meet the unique needs of your site’s traffic.
You can use cf.bot_management.detection_ids
fields in tools such as:
- Custom rules
- Advanced Rate Limiting
- Transform Rules
- Workers (as
request.cf.botManagement.detectionIds
)
Bot Detection IDs and tags are also available in Bot Analytics and Security Analytics.
Detection tags refer to the category associated with the detection ID at the time that Cloudflare has fingerprinted a bot. For example, if a detection tag is go
, this means that Cloudflare has observed traffic from that detection ID from a Go programming language bot.
You can create or edit their existing Logpush jobs to include the new Bot Detection IDs field which will provide an array of IDs for each request that has heuristics match on it. The BotDetectionIDs
field is available as part of the HTTP Requests dataset and you can add it to new or existing jobs via the Logpush API or on the Cloudflare dashboard. This is the primary method to discover Detection IDs.
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to Analytics & Logs > Logs.
- Select Add Logpush Job.
- Select HTTP Requests as the dataset.
- Select BotDetectionIDs under the General data field category.
- Select and enter the destination information.
- Prove the ownership.
- Select Save.
Update your logpush job by adding BotDetectionIDs
to the output_options:
parameters.
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to Security > Bots, apply filters and select Create custom rule to create a custom rule based on those filters.
- Alternatively, if you already created a custom rule, go to Security > WAF > Custom rules and edit the expression of an existing custom rule.
- Use the
cf.bot_management.detection_ids
field in the rule expression. - Select Save.
Using the detection IDs below, you can detect and mitigate account takeover attacks. You can monitor the number of login requests for a given software and network combination, as well as the percentage of login errors. When it reaches a suspicious level, you can prevent these attacks by using custom rules, rate limiting rules, and Workers.
Detection ID | Description |
---|---|
201326592 | Observes all login failures to the zone. |
201326593 | Observes all login traffic to the zone. |
Cloudflare's Managed Challenge can limit brute-force attacks on your login endpoints.
To access account takeover detections:
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to Security > WAF.
- Under Custom Rules, select Create rule.
- Fill out the form using Bot Detection IDs along with other necessary information.
- Select Save as draft to return to it later, or Deploy to deploy the rule.
Rate limiting rules can limit the number of logins from a particular IP, JA4 Fingerprint, or country.
To use rate limiting rules with account takeover detections:
- Log in to the Cloudflare dashboard ↗ and select your account and domain.
- Go to *Security > WAF.
- Under Rate limiting rules, select Create rule.
- Fill out the form using the Custom expression builder and
cf.bot_management_detection_ids
along with other necessary information. - Select Save as draft to return to it later, or Deploy to deploy the rule.