This document explains how to use the Attacks and Investigations feature to identify and investigate security threats such as credential stuffing.
reCAPTCHA detects attacks and displays them on the Attacks page in the Google Cloud console. You can view a list of potential attacks and drill down into investigation details to understand the scope and impact of an attack.
Overview
The Attacks and Investigations feature helps you identify attacks targeting your sites. reCAPTCHA analyzes your traffic to identify patterns of abuse. reCAPTCHA detects abnormal behavior and flags it as a potential attack.
Supported attack types
Attacks are categorized by type. Understanding the attack type can help you tailor your investigation. The following attack types are supported:
- Credential Stuffing: This type of attack uses lists of stolen usernames and passwords to attempt to gain unauthorized access to user accounts.
View and investigate attacks
To view a list of detected attacks, go to the Attacks page in the Google Cloud console.
The Attacks page lists detected attacks along with key information to help you identify and prioritize threats. Clicking on an attack opens the Attack details page, which provides a comprehensive investigation view.
To understand an attack's scope, start by assessing its impact. The information in the Attack details page helps you understand the scale of the incident so you can prioritize which investigations require immediate attention.
Analyze traffic patterns
Use the event timeline to help you visualize the attack lifecycle. Look for spikes in Fraudulent activity to identify when the attack was most aggressive. If available, review Potentially Legitimate events. These requests appear legitimate but share patterns with the detected attack, which can indicate sophisticated bot behavior or a compromised network.
Identify and block threats
To stop the attack and prevent future ones, you need to identify its characteristics and origin. The detailed event list lets you inspect individual requests for commonalities. Look for patterns in the following data within the events:
- Site reported user IP: Check if attacks are originating from a specific subnet.
- Site reported user agent: Identify specific browser versions or bot signatures.
- Account defense label: Look for signs of suspicious login activity or account takeovers.
- Score: Review how reCAPTCHA is scoring these specific requests.
Use these insights to configure your firewall rules or adjust your reCAPTCHA security policies.
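One way to look for the subnet and user-agent commonalities described above, as an added example that is not part of the original page or of reCAPTCHA. It assumes you have transcribed the event fields into Python dictionaries; the field names (`ip`, `user_agent`, `score`), the thresholds and the sample records are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample events. Field names are assumptions for this example,
# not a reCAPTCHA export schema; addresses are documentation ranges.
EVENTS = [
    {"ip": "203.0.113.10", "user_agent": "ExampleBot/1.0", "score": 0.1},
    {"ip": "203.0.113.77", "user_agent": "ExampleBot/1.0", "score": 0.2},
    {"ip": "203.0.113.200", "user_agent": "ExampleBot/1.0", "score": 0.1},
    {"ip": "198.51.100.5", "user_agent": "Mozilla/5.0 (constructed)", "score": 0.9},
    {"ip": "2001:db8:1:2::a", "user_agent": "ExampleBot/1.0", "score": 0.3},
    {"ip": "2001:db8:1:2::b", "user_agent": "ExampleBot/1.0", "score": 0.2},
    {"ip": "not-an-ip", "user_agent": "", "score": 0.1},
]

def subnet_of(ip_text, v4_prefix=24, v6_prefix=64):
    """Return the enclosing network for an address, or None if it does not parse."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def summarize(events, low_score=0.3, low_share=0.8, min_events=2):
    """Group events by subnet and report subnets dominated by low-score requests."""
    by_net, skipped = defaultdict(list), 0
    for ev in events:
        net = subnet_of(ev.get("ip", ""))
        if net is None:
            skipped += 1  # malformed address: count it, do not guess a subnet
            continue
        by_net[net].append(ev)
    findings = []
    for net, evs in by_net.items():
        low = sum(1 for e in evs if e["score"] <= low_score)
        if len(evs) >= min_events and low / len(evs) >= low_share:
            agents = Counter(e["user_agent"] for e in evs)
            findings.append({"subnet": str(net), "events": len(evs),
                             "top_user_agent": agents.most_common(1)[0][0]})
    findings.sort(key=lambda f: f["events"], reverse=True)
    return findings, skipped

if __name__ == "__main__":
    for finding in summarize(EVENTS)[0]:
        print(finding)
```

Review the flagged subnets against known legitimate traffic sources, such as shared corporate or carrier NAT ranges, before turning them into firewall rules.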
Manage investigation status
You can track the progress of your investigations by updating the status. To change the status, click Set status on the Attack details page and select the appropriate status:
- New: The default status for a newly detected attack.
- Active: Indicates that the investigation is in progress.
- Closed: Indicates that you finished investigating the attack. If new suspicious events are detected later, the status automatically changes from Closed to Active.
What's next
- Learn about the user accounts protection features of reCAPTCHA.