[Use Cases] Replace unverified user_agent expressions with source-verified fields (cf.client.bot, method, path)

codyanthony850 · codyanthony850 · commit d977bab3b7fd · 2026-04-09T16:53:14.000-05:00
diff --git a/src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx b/src/content/docs/use-cases/application-security/bots/stop-malicious-bots.mdx
@@ -217,7 +217,7 @@ This ensures verified bots (search engine crawlers, monitoring services) bypass
 
 1. Select **Create rule**.
 2. Enter a descriptive name in **Rule name**.
-3. Under **When incoming requests match**, select **Edit expression** and enter: `(http.request.uri.path eq "/login" and http.user_agent eq "")`
+3. Under **When incoming requests match**, select **Edit expression** and enter: `(http.request.uri.path eq "/login" and http.request.method eq "POST")`
 4. Under **Then take action**, select _Managed Challenge_ from the **Choose action** dropdown.
 5. Under **Place at**, leave the **Select order** dropdown set to _Last_. This places the rule after the verified bot exception.
 6. Select **Deploy**.
@@ -317,15 +317,15 @@ For details on Skip action configuration, refer to [Configure a rule with the Sk
 
 **Scenario 2: Malicious traffic is still getting through.**
 
-You see bot activity in Security Events that your current rules do not catch. Bots that use real-looking headers or stay under rate limits can evade single-signal rules. Combining multiple signals in one rule narrows the target. For example, to challenge requests to `/login` that have both an empty user agent and a specific URI path:
+You see bot activity in Security Events that your current rules do not catch. Bots that stay under rate limits or evade single-signal rules require combining multiple signals. For example, to challenge POST requests to `/login` that are not from verified bots:
 
 1. Go to Application Security custom rules.
 2. Select **Create rule**.
 3. Enter a descriptive name.
 4. Under **When incoming requests match**, select **Edit expression** and enter:
 
    ```txt
-   (http.request.uri.path eq "/login" and http.user_agent eq "" and http.request.method eq "POST")
+   (http.request.uri.path eq "/login" and http.request.method eq "POST" and not cf.client.bot)
    ```
 
 5. Under **Then take action**, select _Managed Challenge_.
