Suspicious Activity Overview

Who can use this feature?
- Available with Enterprise and Advanced plans.
- Available for admins, architects, explorers, and standard users.

Early Access: Suspicious Activity detection is currently in Early Access. Some signals and behaviors may change before general availability. To request access or provide feedback, reach out to your Fullstory account team.

Fullstory automatically detects suspicious activity in your sessions—from injection attacks and credential abuse to bot automation and AI-driven traffic. These signals help your team identify potential threats, filter out non-human traffic, and focus on real user experiences.

Important: Fullstory is NOT stopping attacks on your site nor promising 100% identification of all suspicious activity. These signals are informational and should be used alongside your existing security and fraud prevention tools.

Finding Suspicious Activity in Fullstory

You can search for suspicious activity events using the following approaches:

  • Suspicious Activity [any]: Returns all sessions containing any suspicious activity signal. This is a very broad search, and we recommend looking at specific pages or URLs if using this method.
  • Suspicious Activity is [category]: Filter by a specific detection signal (e.g., SQL Injection, Headless Browser, AI Agent). Use the is or is not operators to include or exclude specific categories.
  • Suspicious Activity [any] when the Type is [type]: Filter by a specific detection type (e.g., AI, Automation, Content). Use the is or is not operators to include or exclude specific types.

Signal Types

Suspicious Activity signals are organized into five high-level types, each containing specific detection categories.

  • AI: AI-powered crawlers, assistants, autonomous agents, and AI vendor traffic. Categories: AI Crawler, AI Assistant, AI Agent, AI Vendor.
  • Content: Suspicious input patterns and form abuse. Categories: Credential Pair, Disposable Email, Multiple Emails.
  • Automation: Bot behavior and absence of human interaction. Categories: No Pointer Movement, No Pointer Curve, No User Activity, Full Page Resize, Headless Browser.
  • Network: Traffic from cloud infrastructure or privacy networks. Categories: Cloud Network, Consumer Private Network.
  • Security: Injection attacks targeting your application. Categories: SQL Injection, XSS Injection.

AI Signals

AI signals identify traffic from AI-powered crawlers, assistants, and agents by matching User-Agent strings and IP addresses against a registry of known bot signatures.

AI Crawler

Detects AI crawler bots that collect training data or index web content. Examples include GPTBot and OAI-SearchBot (OpenAI), ClaudeBot (Anthropic), Google-Extended (Google), Bytespider (ByteDance), DeepSeekBot (DeepSeek), and PerplexityBot (Perplexity AI).

AI Assistant

Detects AI assistants that browse the web on behalf of a user during a chat session. Examples include ChatGPT-User (OpenAI), Claude-User (Anthropic), Gemini-Deep-Research (Google), Perplexity-User (Perplexity AI), and DuckAssistBot (DuckDuckGo).

AI Agent

Detects autonomous AI agents that browse websites, fill forms, and complete tasks without direct human control. Examples include AmazonBuyForMe and NovaAct (Amazon), Claude-Web (Anthropic), GoogleAgent-Mariner (Google), and Manus-User (Manus AI).

AI Vendor

Detects traffic originating from known AI vendor IP address ranges. Unlike the AI Crawler, AI Assistant, and AI Agent signals—which identify specific bots by User-Agent string—this signal works at the network level, matching the session's IP address against published IP ranges for OpenAI, Google, Microsoft, Perplexity AI, and Apple. It fires once per session on the first page navigation and can co-occur with other AI signals on the same session.

This signal requires that the Discard user IP addresses setting is off. Like the Cloud Network signal, it may fire in legitimate scenarios—for example, if a user accesses your site through an AI company's infrastructure as part of normal browsing.

Automation Signals

Automation signals identify potential bot behavior by analyzing session data like pointer movement and browser environments, flagging irregularities that are difficult to detect with standard search criteria.

No Pointer Movement

Detects sessions where no mouse movement occurs throughout a page visit, despite other interactions (clicks, form input, etc.) being present. Automated scripts and bots typically perform actions without moving a pointer. Only fires on pages visited for at least 5 seconds to avoid false positives on quick bounces. While touch events on mobile and tablet devices do register as pointer movement, this signal is primarily relevant for desktop sessions.

No Pointer Curve

Detects sessions where mouse movement exists but consists only of straight-line, point-to-point jumps with no natural curved motion. Humans move mice in smooth arcs; bots and automation tools may move the cursor directly between coordinates. This signal is desktop only; mobile and tablet devices do not generate curve data and are excluded from this detection. Similar to No Pointer Movement, user interactions must also be present on the page to avoid firing on completely idle sessions.

No User Activity

Detects page visits with no user interaction—no clicks, form changes, or other user-initiated events. This typically indicates crawlers or bots that load a page, read content, and leave without interacting. The signal only fires on pages visited for at least 2 seconds to filter out redirects and very brief navigations.

Full Page Resize

Detects when the browser viewport is resized to match the full document height—a technique commonly used by bots and scraping tools to capture full-page screenshots. The detector looks for dramatic viewport growth (at least 3x the previous size) that closely matches the document dimensions. Very tall, narrow aspect ratios (height-to-width ratio above 3:1) are treated as suspicious even without a prior viewport size.

Headless Browser

Detects headless browser environments through three independent indicators:

  1. Zero screen or viewport dimensions (0x0 pixels)—characteristic of headless mode.
  2. "Headless" keyword in User-Agent—many headless browsers self-identify (e.g., "HeadlessChrome").
  3. Known automation tool signatures—matches against recognized tools including PhantomJS, Puppeteer, Selenium, Playwright, Cypress, and others.

The signal fires when one or more of these indicators are present. This signal is web only and does not apply to mobile app sessions.
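The Full Page Resize and Headless Browser rules above, as an added example written for this article rather than Fullstory's own detector. It evaluates plain objects instead of a live window; the 3x growth, 3:1 ratio, "Headless" token and tool names are the article's, while the 5% document-match tolerance, area-based growth and the global-variable signatures are assumptions made here.

```javascript
// Added example, not Fullstory's code: the Full Page Resize and Headless
// Browser heuristics described in this article, written over plain objects so
// they run outside a browser. The 3x growth, 3:1 ratio, "Headless" token and
// tool names are from the article; the 5% document-match tolerance, area-based
// growth and the global-variable signatures are assumptions for illustration.
const TOOL_SIGNATURES = [
  { tool: "PhantomJS",  ua: "phantomjs",  global: "callPhantom" },
  { tool: "Selenium",   ua: "selenium",   global: "__selenium_evaluate" },
  { tool: "Cypress",    ua: "cypress",    global: "Cypress" },
  { tool: "Puppeteer",  ua: "puppeteer",  global: null },
  { tool: "Playwright", ua: "playwright", global: null },
];

// prev, viewport and doc are {width, height}; prev is null before any measurement.
function fullPageResize(prev, viewport, doc) {
  const tallNarrow = viewport.width > 0 && viewport.height / viewport.width > 3;
  if (!prev) return tallNarrow;            // no baseline: only the aspect-ratio rule applies
  const area = (d) => d.width * d.height;
  const grewThreeX = area(viewport) >= 3 * area(prev);
  const close = (a, b) => Math.abs(a - b) <= 0.05 * b;
  const matchesDoc = close(viewport.width, doc.width) && close(viewport.height, doc.height);
  return (grewThreeX && matchesDoc) || tallNarrow;
}

// env: { screen, viewport, userAgent, globals }; globals is a Set of window
// property names supplied by the caller instead of read from a real window.
function headlessIndicators(env) {
  const hits = [];
  const zero = (d) => !d || d.width === 0 || d.height === 0;
  if (zero(env.screen) || zero(env.viewport)) hits.push("zero-dimensions");
  const ua = (env.userAgent || "").toLowerCase();
  if (ua.includes("headless")) hits.push("headless-ua");
  for (const sig of TOOL_SIGNATURES) {
    if (ua.includes(sig.ua) || (sig.global && env.globals.has(sig.global))) {
      hits.push("tool:" + sig.tool);
    }
  }
  return hits;                             // the signal fires when this is non-empty
}

// Constructed sample: a screenshot bot with a 0x0 screen and a headless UA.
const sample = {
  screen: { width: 0, height: 0 }, viewport: { width: 1280, height: 720 },
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0 Safari/537.36",
  globals: new Set(),
};
console.log(headlessIndicators(sample));   // [ 'zero-dimensions', 'headless-ua' ]
```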

Content Signals

Content signals analyze form input patterns and data entry behaviors to detect suspicious intent, such as credential stuffing or the use of disposable email addresses.

Credential Pair

Detects credential stuffing patterns where an email and password are pasted together into a single input field. Fullstory looks for email:password formatted text (e.g., user@example.com:secretpass) entered via form fields—a common pattern when attackers use stolen credential lists. The password portion must be at least 4 characters long to reduce false positives from incidental colon usage.

Disposable Email

Detects email addresses entered in form fields that belong to known disposable or temporary email services (e.g., Mailinator, Guerrilla Mail, Tempmail). Fullstory maintains a blocklist sourced from community-maintained disposable email domain databases.

This signal is commonly associated with fake account creation, trial abuse, or fraudulent signups. Popular email providers (Gmail, Yahoo, Outlook, Hotmail, iCloud, etc.) are explicitly excluded. If a user corrects a typo from a disposable domain to a legitimate domain (e.g., typing "gmai.com" then correcting to "gmail.com"), the signal is suppressed.

Multiple Emails

Detects sessions where multiple distinct email addresses are entered and submitted through forms, which may indicate credential stuffing or account enumeration. The signal fires when 2 or more distinct emails are submitted on the same page. When all emails share the same domain (common on shared or kiosk computers), the threshold is raised to 5 distinct emails before flagging. Minor typo corrections (e.g., fixing a misspelled email) are deduplicated and do not count as separate entries.
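The Credential Pair and Multiple Emails rules from this section, as an added example that is not Fullstory's implementation. The 4-character password minimum and the 2 / 5 email thresholds are the article's; treating an email with the same local part and a domain within edit distance 2 of an earlier one as a typo correction is an assumption made here.

```javascript
// Added example, not Fullstory's code: the Credential Pair and Multiple
// Emails rules from this article over constructed form submissions. The
// 4-character password minimum and the 2 / 5 email thresholds are the
// article's; merging an email with an earlier one that has the same local
// part and a domain within edit distance 2 ("gmai.com" vs "gmail.com") is
// this example's reading of "typo corrections are deduplicated".
const EMAIL = "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}";
const CREDENTIAL_PAIR = new RegExp("^" + EMAIL + ":(.{4,})$");
const EMAIL_ONLY = new RegExp("^" + EMAIL + "$");

// One field value of the form email:password with a password of 4+ characters.
function isCredentialPair(value) {
  return CREDENTIAL_PAIR.test(value.trim());
}

// Levenshtein distance, used only to recognise domain typos.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return d[a.length][b.length];
}

// submitted: email strings in the order they were submitted on one page.
function multipleEmails(submitted) {
  const distinct = [];
  for (const raw of submitted) {
    const v = raw.trim().toLowerCase();
    if (!EMAIL_ONLY.test(v)) continue;
    const [local, domain] = v.split("@");
    const typoOf = distinct.findIndex((d) =>
      d.startsWith(local + "@") && editDistance(d.split("@")[1], domain) <= 2);
    if (typoOf === -1) distinct.push(v); else distinct[typoOf] = v; // keep corrected form
  }
  const domains = new Set(distinct.map((m) => m.split("@")[1]));
  const threshold = domains.size === 1 ? 5 : 2;   // shared or kiosk machines get a higher bar
  return { count: distinct.length, threshold, fires: distinct.length >= threshold };
}

console.log(isCredentialPair("user@example.com:secretpass"));                  // true
console.log(multipleEmails(["a@one.test", "a@one.tset", "b@two.test"]).fires); // true
```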

Network Signals

Network signals identify session origins by analyzing IP addresses to detect traffic from cloud infrastructure or privacy networks.

Cloud Network

Detects page requests originating from known cloud provider IP address ranges. Legitimate user traffic usually has residential origins rather than cloud data centers—this pattern typically indicates bot infrastructure, scraping operations, or automated testing.

Detected cloud providers include:

  • Google Cloud Platform (GCP)
  • Amazon Web Services (AWS)
  • Microsoft Azure
  • Oracle Cloud
  • IBM Cloud
  • DigitalOcean

This signal fires once per session on the entry page only. It relies on IP-based classification, and the Discard user IP addresses setting must be off.
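The network-level matching behind the Cloud Network signal here and the AI Vendor signal above, as an added example that is not Fullstory's code. It checks an IPv4 session address against CIDR ranges and fires once per session on the entry page only; the ranges and provider names are constructed placeholders, and the `discardIp` flag stands in for the Discard user IP addresses setting.

```javascript
// Added example, not Fullstory's code: IPv4 CIDR matching for the Cloud
// Network and AI Vendor signals, which compare the session's IP address against
// published provider ranges and fire once per session on the entry page.
// The ranges below are constructed placeholders, not real provider allocations.
const RANGES = [
  { signal: "Cloud Network", provider: "PLACEHOLDER-CLOUD", cidr: "203.0.113.0/24" },
  { signal: "AI Vendor",     provider: "PLACEHOLDER-AI",    cidr: "198.51.100.0/25" },
];

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("invalid IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// session.pages: [{ url, ip }] in visit order. Only the entry page is
// classified, so later pages never produce a second signal; discardIp models
// the Discard user IP addresses setting, under which no IP-based signal can fire.
function networkSignals(session, discardIp) {
  if (discardIp || session.pages.length === 0) return [];
  const entry = session.pages[0];
  return RANGES.filter((r) => inCidr(entry.ip, r.cidr))
               .map((r) => ({ signal: r.signal, provider: r.provider, url: entry.url }));
}

// Constructed sample session: entry page from the placeholder cloud range.
const cloudSession = { pages: [{ url: "/", ip: "203.0.113.7" }, { url: "/pricing", ip: "203.0.113.7" }] };
console.log(networkSignals(cloudSession, false)); // one Cloud Network signal, on "/"
```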

Consumer Private Network

Detects page requests originating from consumer privacy-preserving network services, such as Apple Private Relay. While not inherently malicious, traffic from these services obscures the visitor's true IP address, which may be relevant when investigating other suspicious signals.

This signal fires once per session on the entry page only. Consumer privacy networks are used by legitimate users for privacy, so this signal should be interpreted in context with other indicators.

Security Signals

Security signals identify malicious input patterns and potential vulnerabilities within your forms and URLs. Fullstory uses pattern matching to detect common injection attack vectors, such as SQL or XSS, that may be used to compromise your application.

SQL Injection

Detects SQL injection attempts in form inputs and URLs. Fullstory uses pattern matching to identify common SQL attack syntax—such as UNION SELECT, OR 1=1, and comment-based injection—entered into text fields or appended to page URLs.

SQL injection is a well-documented attack vector where malicious input can read sensitive data from a database, modify data, or execute administrative operations. For more information, see the OWASP SQL Injection page.

XSS Injection

Detects cross-site scripting (XSS) attempts in form inputs and URLs. Fullstory identifies patterns such as <script> tags, JavaScript event handlers, and javascript: protocol URLs entered into text fields or embedded in navigation URLs.

XSS attacks inject malicious scripts that execute in other users' browsers, potentially accessing cookies, tokens, or other sensitive information. For more information, see the OWASP XSS page.

Frequently Asked Questions

Why am I not seeing any suspicious activity results?

This is likely a good sign—it means Fullstory has not detected any of these patterns in your sessions. It does not guarantee the absence of all suspicious activity, only that none of the monitored patterns were observed. Content signals may rely on text that is masked, which limits what they can detect. Similarly, if user IP addresses are discarded, Network signals cannot fire at all.

Why am I seeing false positives?

Some signals may fire in expected scenarios:

  • SQL/XSS Injection: On sites that accept code input (code editors, CMS platforms).
  • Disposable Email: If your user base commonly uses temporary email services.
  • Cloud Network: If your users access your site from cloud-hosted virtual desktops.
  • No Pointer Movement / No Pointer Curve: For users who navigate primarily via keyboard.
  • AI Assistant: For users who access your site through AI-powered browsing tools as part of their normal workflow.

Use signal combinations and limit results to specific pages, selectors, and elements to distinguish genuine threats from benign activity. If a signal is overly noisy, consider combining it with other signals to narrow your results.

Can I use these signals to block users?

Fullstory's suspicious activity detection is observational—it surfaces sessions for review but does not block or intercept traffic. These signals are designed to inform your security and product teams, not to serve as an active defense layer.

Can I use these signals to limit capture of bot sessions?

Yes, and we recommend creating specific combinations of signals in a segment and verifying before blocking such traffic. While the Full Page Resize signal is highly indicative of a bot, the No Pointer Movement signal may occur legitimately within a user's session. Once a segment is created, you can create a metric for these user sessions to group by IP address or User-Agent. Either can be used to block session capture. See ways to block data capture.

Do Suspicious Activity events export to Anywhere: Warehouse?

At this time, Suspicious Activity events export as Raw Data, but not in Ready to Analyze Views. Ready to Analyze Views have a legacy fs_suspicious_kind field that covers only the SQL Injection and XSS Injection signals.
