A bot score is not enough for incident review.
Preserve the reason
Logs should show which signals contributed to the decision, which control fired, and what happened afterward.
Join across systems
Bot investigations usually cross CDN, application, identity, and support systems. Shared identifiers make that possible.
Review false positives
SOC workflows should include reversals, complaints, and business impact, not only confirmed abuse.