I keep the Security Level settings set to the Medium.
Using my Custom WAF Rule, I adjusted and tuned my settings even more to fulfill my needs of blocking more things out there on the Internet.
Simply setting the security level to “Medium” won’t directly achieve this. You can use Custom WAF Rules to specifically challenge or block requests based on various criteria, including IP reputation.
Furthermore, if interested, Cloudflare offers a feature which is available on Enterprise plans, which analyzes and assigns a risk score to an IP address based on various factors such as historical behavior, patterns, etc. If an IP reaches a certain risk score threshold, it may be flagged as suspicious or malicious.
Nevertheless, if you are using Cloudflare’s Bot Management feature, Super Bot Fight Mode is available at least on a Pro plan type, while higher-tier plans typically Enterprise, Cloudflare will automatically detect bots and assign risk scores to incoming IPs based on their behavior. You can then use Cloudflare’s Custom WAF Rules to block or challenge IPs with high bot scores.
Another option is to use Rate Limiting feature in Cloudflare, which can challenge or block traffic from IPs that exceed a certain threshold of requests in a specified time period as it can help to mitigate aggressive traffic patterns.
To conclude, without knowing your goal, the best case is to combine all the available Security options for your case and adjust them per need.