Trigger, pattern and rule configuration

This article guides you through the configuration of two triggers with patterns that are known to work well for most initial Airlock Anomaly Shield configurations and that reliably detect anomalous traffic created by unwanted bots. The triggers are subsequently assigned to two rules.

Procedure-related prerequisites

  • An Anomaly Shield application must be configured and trained.

Triggers configuration

In the following, we create two Anomaly Shield triggers with patterns:
  • A trigger that matches when all 4 primary indicators (Graph Metrics Cluster, Isolation Forest, Status Code Meta, and Timing Cluster) report an anomaly. Malicious sessions activate this trigger.
  • A trigger that matches when 3 of the 4 primary indicators report an anomalous session. Suspicious sessions activate this trigger.

In combination with anomaly indicator patterns and/or a minimum number of anomaly indicator bits (minimal bit count), triggers define the anomaly level at which the Anomaly Shield reacts. Anomaly Shield rules define the action that is taken when an anomalous session has activated a trigger.

  1. Go to:
    Application Firewall >> Anomaly Shield Triggers & Rules
  2. Click the + button to add a new Anomaly Shield Trigger.
  3. The Anomaly Shield Trigger detail page opens up.
  4. Configure the first trigger with a minimal bit count of 4.
    • The Minimal Bit Count setting is a threshold that is evaluated on top of the anomaly indicator patterns. When patterns have been configured, a trigger is only activated if any of the configured indicator patterns match and the bit count threshold is reached.

  5. Click the + button to add new patterns and select the indicators as follows:
     (Screenshot: AAC Bitcount 4 initial trigger example)
  6. Back on the menu Anomaly Shield Triggers & Rules, add a second trigger with the following settings:
     (Screenshot: AAS trigger with Bitcount 3)
  7. The new triggers have to be referenced by Anomaly Shield rules. Proceed with the rules configuration.

About pattern indicators

From the six available indicators, we recommend using:
  • Graph Metrics Cluster
  • Isolation Forest
  • Status Code Meta
  • Timing Cluster

These indicators have proven to be very reliable in detecting anomalous traffic created by unwanted bots.

Each indicator can be configured by clicking on its dot. The following settings are available:

  • Grey dot (OFF) – the pattern will match either normal or anomalous behavior of this indicator.
  • Red dot – the pattern will match only if this indicator shows anomalous behavior.
  • Green dot (ON) – the pattern will match only if this indicator shows normal behavior.

Rules configuration

Rules define how the Anomaly Shield reacts when a trigger has been activated, e.g. marking a session as anomalous (soft action) or terminating it (hard action). In this article, we assign the previously created initial triggers to two rules.

  1. Go back to:
    Application Firewall >> Anomaly Shield Triggers & Rules
  2. In the section Rules, click the + button to add a new Anomaly Shield Rule.
  3. The Anomaly Shield Rule detail page opens up.
  4. In section Triggers, click the + button and select the trigger Malicous_Session from the drop-down list.
  5. In section Actions, select the type of actions as follows:
     (Screenshot: 7.8_Hard_Action AS Rule Example)
  6. Back on the menu Anomaly Shield Triggers & Rules, add a second rule with the following settings:
     (Screenshot: 7.8_Soft_Action AS Rule Example)
  7. Finish the configuration by adding the rules as Response Rules to your Anomaly Shield application, as described in Instruction part 3 – Configure the anomaly detection and response.
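The following is an added example (not Airlock code) that models how the triggers, patterns and rules described above combine: a pattern is a per-indicator dot setting, a trigger fires only when one of its patterns matches and the anomaly bit count reaches the minimal bit count, and rules map fired triggers to a hard or soft action. The indicator names of the four primary indicators are taken from the article; the names of the two remaining indicators, the trigger name Suspicious_Session, the exact pattern used for the 3-of-4 trigger, and the assumption that bits are counted over all six indicators are this example's own.

```python
# Added example modelling Anomaly Shield trigger/pattern/rule evaluation.
# Not Airlock code; see lead-in for which names and semantics are assumed.

PRIMARY = ["Graph Metrics Cluster", "Isolation Forest",
           "Status Code Meta", "Timing Cluster"]
OTHER = ["Other indicator A", "Other indicator B"]   # placeholder names

# Trigger definitions. A pattern maps indicator -> dot colour
# ('red' = must be anomalous, 'green' = must be normal, 'grey' = don't care).
TRIGGERS = {
    # All four primary indicators red, minimal bit count 4 (as in the article).
    "Malicous_Session": {"min_bit_count": 4,
                         "patterns": [{i: "red" for i in PRIMARY}]},
    # Assumed pattern: primaries grey, the other two green, bit count 3,
    # so the trigger fires when at least 3 of the 4 primaries are anomalous.
    "Suspicious_Session": {"min_bit_count": 3,
                           "patterns": [{**{i: "grey" for i in PRIMARY},
                                         **{i: "green" for i in OTHER}}]},
}
RULES = [{"trigger": "Malicous_Session", "action": "hard"},
         {"trigger": "Suspicious_Session", "action": "soft"}]


def pattern_matches(pattern, anomalous):
    """anomalous: set of indicators reporting an anomaly for this session."""
    for indicator, dot in pattern.items():
        if dot == "red" and indicator not in anomalous:
            return False
        if dot == "green" and indicator in anomalous:
            return False
    return True   # grey dots never constrain the match


def trigger_fires(trigger, anomalous):
    """Any pattern must match (if patterns exist) AND the bit count must be
    reached. Assumption: bit count = number of anomalous indicators overall."""
    patterns = trigger["patterns"]
    pattern_ok = not patterns or any(pattern_matches(p, anomalous) for p in patterns)
    return pattern_ok and len(anomalous) >= trigger["min_bit_count"]


def evaluate(anomalous, triggers=TRIGGERS, rules=RULES):
    """Return the sorted list of rule actions activated for one session."""
    fired = {name for name, t in triggers.items() if trigger_fires(t, anomalous)}
    return sorted({r["action"] for r in rules if r["trigger"] in fired})
```

Note that a session with only two primary indicators and both other indicators anomalous reaches a bit count of 4 but activates neither trigger, because the patterns, not just the bit count, decide.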