Part 3 – Trigger, pattern and rule configuration

This article guides you through the configuration of a set of two triggers with patterns that are known to work well for most initial Airlock Anomaly Shield configurations and that reliably detect anomalous traffic created by unwanted bots. The triggers are subsequently assigned to a set of two rules.

Triggers configuration

In the following, we create two Anomaly Shield triggers and patterns:

  • A trigger that matches when all 4 of the primary indicators Graph Metrics Cluster, Isolation Forest, Status Code Meta, and Timing Cluster report an anomalous session. This trigger is triggered by malicious sessions.
  • A trigger that matches when 3 of the 4 primary indicators report an anomalous session. This trigger is triggered by suspicious sessions.

In combination with anomaly indicator patterns and/or a minimum number of anomaly indicator bits (minimal bit count), triggers define at which anomaly level the Anomaly Shield will react. Anomaly Shield rules define the action that is taken when a trigger has been triggered by an anomalous session.

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Triggers
  2. Click the + button to add a new Anomaly Shield Trigger.
  3. The Anomaly Shield Trigger detail page opens up.
  4. Set the minimal bit count (the trigger threshold) to 4.
    • The Minimal Bit Count setting is a threshold that is evaluated on top of the anomaly indicator patterns. When patterns have been configured, a trigger is only activated if any of the configured indicator patterns match and the bit count threshold is reached.
  5. Click the + button to add new patterns and select the indicators as follows:
    (Screenshot: AAS trigger with bit count 4, initial trigger example)
  6. Back on tab Triggers & Rules, add a second trigger with the following settings:
    (Screenshot: AAS trigger with bit count 3)
  7. The new triggers have to be referenced by Anomaly Shield rules. Proceed with the rules configuration.

Rules configuration

Rules define how the Anomaly Shield reacts when a trigger has been activated, e.g. marking a session as anomalous (soft action) or even terminating it (hard action). In the course of this article, we will assign the two initial triggers created above.

  1. Go back to:
    Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Rules
  2. Click the + button to add a new Anomaly Shield Rule.
  3. The Anomaly Shield Rule detail page opens up.
  4. In section Triggers, click the + button and select the trigger Malicious_Session from the drop-down list.
  5. In section Actions, select the type of action as follows:
    (Screenshot: AAS rule with hard action)
  6. Back on tab Triggers & Rules, add a second rule with the following settings:
    (Screenshot: AAS rule with soft action)

About pattern indicators

From the six available indicators, we recommend using:

  • Graph Metrics Cluster
  • Isolation Forest
  • Status Code Meta
  • Timing Cluster

These indicators have proven to be very reliable in detecting anomalous traffic created by unwanted bots.

Each indicator can be configured by clicking on the dots – the following settings are available:

  • Grey dot (OFF) – the pattern will match either normal or anomalous behavior of this indicator.
  • Red dot – the pattern will match if this indicator shows anomalous behavior.
  • Green dot (ON) – the pattern will match if this indicator shows normal behavior.
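To make the trigger semantics concrete (a pattern of grey/red/green dots per indicator, evaluated together with the minimal bit count threshold, and a rule bound to each trigger), here is an added Python model of the evaluation; it is not Airlock code. The trigger name Suspicious_Session, the rule names, the absence of the two non-primary indicators, and the bit count being taken over all indicators in the session report are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
class Dot(Enum):          # the three per-indicator pattern states
    GREY = "off"          # match regardless of this indicator
    RED = "anomalous"     # match only if this indicator is anomalous
    GREEN = "normal"      # match only if this indicator is normal

PRIMARY = ("Graph Metrics Cluster", "Isolation Forest",
           "Status Code Meta", "Timing Cluster")

def pattern_matches(pattern: dict, session: dict) -> bool:
    """A pattern matches when every non-grey dot agrees with the session report."""
    for indicator, dot in pattern.items():
        anomalous = session.get(indicator, False)
        if dot is Dot.RED and not anomalous:
            return False
        if dot is Dot.GREEN and anomalous:
            return False
    return True

@dataclass
class Trigger:
    name: str
    min_bit_count: int
    patterns: list          # list of {indicator: Dot}; empty means no pattern filter

    def fires(self, session: dict) -> bool:
        # Assumption: the bit count is the number of anomalous indicators in the
        # whole session report, not only the indicators named in a pattern.
        if sum(session.values()) < self.min_bit_count:
            return False
        return not self.patterns or any(pattern_matches(p, session) for p in self.patterns)
@dataclass
class Rule:
    name: str
    trigger: Trigger
    action: str             # "hard" terminates the session, "soft" marks it

# The two triggers of this article: all four primary indicators red with minimal
# bit count 4, and any three of the four red with minimal bit count 3.
MALICIOUS = Trigger("Malicious_Session", 4, [{i: Dot.RED for i in PRIMARY}])
SUSPICIOUS = Trigger("Suspicious_Session", 3,
                     [{i: Dot.RED for i in three} for three in combinations(PRIMARY, 3)])
RULES = [Rule("Hard action", MALICIOUS, "hard"), Rule("Soft action", SUSPICIOUS, "soft")]

def evaluate(session: dict, rules=RULES) -> list:
    """Return (rule name, action) for every rule whose trigger fires on a session."""
    return [(r.name, r.action) for r in rules if r.trigger.fires(session)]
```

A session report with all four primary indicators anomalous fires both rules, because the 3-of-4 patterns leave the fourth indicator grey and therefore match as well; a report with only two anomalous indicators fires neither.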