This article guides you through the configuration of a set of triggers with patterns that are known to work well for most initial Airlock Anomaly Shield configurations. This configuration reliably detects anomalous traffic created by unwanted bots and requests with suspicious query parameters. The triggers are subsequently assigned to a set of rules.
Triggers configuration
- In the following, we create three Anomaly Shield triggers with patterns:
- A trigger that matches all 4 of the primary indicators Graph Metrics Cluster, Isolation Forest, Status Code Meta, and Timing Cluster. This trigger targets malicious sessions.
- A trigger that matches 3 of the 4 primary indicators. This trigger targets suspicious sessions.
- A trigger that matches 2 primary indicators plus Query Parameter. This trigger targets sessions with suspicious queries.
In combination with anomaly indicator patterns and/or a minimum number of anomaly indicator bits (Minimal Bit Count), triggers define at which anomaly level the Anomaly Shield reacts. Anomaly Shield rules define the actions taken when an anomalous session has activated a trigger.
- Go to:
Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Triggers
- Click the + button to add a new Anomaly Shield Trigger.
- The Anomaly Shield Trigger detail page opens up.
- Set Minimal Bit Count (the trigger threshold) to 4.
- Click the + button to add new patterns and select the indicators as follows:
- Back on tab Triggers & Rules, add the second trigger (for suspicious sessions, matching 3 of the 4 primary indicators) with the following settings:
- Back on tab Triggers & Rules, add the final trigger (for sessions with suspicious queries, matching 2 primary indicators plus Query Parameter) with the following settings:
- The new triggers have to be referenced by Anomaly Shield rules. Proceed with the rules configuration.
The Minimal Bit Count setting is a threshold that is evaluated on top of the anomaly indicator patterns. When patterns have been configured, a trigger is only activated if at least one of the configured indicator patterns matches and the bit count threshold is reached as well; a matching pattern alone is not sufficient.
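To make the trigger semantics described above concrete, the following Python model evaluates sessions against the three triggers of this article. It is an added illustration, not Airlock code: the indicator names and the dot semantics (grey = either, red = anomalous, green = normal) are taken from the article, while the exact pattern tables and the Minimal Bit Count of the second and third trigger are not reproduced on this page, so their encoding here (3-of-4 subsets with threshold 3, 2-of-4 plus Query Parameter with threshold 3), the trigger names Suspicious_Session and Suspicious_Query, the assumption that the bit count counts every anomalous indicator of the session, and the sample sessions are constructed assumptions.

```python
"""Model of Anomaly Shield trigger evaluation (added example, not Airlock code).

Assumptions (not taken from the page): the bit count is the number of indicators
the session flags as anomalous, the encodings of the second and third trigger,
the names Suspicious_Session and Suspicious_Query, and the sample sessions.
"""
from itertools import combinations

PRIMARY = ("Graph Metrics Cluster", "Isolation Forest", "Status Code Meta", "Timing Cluster")
ALL_INDICATORS = PRIMARY + ("Query Parameter",)

# Pattern cell values mirroring the dot colours in the UI.
GREY, RED, GREEN = "grey", "red", "green"  # grey = either, red = anomalous, green = normal


def pattern_matches(pattern, anomalous):
    """A pattern matches when every red indicator is anomalous in the session
    and every green indicator is normal; grey cells are ignored."""
    for indicator, colour in pattern.items():
        if colour == RED and indicator not in anomalous:
            return False
        if colour == GREEN and indicator in anomalous:
            return False
    return True


def trigger_fires(trigger, anomalous):
    """Trigger semantics from the article: with patterns configured, the trigger
    activates only if ANY pattern matches AND the number of anomalous indicator
    bits reaches the Minimal Bit Count. Without patterns the bit count alone
    decides (assumption)."""
    if len(anomalous) < trigger["min_bits"]:
        return False
    patterns = trigger["patterns"]
    if not patterns:
        return True
    return any(pattern_matches(p, anomalous) for p in patterns)


def n_of(indicators, n, always_red=()):
    """Build one pattern per n-subset of `indicators`: the subset and
    `always_red` are red, every other indicator is grey (wildcard)."""
    patterns = []
    for subset in combinations(indicators, n):
        red = set(subset) | set(always_red)
        patterns.append({i: (RED if i in red else GREY) for i in ALL_INDICATORS})
    return patterns


# First trigger as described in the article; the other two are assumed encodings.
TRIGGERS = {
    "Malicious_Session": {"min_bits": 4, "patterns": n_of(PRIMARY, 4)},
    "Suspicious_Session": {"min_bits": 3, "patterns": n_of(PRIMARY, 3)},
    "Suspicious_Query": {"min_bits": 3,
                         "patterns": n_of(PRIMARY, 2, always_red=("Query Parameter",))},
}


def evaluate(anomalous):
    """Names of all triggers activated by a session whose anomalous indicators
    are given as an iterable of indicator names."""
    bits = frozenset(anomalous)
    return [name for name, t in TRIGGERS.items() if trigger_fires(t, bits)]


if __name__ == "__main__":
    # Constructed sample sessions, not captured Airlock data.
    for session in (PRIMARY, ("Isolation Forest", "Timing Cluster", "Query Parameter"),
                    ("Isolation Forest", "Timing Cluster"), ALL_INDICATORS):
        print(sorted(session), "->", evaluate(session))
```

Running the model shows two points worth keeping in mind when designing the rules: a session with all four primary indicators anomalous activates both Malicious_Session and the 3-of-4 trigger, because grey cells are wildcards, so rules for overlapping triggers should be chosen so that the harder action wins; and a session with only two anomalous primary indicators activates nothing unless Query Parameter is anomalous too, since the bit count threshold and the pattern are checked together.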
Rules configuration
Rules define how the Anomaly Shield reacts when a trigger has been activated, e.g. by marking a session as anomalous (soft action) or even terminating it (hard action). In the following, we assign the previously created initial triggers to rules.
- Go back to:
Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Rules
- Click the + button to add a new Anomaly Shield Rule.
- The Anomaly Shield Rule detail page opens up.
- In section Triggers, click the + button and select the trigger Malicious_Session from the drop-down list.
- In section Actions, select the type of actions as follows:
- Back on tab Triggers & Rules, add a rule with the following settings:
- Back on tab Triggers & Rules, add the final rule with the following settings:
About pattern indicators
- From the available indicators, we recommend using:
- Graph Metrics Cluster
- Isolation Forest
- Status Code Meta
- Timing Cluster
- Query Parameter
These indicators have proven to be very reliable in detecting anomalous traffic created by unwanted bots.
Each indicator can be configured by clicking on the dots – the following settings are available:
Grey dot: the pattern matches either normal or anomalous behavior of this indicator (the indicator is ignored).
Red dot: the pattern matches only if this indicator shows anomalous behavior.
Green dot: the pattern matches only if this indicator shows normal behavior.