Part 3 – Trigger, pattern and rule configuration

This article guides you through the configuration of a set of triggers with patterns that are known to work well for most initial Airlock Anomaly Shield configurations. This configuration is known to reliably detect anomalous traffic created by unwanted bots and query parameters. The triggers are subsequently assigned to a set of rules.

Triggers configuration

In the following, we create three Anomaly Shield triggers with patterns:

  1. A trigger that matches all 4 of the primary indicators Graph Metrics Cluster, Isolation Forest, Status Code Meta, and Timing Cluster. This trigger aims at malicious sessions.
  2. A trigger that matches 3 of the 4 primary indicators. This trigger aims at suspicious sessions.
  3. A trigger that matches 2 primary indicators plus Query Parameters. This trigger aims at sessions with suspicious queries.

In combination with anomaly indicator patterns and/or a minimum number of anomaly indicator bits (minimal bit count), triggers define at which anomaly level the Anomaly Shield will react. Anomaly Shield rules define the actions taken when an anomalous session has activated a trigger.

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Triggers
  2. Click the + button to add a new Anomaly Shield Trigger.
  3. The Anomaly Shield Trigger detail page opens up.
  4. Set the minimal bit count as the trigger threshold to 4.
    • The Minimal Bit Count setting is a threshold that is evaluated on top of the anomaly indicator patterns. When patterns have been configured, a trigger is only activated if any of the configured indicator patterns matches and the bit count threshold is reached.

  5. Click the + button to add new patterns and select the indicators as follows:
    [Screenshot: AAS trigger with bit count 4 (initial trigger example)]
  6. Back on tab Triggers & Rules, add a trigger with the following settings:
    [Screenshot: AAS trigger Suspicious Query]
  7. Back on tab Triggers & Rules, add the final trigger with the following settings:
    [Screenshot: AAS trigger with bit count 3]
  8. The new triggers have to be referenced by Anomaly Shield rules. Proceed with the rules configuration.

Rules configuration

Rules define how the Anomaly Shield reacts when a trigger has been activated, e.g. marking a session as anomalous (soft action) or even terminating it (hard action). In the course of this article, we will assign the previously created initial triggers.

  1. Go back to:
    Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Rules
  2. Click the + button to add a new Anomaly Shield Rule.
  3. The Anomaly Shield Rule detail page opens up.
  4. In section Triggers, click the + button and select the trigger Malicious_Session from the drop-down list.
  5. In section Actions, select the type of actions as follows:
    [Screenshot: AAS rule with hard action]
  6. Back on tab Triggers & Rules, add a rule with the following settings:
    [Screenshot: AAS rule Suspicious Query action]
  7. Back on tab Triggers & Rules, add the final rule with the following settings:
    [Screenshot: AAS rule with soft action]

About pattern indicators

From the available indicators, we recommend using:

  • Graph Metrics Cluster
  • Isolation Forest
  • Status Code Meta
  • Timing Cluster
  • Query Parameter

These indicators have proven to be very reliable in detecting anomalous traffic created by unwanted bots.

Each indicator can be configured by clicking on the dots. The following settings are available:

  • Grey dot (OFF) – the pattern will match either normal or anomalous behavior of this indicator.
  • Red dot – the pattern will match if this indicator shows anomalous behavior.
  • Green dot (ON) – the pattern will match if this indicator shows normal behavior.
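To make the interplay of indicator patterns, the minimal bit count and the rule actions concrete, here is an added Python model of the trigger and rule evaluation described in this article; it is not Airlock's code. Apart from Malicious_Session, the trigger names, the exact pattern sets and the Suspicious_Query settings (bit count 3, soft action) are assumptions.

```python
# Illustrative model of Anomaly Shield trigger/rule evaluation (not Airlock's code).
# Assumed: trigger names other than Malicious_Session, the 3-of-4 and 2-plus-query
# pattern sets, and the Suspicious_Query settings (bit count 3, soft action).
from dataclasses import dataclass
from itertools import combinations

PRIMARY = ("Graph Metrics Cluster", "Isolation Forest",
           "Status Code Meta", "Timing Cluster")
QUERY = "Query Parameters"

def pattern_matches(pattern, anomalous):
    """red: indicator must be anomalous; green: must be normal; grey: either."""
    for indicator, state in pattern.items():
        if state == "red" and indicator not in anomalous:
            return False
        if state == "green" and indicator in anomalous:
            return False
    return True

@dataclass
class Trigger:
    name: str
    min_bit_count: int   # threshold evaluated on top of the patterns
    patterns: list       # each pattern maps indicator -> "red" | "green" | "grey"

    def fires(self, anomalous):
        # Bit count = number of indicators flagged anomalous for the session.
        if len(anomalous) < self.min_bit_count:
            return False
        # Without patterns the bit count alone decides; otherwise any pattern must match.
        return not self.patterns or any(
            pattern_matches(p, anomalous) for p in self.patterns)

def red(*indicators):
    return {i: "red" for i in indicators}   # listed indicators red, all others grey

# The three initial triggers described in the article.
MALICIOUS = Trigger("Malicious_Session", 4, [red(*PRIMARY)])
SUSPICIOUS = Trigger("Suspicious_Session", 3,
                     [red(*c) for c in combinations(PRIMARY, 3)])
SUSPICIOUS_QUERY = Trigger("Suspicious_Query", 3,
                           [red(*c, QUERY) for c in combinations(PRIMARY, 2)])

# Rules: hard = terminate the session, soft = mark it as anomalous.
RULES = [(MALICIOUS, "hard"), (SUSPICIOUS, "soft"), (SUSPICIOUS_QUERY, "soft")]

def evaluate(anomalous, rules=RULES):
    """Return {trigger name: action} for every rule whose trigger fires."""
    anomalous = frozenset(anomalous)
    return {t.name: action for t, action in rules if t.fires(anomalous)}
```

A session with all four primary indicators anomalous fires both the hard Malicious_Session rule and the soft Suspicious_Session rule, while two primary indicators plus Query Parameters fire only Suspicious_Query.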