Part 3 – Trigger, pattern and rule configuration

Airlock Anomaly Shield is preconfigured with a set of default trigger patterns and rules that are known to work well for most security requirements. This configuration is known to reliably detect anomalous traffic created by unwanted bots and malicious sessions. The triggers are subsequently assigned to a set of rules.

Custom trigger configuration

Custom triggers and rules may be configured to analyze traffic proactively.

In the following, we show a useful but optional configuration targeting suspicious sessions. Here, we use an Anomaly Shield trigger to match the four primary indicators Graph Metrics Cluster, Isolation Forest, Status Code Meta, and Timing Cluster.

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Triggers
  2. In section Custom Trigger, click the + button to add a new Anomaly Shield Trigger.
  3. The Anomaly Shield Trigger detail page opens up.
  4. Click the + button to create a new trigger Custom_Suspicious_Session, and add new patterns with the following indicators:
    (Screenshot: AAS trigger with Bitcount 3)
  5. The new trigger has to be referenced by an Anomaly Shield rule. Proceed with the rules configuration.

If any trigger relies on the Client Behavior model, Airlock Anomaly Shield expects JavaScript injection to be configured in section Anomaly Detection mode.
Otherwise, the following validation error occurs:

(Screenshot: AAS validation error with missing Client Behavior script)

Custom rules configuration

Rules define how the Anomaly Shield reacts when a trigger has been activated, e.g., marking a session as anomalous (soft action) or terminating it (hard action). In the course of this article, we will assign the previously created custom trigger for suspicious sessions to a custom rule with a soft action configuration.

  1. Go back to:
    Application Firewall >> Anomaly Shield >> tab Triggers & Rules >> section Rules
  2. Click the + button to add a new Anomaly Shield Rule.
  3. The Anomaly Shield Rule detail page opens up.
  4. In section Triggers, click the + button and select the trigger Custom_Suspicious_Session from the drop-down list.
  5. In section Actions, select the type of actions as follows:
    (Screenshot: AAS Rule soft action)
  6. Activate the configuration.
  7. Based on our custom rule, sessions detected as suspicious will be handled according to the configured Actions on IP Aggregates and Actions on Sessions.

About pattern indicators

From the available indicators, we recommend using:

  • Graph Metrics Cluster
  • Isolation Forest
  • Status Code Meta
  • Timing Cluster
  • Query Parameter
  • Client Behavior (already covered by the default Malicious bot rule)

These indicators have proven very reliable in detecting anomalous traffic created by unwanted bots.

Each indicator can be configured by clicking on the dots – the following settings are available:

  • Grey dot (OFF) – neutral, will match any behavior of this indicator.
  • Red dot – matches if this indicator shows anomalous behavior.
  • Green dot (ON) – matches if this indicator shows normal behavior.
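As an added illustration (not Airlock's own code or configuration format), the following Python model captures the grey/red/green pattern semantics above together with the custom trigger and soft-action rule built in this article. The "Bitcount 3" in the screenshot caption is assumed here to mean that at least three of the four patterns must match before the trigger fires; that reading, the `min_matches` field and the treatment of missing indicator results are assumptions, not documented product behaviour.

```python
from dataclasses import dataclass
from enum import Enum

class Pattern(Enum):
    GREY = "neutral"     # OFF: matches any behaviour of the indicator
    RED = "anomalous"    # matches only if the indicator is anomalous
    GREEN = "normal"     # ON: matches only if the indicator is normal

def pattern_matches(pattern: Pattern, anomalous: bool) -> bool:
    """True if the pattern accepts an indicator result (anomalous=True/False)."""
    if pattern is Pattern.GREY:
        return True
    return anomalous if pattern is Pattern.RED else not anomalous

@dataclass
class Trigger:
    name: str
    patterns: dict       # indicator name -> Pattern
    min_matches: int     # ASSUMPTION: "Bitcount" = number of patterns that must match

    def fires(self, indicators: dict) -> bool:
        # An indicator without a result is treated as normal (assumption).
        hits = sum(pattern_matches(p, indicators.get(name, False))
                   for name, p in self.patterns.items())
        return hits >= self.min_matches

@dataclass
class Rule:
    trigger: Trigger
    session_action: str  # "mark" (soft action) or "terminate" (hard action)

def evaluate(rules: list, indicators: dict) -> list:
    """Session actions of every rule whose trigger fires for this session."""
    return [r.session_action for r in rules if r.trigger.fires(indicators)]

# The trigger and rule built in this article, as modelled here.
CUSTOM_SUSPICIOUS_SESSION = Trigger(
    "Custom_Suspicious_Session",
    {"Graph Metrics Cluster": Pattern.RED, "Isolation Forest": Pattern.RED,
     "Status Code Meta": Pattern.RED, "Timing Cluster": Pattern.RED},
    min_matches=3,
)
SOFT_RULE = Rule(CUSTOM_SUSPICIOUS_SESSION, "mark")

# Constructed sample indicator results (True = anomalous), not real product output.
SAMPLE_BOT = {"Graph Metrics Cluster": True, "Isolation Forest": True,
              "Status Code Meta": False, "Timing Cluster": True}
SAMPLE_USER = {"Graph Metrics Cluster": False, "Isolation Forest": True,
               "Status Code Meta": False, "Timing Cluster": False}
```

Calling `evaluate([SOFT_RULE], SAMPLE_BOT)` yields the soft action for the bot-like session, while the single anomalous indicator in `SAMPLE_USER` stays below the assumed threshold and produces no action.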