Working with Airlock Anomaly Shield dashboards

After installation/upgrade of Airlock Gateway, the GATEWAY Anomaly Shield and GATEWAY Offender Overview dashboards with Airlock Anomaly Shield (AAS)-related lenses are available in Submenu – Log Viewer. This article contains basic information about the use of these dashboards and their lenses.

Dashboard: GATEWAY Anomaly Shield
Lenses:
  • AAS sessions assessment
  • AAS IP aggregates
  • AAS total of evaluated sessions
  • AAS attack heatmap
  • AAS False Positive candidates
  • AAS Top offender candidates

Dashboard: GATEWAY Offender Overview
Lenses:
  • AAS potential offender behavior over time
  • AAS entry path client error
  • AAS entry path server error

Note that you can narrow the scope of the dashboards to the mappings you are interested in by using a KQL filter (see KQL syntax (filter)).

Lens – AAS sessions assessment

[Screenshot: AAS session assessment]

This lens shows all unique sessions in green against sessions with an IP block induced by Airlock Anomaly Shield.

Description:
  • All Sessions include sessions from all mappings. This also includes sessions from mappings that Airlock Anomaly Shield does not protect.
  • All Sessions include sessions that are too short to be evaluated by Airlock Anomaly Shield (by default, sessions with fewer than 15 requests).
  • Anomalous sessions have at least one Airlock Anomaly Shield IP block.

Lens – AAS IP aggregates

[Screenshot: AAS IP aggregates assessment]

This lens shows the occurrence of IP blocks for traffic that is analyzed using IP aggregation.

Description:
  • The visualized count is not unique – a single IP can produce several Airlock Anomaly Shield IP blocks. However, this graph is a useful indication of either an excessive attack from one IP or simultaneous attacks from several IPs.

Lens – AAS total of evaluated sessions

[Screenshot: AAS total of evaluated sessions]

This lens shows the overall distribution of normal and malicious sessions.

Description:
  • Malicious sessions are shown in orange.
  • Good sessions are shown in green. Note that the graph also includes good sessions from mappings that Airlock Anomaly Shield does not protect.

The traffic can be narrowed down to single mappings. This allows you to check which of the mappings is more relevant for attackers.

Lens – AAS attack heatmap

[Screenshot: AAS attack heatmap]

This lens shows a breakdown of mappings and triggers.

Description:
  • This graph indicates which mapping (y-axis) might be at a high risk of attack.
  • The triggers (x-axis) represent the triggers as configured for your specific applications.

Lens – AAS False Positive candidates

[Screenshot: AAS False Positive candidates (apply filter)]

This lens shows potential false-positive candidates. For further session analysis, you can call up Show details in the context menu.

Description:
  • False positives are sessions that have no or only a low count of blocked and/or bad requests, yet are still flagged as anomalous by Airlock Anomaly Shield.
  • In our example screenshot, all false-positive candidates have the suspicious session trigger activated and can be considered harmless bots.
  • Depending on your trigger configuration, the number of table columns might vary.
  • As a rule of thumb, the stricter the triggers are, the fewer false-positive results can be expected.

Lens – AAS Top offender candidates

[Screenshot: AAS Top offender candidates]

This lens shows the most notorious attackers, which you should consider putting on the Section – IP Blacklist. For further session analysis, you can call up Show details in the context menu to inspect a specific IP even further.

Description:
  • The AAS blocks column refers to the number of IP blocks triggered by the respective IP. Note that an attacker with a blocked IP will most likely still try to send requests, which will result in HTTP status 503, as the backend is not reachable for the attacker.
  • The Bad HTTP code column refers to HTTP status codes for client-side (40x) and server-side (50x) errors.
  • The Bot Check Fails column refers to the Bot Management feature, which enforces the reflection of the assigned cookie. Normal sessions and bots that respect cookies would have 1-2 bot checks. A high number indicates a bot that does not respect cookies.
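As an added illustration (not part of the Airlock documentation or product), the following Python recomputes the False Positive candidates and Top offender candidates tables from constructed per-request records; the record layout, field names and the "low count" threshold are assumptions, only the 40x/50x heuristic, the 15-request minimum and the column semantics come from the text above.

```python
from collections import defaultdict

MIN_EVALUATED_REQUESTS = 15  # page default: shorter sessions are not evaluated
FP_MAX_BAD = 2               # assumed threshold for a "low count" of bad requests

# Constructed sample records (not Airlock's log format):
# (session_id, client_ip, http_status, bot_check_failed, aas_ip_block)
LOG = (
    [("s1", "198.51.100.10", 200, False, False)] * 20   # clean session
    + [("s2", "203.0.113.5", 404, False, False)] * 12   # dead links
    + [("s2", "203.0.113.5", 403, True, True)] * 8      # blocked, ignores cookie
    + [("s2", "203.0.113.5", 503, True, False)] * 10    # requests after the IP block
    + [("s3", "192.0.2.7", 200, False, False)] * 18
    + [("s3", "192.0.2.7", 200, False, True)]           # anomalous but harmless
    + [("s4", "192.0.2.9", 200, False, False)] * 5      # too short to be evaluated
)

def is_bad_status(status):
    """Page heuristic: 40x/50x responses are bad requests, 20x/30x are good."""
    return 400 <= status < 600

def summarize_sessions(log):
    """Per-session counts behind the lens columns."""
    sessions = defaultdict(lambda: {"ip": None, "requests": 0, "bad": 0,
                                    "bot_check_fails": 0, "aas_blocks": 0})
    for sid, ip, status, bot_fail, block in log:
        rec = sessions[sid]
        rec["ip"] = ip
        rec["requests"] += 1
        rec["bad"] += int(is_bad_status(status))
        rec["bot_check_fails"] += int(bot_fail)
        rec["aas_blocks"] += int(block)
    return dict(sessions)

def false_positive_candidates(sessions):
    """Evaluated sessions flagged anomalous (>= 1 AAS block) despite few bad requests."""
    return sorted(sid for sid, r in sessions.items()
                  if r["requests"] >= MIN_EVALUATED_REQUESTS
                  and r["aas_blocks"] >= 1 and r["bad"] <= FP_MAX_BAD)

def top_offender_candidates(sessions, limit=5):
    """IPs with AAS blocks, ranked by blocks, then bad HTTP codes, then bot check fails."""
    per_ip = defaultdict(lambda: {"aas_blocks": 0, "bad_http": 0, "bot_check_fails": 0})
    for r in sessions.values():
        agg = per_ip[r["ip"]]
        agg["aas_blocks"] += r["aas_blocks"]
        agg["bad_http"] += r["bad"]
        agg["bot_check_fails"] += r["bot_check_fails"]
    ranked = sorted(((ip, a) for ip, a in per_ip.items() if a["aas_blocks"] >= 1),
                    key=lambda kv: (-kv[1]["aas_blocks"], -kv[1]["bad_http"],
                                    -kv[1]["bot_check_fails"]))
    return ranked[:limit]
```

In the sample, session s3 surfaces as a false-positive candidate (one block, no bad requests) while 203.0.113.5 tops the offender list with its 503 responses after the block counted as bad HTTP codes.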

Lens – AAS potential offender behavior over time

[Screenshot: AAS potential offender behavior over time]

This lens shows the count of HTTP status codes over time, separating good from bad responses and marking AAS evaluations.

Description:
  • HTTP requests with 20x and 30x status codes are shown in green. These are heuristically considered good requests.
  • HTTP requests with 40x and 50x status codes are shown in orange. These are heuristically considered bad requests.
  • Red vertical bars represent Airlock Anomaly Shield IP blocks.

Lens – AAS entry path client error

[Screenshot: AAS entry path client error]

This table shows requests with client error HTTP response codes (40x). This overview helps you find out whether the client tried to access dead links or unauthorized content, or forcefully browsed your application.

Lens – AAS entry path server error

[Screenshot: AAS entry path server error]

This table shows requests with server error HTTP response codes (50x). After Airlock Anomaly Shield blocks a client IP, all requests from this IP are answered with a 503 status code for the duration of the IP block. This overview helps you understand how the client reacts to the IP block.