How to install Azion Bot Protection from Azion Marketplace

Azion Bot Protection is a serverless integration available at Azion Marketplace. It analyzes incoming requests using an edge function running on Edge Firewall and assigns a score based on rules and behaviors. If the score exceeds a predetermined threshold, the integration declines or cancels the request.

Using advanced algorithms that analyze the behavior of incoming data, the integration can detect and prevent malicious activities such as credential stuffing, vulnerability scanning, and site scraping.

The system employs Reputation Intelligence to establish a profile of each person who visits the site, including location, device type, and browsing patterns. This enables the prompt detection of suspicious behavior and the implementation of preventive measures against potential threats.


To use Azion Bot Protection:

  1. Access Real-Time Manager (RTM) > Marketplace.
  2. On the Marketplace’s homepage, select the integration’s card.
  3. Once the integration’s page opens, click the Get It Now button, at the bottom-right corner of the page.

A successful message appears to confirm your integration is installed.


To instantiate Azion Bot Protection, follow the steps:

  1. On the upper-left corner, select Products menu > Edge Firewall in the SECURE section.
  2. Click the Add Rule Set button.
  3. Give an easy-to-remember name to your new rule.
  4. Select the domains you want to protect with the function.
  5. Enable the Edge Functions switch in the Edge Firewall Modules section.
  6. Click the Save button.

Done. Now you’ve instantiated the rule for your function and have access to edge functions on your edge firewall.

While still on the Edge Firewall page:

  1. Select the Functions tab.
  2. Click the Add Function button.
  3. Give an easy-to-remember name to your instance.
  4. On the dropdown menu, select the Azion Bot Protection function.

This action will load the function, showing a form with the function code and, just above it, two tabs: Code and Args.

On the Args tab, you’ll pass your variables.

{
"threshold": 10,
"action": "deny"
}

Even when threshold and action are mandatory variables to be defined, you can add and define more variables, according to your needs, as shown in the example below that includes integration with a SIEM.

{
"threshold": 10,
"action": "deny",
"disabled_rules": [],
"reputation_network_lists": [2357, 2358, 2358, 2360],
"log_tag": "log_tag",
"siem_integration": true,
"send_data_to_siem_when": "always",
"siem_connection_args": {
"host": "example.com",
"uri": "/inspect/",
"port": "443",
"scheme": "https",
"additional_headers": {
"X-Test": "a test goes here",
"X-Another-Test": "another test goes here"
}
}
}

Where:

VariableTypeRequiredDescription
thresholdNumberYesThe maximum score that the request can reach before the function takes an action. If it has no value, the function won’t take action
actionStringYesThe action to be taken by the function whenever the request’s score is greater or equals the defined threshold. Possible values: deny, drop, and log (to send the data to the SIEM endpoint, if integrated)
log_tagStringNoA tag to identify the function instance which generated the request
log_all_headersBooleanNoDefines whenever or not all the request headers should be sent in the function’s log. Note: the headers’ values are going to be printed with base64 encode
disabled_rulesArray of numbersNoThe rules to be disabled. If a rule is disabled, it won’t be processed nor increment the request score
reputation_network_listsArray of numbersNoEvery network list that should be used to validate the request IP. If the request IP is found in a list, then the request score will be increased. If the request IP is found in multiple lists, the score will be increased by multiple times
session_signature_keyStringNoTo sign the az_asm. If this field has no value or an invalid value, the function will use the default value azion
siem_integrationBooleanNoDefines if the request data should perform POST to an external endpoint. Default value: false
send_data_to_siem_whenStringNoDefines when the request data should be sent to the external endpoint (if siem_integration is enabled). Possible values: always, ‘deny’, drop, or log (to send the data to the SIEM endpoint, if integrated)
siem_connection_argsTableYes,
with siem_integration enabled
The arguments to be used in the POST to the external endpoint
siem_connection_args.hostStringYes,
with siem_integration enabled
The host where the data will be POSTed to. If this field is empty, the function will be bypassed
siem_connection_args.uriStringNoThe URI where the data will be POSTed to. Default value: /
siem_connection_args.portNumberNoThe port where the data will be POSTed to. Default value: 443
siem_connection_args.schemeStringNoDefines the scheme to be used in the POST. Default value: https
siem_connection_args.additional_headersTableNoAdditional headers to be sent in the POST. The function will always send the following headers: ["Accept"] = "application/json", ["Content-Type"] = "application/json"
  1. When you’re done, click the Save button.

To finish, you have to set up a Rules Engine to configure the behavior and the criteria to run the function.

Still in the Edge Firewall page:

  1. Select the Rules Engine tab.
  2. Click the New Rule button.
  3. Give an easy-to-remember name to the rule.
    • You can add a description, but it’s an optional step.
  4. Select a criteria to run and catch the domains that you want to run the integration on.
    • Use this rule: if Request URI does not match "\.(png|jpg|css|js|jpeg|gif|ico|ttf|svg|woff|woff2|ashx|asmx|svc|swf|otf|eot)(\?.*)?$"
      • This rule is necessary to exclude all static data on your application.
  5. You have to create another criteria for this integration to work: if Request URI does not match /.well-know/
    • This rule is necessary to create a list of allowed IPs that doesn’t impact automation or scripts to WEB API.
  6. Below, select a behavior to the criteria. In this case, it’ll be Run Function.
  7. Select the adequate function according to the name you gave it in the instantiate step.
  8. Click the Save button.

Done. You now have your domains protected against bot attacks by using Azion Bot Protection.


If you require the Bot Protection logs, you may join a SIEM platform to obtain full data. To do so, in the Arguments tab, update the function and put in the SIEM connection data.

{
"siem_integration": true,
"send_data_to_siem_when": "always",
"siem_connection_args": {
"host": "example.com",
"uri": "/inspect/01g43ftztkqgvcr65pjwbr0227",
"port": "443",
"scheme": "https",
"additional_headers": {
"Authorization": "secret123"
}
}
}

When logs are sent to the SIEM, you’ll receive the following information:

{
"geoip_region": "SP",
"action": "deny",
"asn": "396982",
"request_id": "9581e2b51b5a082b12fed308f4eae564",
"host": "xxxxxxx.map.azionedge.com",
"classified": "bad bot",
"geoip_country": "BR",
"http_user_agent": "curl/7.87.0",
"bot category": [
"Bad Bot Signatures"
],
"request_uri": "/a",
"remote_addr": "34.95.175.91",
"score": 8
}

Azion will provide you with easy-to-go configurations, that should be enough for most of the cases. If you need a more detailed configuration, such as custom rules, you can edit the JSON file for the integration.

To find this file:

  1. On the upper-left corner, select Products menu > Edge Firewall in the SECURE section.
  2. Select the one related to Bot Protection.
  3. Open the Functions tab to load the integration’s source-code form.
  4. Select the Args tab.

This will load a JSON file where you’ll be able to tune Azion Bot Protection according to the necessities of your business.


Contributors