How to install Azion Bot Protection from Azion Marketplace
Azion Bot Protection is a serverless integration available at Azion Marketplace. It analyzes incoming requests using an edge function running on Edge Firewall and assigns a score based on rules and behaviors. If the score exceeds a predetermined threshold, the integration declines or cancels the request.
Using advanced algorithms that analyze the behavior of incoming data, the integration can detect and prevent malicious activities such as credential stuffing, vulnerability scanning, and site scraping.
The system employs Reputation Intelligence to establish a profile of each person who visits the site, including location, device type, and browsing patterns. This enables the prompt detection of suspicious behavior and the implementation of preventive measures against potential threats.
Getting the integration
Section titled Getting the integrationTo use Azion Bot Protection:
- Access Real-Time Manager (RTM) > Marketplace.
- On the Marketplace’s homepage, select the integration’s card.
- Once the integration’s page opens, click the Get It Now button, at the bottom-right corner of the page.
A successful message appears to confirm your integration is installed.
Configuring the integration
Section titled Configuring the integrationSetting up the Edge Firewall
Section titled Setting up the Edge FirewallTo instantiate Azion Bot Protection, follow the steps:
- On the upper-left corner, select Products menu > Edge Firewall in the SECURE section.
- Click the Add Rule Set button.
- Give an easy-to-remember name to your new rule.
- Select the domains you want to protect with the function.
- Enable the Edge Functions switch in the Edge Firewall Modules section.
- Click the Save button.
Done. Now you’ve instantiated the rule for your function and have access to edge functions on your edge firewall.
Setting up the function
Section titled Setting up the functionWhile still on the Edge Firewall page:
- Select the Functions tab.
- Click the Add Function button.
- Give an easy-to-remember name to your instance.
- On the dropdown menu, select the Azion Bot Protection function.
This action will load the function, showing a form with the function code and, just above it, two tabs: Code and Args.
On the Args tab, you’ll pass your variables.
{ "threshold": 10, "action": "deny"}
Even when threshold
and action
are mandatory variables to be defined, you can add and define more variables, according to your needs, as shown in the example below that includes integration with a SIEM.
{ "threshold": 10, "action": "deny", "disabled_rules": [], "reputation_network_lists": [2357, 2358, 2358, 2360], "log_tag": "log_tag", "siem_integration": true, "send_data_to_siem_when": "always", "siem_connection_args": { "host": "example.com", "uri": "/inspect/", "port": "443", "scheme": "https", "additional_headers": { "X-Test": "a test goes here", "X-Another-Test": "another test goes here" } }}
Where:
Variable | Type | Required | Description |
---|---|---|---|
threshold | Number | Yes | The maximum score that the request can reach before the function takes an action. If it has no value, the function won’t take action |
action | String | Yes | The action to be taken by the function whenever the request’s score is greater or equals the defined threshold. Possible values: deny , drop , and log (to send the data to the SIEM endpoint, if integrated) |
log_tag | String | No | A tag to identify the function instance which generated the request |
log_all_headers | Boolean | No | Defines whenever or not all the request headers should be sent in the function’s log. Note: the headers’ values are going to be printed with base64 encode |
disabled_rules | Array of numbers | No | The rules to be disabled. If a rule is disabled, it won’t be processed nor increment the request score |
reputation_network_lists | Array of numbers | No | Every network list that should be used to validate the request IP. If the request IP is found in a list, then the request score will be increased. If the request IP is found in multiple lists, the score will be increased by multiple times |
session_signature_key | String | No | To sign the az_asm . If this field has no value or an invalid value, the function will use the default value azion |
siem_integration | Boolean | No | Defines if the request data should perform POST to an external endpoint. Default value: false |
send_data_to_siem_when | String | No | Defines when the request data should be sent to the external endpoint (if siem_integration is enabled). Possible values: always , ‘deny’, drop , or log (to send the data to the SIEM endpoint, if integrated) |
siem_connection_args | Table | Yes, with siem_integration enabled | The arguments to be used in the POST to the external endpoint |
siem_connection_args.host | String | Yes, with siem_integration enabled | The host where the data will be POSTed to. If this field is empty, the function will be bypassed |
siem_connection_args.uri | String | No | The URI where the data will be POSTed to. Default value: / |
siem_connection_args.port | Number | No | The port where the data will be POSTed to. Default value: 443 |
siem_connection_args.scheme | String | No | Defines the scheme to be used in the POST. Default value: https |
siem_connection_args.additional_headers | Table | No | Additional headers to be sent in the POST. The function will always send the following headers: ["Accept"] = "application/json" , ["Content-Type"] = "application/json" |
- When you’re done, click the Save button.
Setting up the Rules Engine
Section titled Setting up the Rules EngineTo finish, you have to set up a Rules Engine to configure the behavior and the criteria to run the function.
Still in the Edge Firewall page:
- Select the Rules Engine tab.
- Click the New Rule button.
- Give an easy-to-remember name to the rule.
- You can add a description, but it’s an optional step.
- Select a criteria to run and catch the domains that you want to run the integration on.
- Use this rule:
if Request URI does not match "\.(png|jpg|css|js|jpeg|gif|ico|ttf|svg|woff|woff2|ashx|asmx|svc|swf|otf|eot)(\?.*)?$"
- This rule is necessary to exclude all static data on your application.
- Use this rule:
- You have to create another criteria for this integration to work:
if Request URI does not match /.well-know/
- This rule is necessary to create a list of allowed IPs that doesn’t impact automation or scripts to WEB API.
- Below, select a behavior to the criteria. In this case, it’ll be Run Function.
- Select the adequate function according to the name you gave it in the instantiate step.
- Click the Save button.
Done. You now have your domains protected against bot attacks by using Azion Bot Protection.
Integrating with a SIEM
Section titled Integrating with a SIEMIf you require the Bot Protection logs, you may join a SIEM platform to obtain full data. To do so, in the Arguments tab, update the function and put in the SIEM connection data.
SIEM connection example
Section titled SIEM connection example{"siem_integration": true, "send_data_to_siem_when": "always", "siem_connection_args": { "host": "example.com", "uri": "/inspect/01g43ftztkqgvcr65pjwbr0227", "port": "443", "scheme": "https", "additional_headers": { "Authorization": "secret123" } }}
Log example
Section titled Log exampleWhen logs are sent to the SIEM, you’ll receive the following information:
{ "geoip_region": "SP", "action": "deny", "asn": "396982", "request_id": "9581e2b51b5a082b12fed308f4eae564", "host": "xxxxxxx.map.azionedge.com", "classified": "bad bot", "geoip_country": "BR", "http_user_agent": "curl/7.87.0", "bot category": [ "Bad Bot Signatures" ], "request_uri": "/a", "remote_addr": "34.95.175.91", "score": 8}
Important
Section titled ImportantAzion will provide you with easy-to-go configurations, that should be enough for most of the cases. If you need a more detailed configuration, such as custom rules, you can edit the JSON
file for the integration.
To find this file:
- On the upper-left corner, select Products menu > Edge Firewall in the SECURE section.
- Select the one related to Bot Protection.
- Open the Functions tab to load the integration’s source-code form.
- Select the Args tab.
This will load a JSON
file where you’ll be able to tune Azion Bot Protection according to the necessities of your business.
Contributors