How to install Azion Bot Protection from Azion Marketplace

Azion Bot Protection is a serverless integration available at Azion Marketplace. It analyzes incoming requests using an edge function running on Edge Firewall and assigns a score based on rules and behaviors. If the score exceeds a predetermined threshold, the integration declines or cancels the request.

Using advanced algorithms that analyze the behavior of incoming data, the integration can detect and prevent malicious activities such as credential stuffing, vulnerability scanning, and site scraping.

The system employs Reputation Intelligence to establish a profile of each person who visits the site, including location, device type, and browsing patterns. This enables the prompt detection of suspicious behavior and the implementation of preventive measures against potential threats.

Getting the integration

To use Azion Bot Protection:

Access Real-Time Manager (RTM) > Marketplace.
On the Marketplace’s homepage, select the integration’s card.
Once the integration’s page opens, click the Get It Now button, at the bottom-right corner of the page.

A successful message appears to confirm your integration is installed.

Configuring the integration

Setting up the Edge Firewall

To instantiate Azion Bot Protection, follow the steps:

On the upper-left corner, select Products menu > Edge Firewall in the SECURE section.
Click the Add Rule Set button.
Give an easy-to-remember name to your new rule.
Select the domains you want to protect with the function.
Enable the Edge Functions switch in the Edge Firewall Modules section.
Click the Save button.

Done. Now you’ve instantiated the rule for your function and have access to edge functions on your edge firewall.

Setting up the function

While still on the Edge Firewall page:

Select the Functions tab.
Click the Add Function button.
Give an easy-to-remember name to your instance.
On the dropdown menu, select the Azion Bot Protection function.

This action will load the function, showing a form with the function code and, just above it, two tabs: Code and Args.

On the Args tab, you’ll pass your variables.

{
  "threshold": 10,
  "action": "deny"
}

Even when threshold and action are mandatory variables to be defined, you can add and define more variables, according to your needs, as shown in the example below that includes integration with a SIEM.

{
  "threshold": 10,
  "action": "deny",
  "disabled_rules": [],
  "reputation_network_lists": [2357, 2358, 2358, 2360],
  "log_tag": "log_tag",
  "siem_integration": true,
  "send_data_to_siem_when": "always",
  "siem_connection_args": {
    "host": "example.com",
    "uri": "/inspect/",
    "port": "443",
    "scheme": "https",
    "additional_headers": {
      "X-Test": "a test goes here",
      "X-Another-Test": "another test goes here"
    }
  }
}

Where:

Variable	Type	Required	Description
`threshold`	Number	Yes	The maximum score that the request can reach before the function takes an action. If it has no value, the function won’t take action
`action`	String	Yes	The action to be taken by the function whenever the request’s score is greater or equals the defined threshold. Possible values: `deny`, `drop`, and `log` (to send the data to the SIEM endpoint, if integrated)
`log_tag`	String	No	A tag to identify the function instance which generated the request
`log_all_headers`	Boolean	No	Defines whenever or not all the request headers should be sent in the function’s log. Note: the headers’ values are going to be printed with base64 encode
`disabled_rules`	Array of numbers	No	The rules to be disabled. If a rule is disabled, it won’t be processed nor increment the request score
`reputation_network_lists`	Array of numbers	No	Every network list that should be used to validate the request IP. If the request IP is found in a list, then the request score will be increased. If the request IP is found in multiple lists, the score will be increased by multiple times
`session_signature_key`	String	No	To sign the `az_asm`. If this field has no value or an invalid value, the function will use the default value `azion`
`siem_integration`	Boolean	No	Defines if the request data should perform POST to an external endpoint. Default value: `false`
`send_data_to_siem_when`	String	No	Defines when the request data should be sent to the external endpoint (if `siem_integration` is enabled). Possible values: `always`, ‘deny’, `drop`, or `log` (to send the data to the SIEM endpoint, if integrated)
`siem_connection_args`	Table	Yes, with `siem_integration` enabled	The arguments to be used in the POST to the external endpoint
`siem_connection_args.host`	String	Yes, with `siem_integration` enabled	The host where the data will be POSTed to. If this field is empty, the function will be bypassed
`siem_connection_args.uri`	String	No	The URI where the data will be POSTed to. Default value: `/`
`siem_connection_args.port`	Number	No	The port where the data will be POSTed to. Default value: `443`
`siem_connection_args.scheme`	String	No	Defines the scheme to be used in the POST. Default value: `https`
`siem_connection_args.additional_headers`	Table	No	Additional headers to be sent in the POST. The function will always send the following headers: `["Accept"] = "application/json"`, `["Content-Type"] = "application/json"`

When you’re done, click the Save button.

Setting up the Rules Engine

To finish, you have to set up a Rules Engine to configure the behavior and the criteria to run the function.

Still in the Edge Firewall page:

Select the Rules Engine tab.
Click the New Rule button.
Give an easy-to-remember name to the rule.
- You can add a description, but it’s an optional step.
Select a criteria to run and catch the domains that you want to run the integration on.
- Use this rule: if Request URI does not match "\.(png|jpg|css|js|jpeg|gif|ico|ttf|svg|woff|woff2|ashx|asmx|svc|swf|otf|eot)(\?.*)?$"
  - This rule is necessary to exclude all static data on your application.
You have to create another criteria for this integration to work: if Request URI does not match /.well-know/
- This rule is necessary to create a list of allowed IPs that doesn’t impact automation or scripts to WEB API.
Below, select a behavior to the criteria. In this case, it’ll be Run Function.
Select the adequate function according to the name you gave it in the instantiate step.
Click the Save button.

Done. You now have your domains protected against bot attacks by using Azion Bot Protection.

Integrating with a SIEM

If you require the Bot Protection logs, you may join a SIEM platform to obtain full data. To do so, in the Arguments tab, update the function and put in the SIEM connection data.

SIEM connection example

{
"siem_integration": true,
  "send_data_to_siem_when": "always",
  "siem_connection_args": {
    "host": "example.com",
    "uri": "/inspect/01g43ftztkqgvcr65pjwbr0227",
    "port": "443",
    "scheme": "https",
    "additional_headers": {
      "Authorization": "secret123"
      }
   }
}

Log example

When logs are sent to the SIEM, you’ll receive the following information:

{
  "geoip_region": "SP",
  "action": "deny",
  "asn": "396982",
  "request_id": "9581e2b51b5a082b12fed308f4eae564",
  "host": "xxxxxxx.map.azionedge.com",
  "classified": "bad bot",
  "geoip_country": "BR",
  "http_user_agent": "curl/7.87.0",
  "bot category": [
    "Bad Bot Signatures"
  ],
  "request_uri": "/a",
  "remote_addr": "34.95.175.91",
  "score": 8
}

Important

Azion will provide you with easy-to-go configurations, that should be enough for most of the cases. If you need a more detailed configuration, such as custom rules, you can edit the JSON file for the integration.

To find this file:

On the upper-left corner, select Products menu > Edge Firewall in the SECURE section.
Select the one related to Bot Protection.
Open the Functions tab to load the integration’s source-code form.
Select the Args tab.

This will load a JSON file where you’ll be able to tune Azion Bot Protection according to the necessities of your business.

Contributors