The event management feature currently supports viewing, analyzing, and handling detected bot risk events. By combining expert recommendations, it categorizes and mitigates risks, continuously operates defense policies, and achieves a closed-loop handling of bot risk events. It currently supports detection of the following six types of bot risk events:
Note:
It analyzes and alarms only on the current traffic that is not mitigated (not handled, the action performed is a monitoring action), and displays aggregated priority risk events for attention and handling.
Event Type
Event Description
Crawler bots
These bots are used for capturing and indexing website content. Excessive capturing may lead to high server load, impact website performance, or even steal sensitive data.
Malicious scanning bots
These bots automatically scan websites and services on the Internet, looking for known vulnerabilities and weaknesses. They may cause unauthorized access, data leakage, denial of service attacks, and other security issues.
Distributed Denial of Service (DDoS) bots
These bots are used to launch DDos attacks, which may paralyze the target website or service, affect normal user usage, and cause significant losses to the victim.
Spam-sending bots
These bots are used to send spams, which may contain advertisements, malicious links, or phishing emails. It can cause users to receive a large amount of spams, affecting their user experience, and may lead to security issues such as fraud and malware propagation.
Social media automation bots
These bots are used for automatic posting, liking, following, and commenting on social media platforms. It can cause inaccurate data on social media platforms, harming both regular users and the social media platforms.
Custom bots
These bots support custom rules, accurately identify the bot traffic based on the specified behaviors and characteristics configured, and analyze and aggregate the unmitigated traffic hitting custom rules for the second time, forming custom bot events.
Directions
1. Log in to the WAF console and choose Event Management > BOT Events in the left sidebar.
2. On the bot events page, click the All Domain Names dropdown in the upper left corner, and select the domain name you want to view. It supports filtering whether bot management is enabled for the current domain name.
If the Bot Switch is enabled, you can start using the related features.
If the Bot Switch is not enabled, go to the Access Management page, filter the domain names under the instances that have purchased bot management and need to enable the Bot Switch, and click
to enable the switch.
3. On the bot event management page, a statistical overview of various events is displayed, including the total number of events, number of events detected today, number of detected events, number of handled events, and number of handling bot events.
Field Name
Description
Total number of events
Total number of bot events under the current domain name.
Detected today
Total number of bot events detected today under the current domain name.
Detected
Total number of detected bot events under the current domain name.
Handled
Total number of handled bot events under the current domain name.
Handling
Total number of handled bot events under the current domain name.
Ignored
Total number of ignored bot events under the current domain name.
4. On the bot event management page, you can retrieve bot event data within a specified time range.
5. The event list primarily includes the bot event data list, bot event status change, bot event details display, bot event search, and bot event download features.
BOT event data list: You can view the bot event list for the selected time range under the current domain name.
Field Name
Description
Event ID
BOT event name.
Event type
BOT event type.
Matched Rule ID
Detection rules specifically hit by bot events.
Event level
BOT event risk level.
Domain name
Domain names associated with bot events.
Status of handling
Current event status of the bot event.
Detected: Detected and unconfirmed bot events.
Handling: Bot events with risks being confirmed and related rules being configured. This status includes processing suggestions for the event type (CC/access control/bot, etc.), and appropriate rules can be added with one click.
Handled: BOT event with risks confirmed and handling rules added.
Ignored: Confirm as not requiring to be handled and ignore it.
Disabled: Observe access traffic and attack traffic situation, confirming that the event can be completely closed.
Detection time
Earliest detection time of the bot event.
Last update
Most recent update time of the bot event.
Operation
Handle events and view details.
Handle events:
Add now: Click to adjust the handling status of the current hit rules and intercept malicious requests.
Status changed: Click to process the status change of the current bot event.
Username: It cannot be empty and is the current console account name by default.
Remarks: Enter the corresponding remarks.
Suggestions: Depending on the event type, provide corresponding suggestions. You can click Add Now to add the corresponding handling rules.
View details: Click View details to see the event details of the current bot event.
Field Name
Description
Basic information
It mainly includes Event ID, Event type, Occurrence time, update time, rule ID, associated domain names, attacker IP, and event details.
Suggestions
Depending on the event type, provide corresponding suggestions. You can click One-Click Interception or dropdown Switch Execution Action to handle the relevant traffic.
Attack source details
Event attack source details.
Change history
History of event status changes.
Bot event search: You can search by rule ID or related domain names.
Bot asset download: click
, select the required fields, and click Export to download the data list.
Event Alarm
On the System Management page, select System Settings > Event alarm to modify the Event alarm switch or click Settings.
Alarm switch: click
to turn on the switch. The switch is on by default. Once it is enabled, newly found risk events detected in the Event Management feature are summarized every day/hour, and notifications are pushed through channels such as the message center. Notifications for known risky events are not sent repeatedly.
Settings: Supports customizing alarm type and alarm frequency.
Alarm type: Supports selecting bot events and API events. It is recommended to select events of all different risk levels for alarms.
Alarm time: Supports selecting daily or hourly summary alarms. The default is to alarm at 10 AM daily.
Daily summary: Supports setting the notification time for daily alarms and summarizing all new event alarms once at the specified time each day.
Hourly summary: Supports setting the time period for notifications, with alarms pushed hourly at the beginning of the hour within the specified time range. Notifications will not be sent outside the set time points or time periods.
Receiving channel and recipient settings: To modify the message recipient or receiving method, go to Message Center, and select Product service notifications for settings.
