Monitor your bot activity over Splunk


Radware’s Bot Risk Scanner (BRS) is a freemium tool, available exclusively for Splunk, that detects bots from the information already in your SIEM logs and provides insight into the health of your incoming traffic. Its in-depth analysis helps you determine what actions to take to prevent malicious attacks on your applications. BRS is a monitor-only service that sits on top of the SIEM logs in Splunk and categorizes incoming traffic as human or bot based on Radware’s collective bot intelligence.

Why Radware Bot Risk Scanner

Radware’s Bot Risk Scanner offers a hassle-free, zero-touch solution for monitoring traffic activity, especially when your application’s access logs are already stored in Splunk. There is no need for external integrations, additional dashboard overhead, or extra hardware installations.

Moreover, the Bot Risk Scanner leverages the collective intelligence of Radware’s Bot Manager to minimize false positives, giving a more accurate assessment of potential threats. All of this is available at no cost, which makes the Bot Risk Scanner an excellent tool to assess your application’s risk profile before committing to any bot solution. It is a straightforward and cost-effective way to bolster your security without unnecessary complexity or expense.

Steps to enable Bot Risk Scanner

To get started with the BRS, follow these steps:

Select the Radware Bot Risk Scanner app on the Splunk Marketplace.

Save Configuration Details:


  • Splunk Field Name: The fields in the source Splunk index to analyze, in the format ip | url | useragent | referrer. IP, URL and User Agent are required; referrer is optional.
  • Splunk Index Name: The index that holds the data to be analyzed.
  • Promotional Code: Optional. If you need a larger quota, email brs@radware.com and the Radware team will share a unique promotional code for your account.
  • Email ID: Required to activate the license.

Verify the saved search: navigate to Settings > Searches, reports, and alerts, where you will find a sample saved search created for your review.

Navigate to the “Dashboard” tab to analyze your data.

The dashboard provides the following visualizations and information:

  • Bot Signature Count: Total number of unique signatures created against bots (including Crawler and Aggregator) by Radware Bot Risk Scanner.
  • Total Requests: Total number of packets in the source index scanned by Radware Bot Risk Scanner.
  • Impacted URLs: Total number of URLs impacted by bot attacks.
  • Bot Requests: Total number of packets classified as bots (including Crawler and Aggregator) by Radware Bot Risk Scanner.
  • Avg. Attack Duration | Top 10 IPs: Average time spent by each of the top 10 IP addresses while performing bot attacks.


  • Crawler Stats: Total number of packets classified as Crawlers by Radware Bot Risk Scanner.
  • Bot Traffic Trend: Bot traffic trend per hour classified by Radware Bot Risk Scanner.
  • Aggregator Stats: Total number of packets classified as Aggregators by Radware Bot Risk Scanner.
  • Bot Classification: Types of bots classified by Radware Bot Risk Scanner.


  • Top Attacks Based on IP Address: List of IPs classified as bad by Radware Bot Risk Scanner, along with ISP, city, country, and the total hits made by each IP within the selected period.
  • Top 10 Referrer URLs Impacted by Bots: List of the top 10 referrers and the number of bad bot hits on each within the selected period.
  • Global Distribution & Top 10 City Based on Attack:
  • Top 10 URLs Impacted by Bots: List of the top 10 URLs and the number of bad bot hits on each within the selected period.


Limitations & Debugging:

  • It is not recommended to change the Bot Risk Scanner job frequency. Doing so increases your overall number of API calls, which count against your free quota.
  • The top command is limited to 50k results. Refer to the specifications in limits.conf, or on your own instance in [$SPLUNK_HOME/etc/system/README/limits.conf.spec].
  • The _bump endpoint in Splunk forces a refresh of Splunk’s cache. This is useful if you have changed your Splunk configuration or data and need the changes to take effect immediately.
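Before saving the configuration details above, it helps to confirm that the source index actually carries the fields BRS expects (ip | url | useragent | referrer) and to see whether the number of distinct values your data produces stays under the 50k-result limit on top. The SPL search below is an added example, not part of the BRS app or its saved search; it assumes an index named web_access and fields named ip, url, useragent and referrer, which you should replace with the index and field names your own access logs use.

```spl
index=web_access earliest=-24h
| stats count AS total_events,
        count(eval(isnotnull(ip))) AS with_ip,
        count(eval(isnotnull(url))) AS with_url,
        count(eval(isnotnull(useragent))) AS with_useragent,
        count(eval(isnotnull(referrer))) AS with_referrer,
        dc(ip) AS distinct_ips,
        dc(url) AS distinct_urls
| eval ip_pct=round(100*with_ip/total_events,1),
       url_pct=round(100*with_url/total_events,1),
       ua_pct=round(100*with_useragent/total_events,1),
       ref_pct=round(100*with_referrer/total_events,1)
| eval required_fields_ok=if(ip_pct=100 AND url_pct=100 AND ua_pct=100,
       "yes", "no: a required field is missing in some events")
| eval top_limit_note=if(distinct_ips>50000 OR distinct_urls>50000,
       "distinct values exceed the 50k top limit; ranked results will be truncated",
       "within the 50k top limit")
| table total_events ip_pct url_pct ua_pct ref_pct distinct_ips distinct_urls required_fields_ok top_limit_note
```

Run it over the same time range the BRS job scans; a required field below 100% usually means the Splunk Field Name mapping needs to point at the field names your index really uses, and ref_pct is informational only because referrer is optional.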

Conclusion

While the Bot Risk Scanner primarily serves as a monitoring tool, its capacity to provide in-depth insights into malicious traffic can serve as a strong starting point to bolster security. From only monitoring, users can seamlessly transition into active protection by upgrading to Radware Bot Manager.

The Bot Risk Scanner can also be an invaluable tool when a protection system is already in place. It gives teams the opportunity to conduct proof reviews and thoroughly assess the effectiveness of their current protection capabilities. If you are a Splunk user, the free Bot Risk Scanner from Radware is a must-have tool to understand, monitor, and enhance your security posture.

Rajiv Netra

With over 2 years in Cloud Marketing at Radware, Rajiv Netra possesses expertise in Cloud Application Security, particularly on bot management and protection. Known for an approach that is both creative and data-driven, Rajiv's knowledge and experience provide a unique and informed perspective on the cybersecurity landscape.
