How to Install Azion Bot Manager Lite

Azion Bot Manager Lite is a serverless integration available in the Azion Marketplace. It was built on top of an function on Firewall, which analyzes incoming requests and assigns them a score based on a set of rules and behaviors. If the score is equal to or greater than the predetermined threshold, the integration executes the defined action. Otherwise, the request is processed (allow, as default action). Available actions for Bot Manager Lite: allow, deny, drop, redirect, custom HTML, random delay, and hold the connection.

This integration enables the detection of suspicious traffic and bad bots, facilitating the implementation of preventive measures against malicious activities such as credential stuffing, vulnerability scanning, and site scraping. Bot Manager Lite leverages machine learning and Reputation Intelligence to analyze the behavior of incoming data.


Getting the integration

To use Azion Bot Manager Lite:

  1. Access Azion Console > Marketplace.
  2. On the Marketplace’s homepage, select the integration’s card.
  3. Once the integration’s page opens, click the Install button in the bottom-right corner of the page.

A successful message appears to confirm your integration is installed.


Configuring the integration

Setting up Firewall

  1. On the upper-left corner, select Products menu > Firewall in the Secure section.
  2. Click the + Firewall button.
  3. Give an easy-to-remember name to your new firewall.
  4. Enable the Functions switch in the Modules section.
  5. Optionally, enable the Debug Rules switch to log which Rules Engine rules execute for each request. This is useful during tuning. See Using Debug Rules for details.
  6. Click the Save button.

Done. Now you’ve configured your firewall and it has access to Functions.

Setting up the function

While still on the Firewall page:

  1. Select the Functions Instances tab.
  2. Click the + Function Instance button.
  3. Give an easy-to-remember name to your instance.
  4. On the dropdown menu, select the Azion Bot Manager Lite function.

The Arguments code box is where you’ll pass your variables.

{
"threshold": 10,
"action": "deny"
}

Even when threshold and action are mandatory variables to be defined, you can add and define more variables, according to your needs, as shown in the example below:

{
"threshold": 10,
"action": "deny",
"disabled_rules": [],
"log_tag": "my_custom_tag"
}
  1. When you’re done, click the Save button.

Setting up the Rules Engine

To finish, you have to set up a Rules Engine to configure the behavior and the criteria to run the integration.

Still in the Firewall page:

  1. Select the Rules Engine tab.
  2. Click the + Rules Engine button.
  3. Give an easy-to-remember name to the rule.
    • You can add a description, but it’s an optional step.
  4. Select a criteria to run and catch the domains that you want to run the integration on.
    • Use this rule: if Request URI does not match "\.(png|jpg|css|js|jpeg|gif|ico|ttf|svg|woff|woff2|ashx|asmx|svc|swf|otf|eot)(\?.*)?$"
      • This rule is strongly recommended to exclude all static data on your application to be processed by the function. You can customize this rule if needed.
  5. You have to create additional criteria for this integration to work: if Request URI does not match /.well-know/
    • This rule is highly recommended to create a list of allowed IPs that don’t impact automation or scripts to WEB API.
  6. Below, select Run Function behavior.
  7. Select the adequate function according to the name you gave it during the instantiation step.
  8. Click the Save button.

On the Console, you must now configure your domain so it is protected by your firewall.

  1. On the Products menu, select Workloads.
  2. Click on the domain you want to protect with your Bot Manager Lite function.
  3. In the Settings section, click on the Firewall selector and choose the firewall you’ve just created.
  4. Click the Save button.

Done. You now have your domains protected against bot attacks by using Azion Bot Manager Lite.


Configuring actions:

Azion Bot Manager Lite can execute a set of different actions whenever the request’s score equals or exceeds the defined threshold.


Viewing logs

You can use Data Stream and Real-Time Events to get the Bot Manager Lite logs and monitor the bot activity in your applications.

Using Data Stream

To create a new stream for Bot Manager Lite activity:

  1. Access Azion Console > Data Stream.
  2. Click the + Stream button.
  3. Give your stream a unique and easy-to-remember name.
  4. In the Data Settings section, select Functions as Source.
  • You must be subscribed to Functions.
  1. In Template, select Functions Event Collector and it’ll show the variables to be used in your logs’ analysis in the Data Set code box.
  2. On Workloads, select between Filter Domains or All Current and Future Domains.
  3. Under Destination, select a Connector on the dropdown menu.
  • You’ll see different fields depending on the endpoint type you choose. Find more information on each of them on the Setting an endpoint page.
  1. Click the Save button.

Now, you can check the logs in the selected endpoint.

Using Real-Time Events

To access Real-Time Events, proceed as follows:

  1. Access Azion Console > Real-Time Events.
  2. Select the Functions tab.
  3. Define the Time Filter, according to the period you want to analyze.
  4. Use the Search bar to create a more specific search.

Reading log fields

Each log entry generated by Bot Manager Lite contains key fields that reveal how a request was evaluated. Understanding these fields lets you identify patterns, validate your threshold, and decide whether to adjust rules.

The log output follows this structure:

{
"score": 8,
"action": "allow",
"log_tag": "my_custom_tag",
"matched_rules": [1, 4, 7],
"request_id": "abc123xyz",
"http_user_agent": "curl/7.68.0",
"remote_addr": "203.0.113.42"
}
FieldDescription
scoreThe cumulative score assigned to the request. Each matched rule adds to this value. If the score reaches or exceeds your threshold, the configured action is triggered.
actionThe action taken for this request: allow, deny, drop, redirect, custom_html, random_delay, or hold_connection.
log_tagThe identifier you set in the log_tag argument. Use this to filter logs when running multiple Bot Manager Lite instances across different firewall rules.
matched_rulesAn array of rule IDs that were triggered by this request. Use these IDs to identify which behaviors are incrementing the score — and to disable specific rules if they generate false positives.
request_idA unique identifier for the request, useful for correlating logs across different Azion observability tools.
http_user_agentThe user-agent string sent in the request. Useful for identifying scripted clients or known bot signatures.
remote_addrThe IP address of the client. Cross-reference with your network lists to validate reputation-based scoring.

Tuning Bot Manager Lite

After reviewing your logs, you can adjust the function arguments to reduce false positives, tighten detection, or adapt the integration to your application’s traffic profile.

To edit the configuration:

  1. On the upper-left corner, select Products menu > Firewall in the Secure section.
  2. Select the firewall related to Bot Manager Lite.
  3. Open the Functions Instances tab.
  4. Select the function instance to edit.
  5. Edit the variables in the Arguments code box.
  6. Click the Save button.

Adjusting the threshold

The threshold defines the score at which Bot Manager Lite triggers the configured action. A lower value increases sensitivity; a higher value reduces false positives.

Start with observation mode ("action": "allow" and "internal_logs": "2") to collect baseline data before enforcing a blocking action:

{
"threshold": 10,
"action": "allow",
"internal_logs": "2",
"log_tag": "observation_phase"
}

Once you’ve reviewed the score distribution in your logs, lower the threshold to match the score range where malicious traffic concentrates — without catching legitimate users.

Disabling rules that generate false positives

If specific rule IDs appear consistently in matched_rules for legitimate traffic, you can disable them using the disabled_rules argument:

{
"threshold": 10,
"action": "deny",
"disabled_rules": [4, 7],
"log_tag": "production"
}

Tracking multiple instances with log tags

If you run Bot Manager Lite on multiple firewall rules or domains, use distinct log_tag values to filter logs per instance in Real-Time Events or Data Stream:

{
"threshold": 10,
"action": "deny",
"log_tag": "checkout_flow"
}

Search for log_tag:checkout_flow in Real-Time Events to isolate activity for that specific rule.

Controlling log verbosity

Use internal_logs to control which requests are logged:

ValueBehavior
"0"Logs requests with a score greater than 0 (default).
"1"Logs requests with a score greater than 0, or classified as Good Bot.
"2"Logs all requests, regardless of score. Recommended for observation and tuning.
"3"Disables logging entirely.

Using Debug Rules to trace firewall rule execution

Debug Rules is a Firewall-level feature that logs which Rules Engine rules were executed for each request. When tuning Bot Manager Lite, it helps you confirm that the rule calling the function is actually firing — and in what order relative to other firewall rules.

To enable Debug Rules on your firewall:

  1. On the upper-left corner, select Products menu > Firewall in the Secure section.
  2. Select the firewall associated with Bot Manager Lite.
  3. On the Main Settings tab, enable the Debug Rules switch.
  4. Click the Save button.

Once enabled, executed rules are recorded in the $traceback field (Data Stream and Real-Time Events) or the stacktrace variable (GraphQL API). A typical entry looks like:

{
"stacktrace": "{\"edge_firewall\":[\"Bot Manager Lite Rule\",\"Set WAF\"]}"
}

This confirms that the Bot Manager Lite Rule ran before the WAF rule set for that request. If the rule name is absent from stacktrace, the criteria in your Rules Engine rule didn’t match — review the criteria configuration in the Rules Engine tab.

Go to the Manage Bots Guide