AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part II


This article extends the previously published AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part I, an introductory article that highlights the configurations available for detecting and mitigating malicious user activity and includes a demonstration focused on detecting and mitigating malicious clients based on WAF security events.

In Part II of this series, we demonstrate a few more scenarios that give insight into the malicious user detection and mitigation feature of the F5 Distributed Cloud platform.


Demonstration (Using Multi Load Balancer ML Configuration)

In this demonstration, we set the threshold limit for failed login attempts in the app settings configuration so that any subsequent requests are marked as a malicious user event, and we apply mitigation rules to restrict access. We also detect clients based on the various user identifier types provided by the F5 Distributed Cloud console.


Enable malicious user detection using Multi Load Balancer ML config as mentioned in the document. 


Add a malicious user mitigation rule to the LB

  • In ‘Common Security Controls’, enable ‘Malicious User Mitigation And Challenges’ and set 'Malicious User Mitigation Settings' to ‘Custom’. If the rule is already created, select and apply the custom mitigation rule, then Save & Exit. Otherwise, click on 'Add Item', add a name, set the rules (threat level and associated actions) accordingly, click continue, apply, then Save & Exit. (Note: You can also configure the 'Default' malicious user mitigation settings, which come with predefined mitigation rules and are a recommended setting.)


Go to Home->WAAP->Manage->AI&ML->App Settings, click ‘Add App Setting’. 


Enter a name and click on 'Add Item' to go to the ‘AppType’ settings section. Click ‘Add item’. 


Click on the ‘Select Item’ drop-down and select the app type configured in the LB while executing Step 1.


Click ‘Configure’ on ‘Malicious User Detection’ and tune the settings as per your need. For demonstration purposes, we are setting the threshold value for Failed Login Activity to 5.


Apply and add the configurations and then click ‘Save and Exit’ to create the app settings object. 

Note: Identifying users uniquely on the Internet is a critical task because it helps build a picture of each user by learning from the activities they perform on the application.


Go to Home->WAAP->Manage->Shared Objects->User Identifications, click ‘Add User Identification’ 

  • Add a name, click ‘Configure’ on ‘User Identification Rules’, click ‘Add Item’ 

  • Set and apply the user identifier type and add the created user identification policy to the LB. 


Generate more failed login requests in your application than the configured threshold limit; the application should return response code 401.

Available User Identifier Types 

By default, the user identifier type is set to ‘Client IP Address’. We already saw the IP address used as a client identifier in the previous article. In this demo, we set the other available options. Follow the steps mentioned above to generate failed login events and verify that the users are detected based on the configured user identification policy.

The user identification rules were configured, and the results of the associated configurations checked on the UI dashboards, for each of the following identifier types:

  • Query Parameter Key 

  • HTTP Header Name 

  • Cookie Name 

  • Client Autonomous System 

  • TLS Fingerprint 

  • Client IP and HTTP Header Name 

  • Client IP and TLS Fingerprint 
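
How the choice of identifier type changes which clients cross the failed-login threshold, as an added illustration that is not F5 code and not part of the original article: it counts HTTP 401 responses per identifier over constructed requests, using the threshold of 5 from the demonstration. The field names, the /login path and the header, cookie and query key names are assumptions, and the platform's own detection is not reproduced here.

```python
from collections import Counter

# Identifier types named in the article, mapped to the request fields that
# feed them. The field names (and the header/cookie/query key names) are
# assumptions of this sketch, not F5 Distributed Cloud configuration keys.
IDENTIFIER_TYPES = {
    "client_ip": ("ip",),
    "query_param": ("query:user",),
    "http_header": ("header:x-user-id",),
    "cookie": ("cookie:session",),
    "client_asn": ("asn",),
    "tls_fingerprint": ("tls_fp",),
    "client_ip_and_http_header": ("ip", "header:x-user-id"),
    "client_ip_and_tls_fingerprint": ("ip", "tls_fp"),
}

def user_key(request, id_type):
    """Build the user identifier for one request; None if a field is missing."""
    parts = [request.get(field) for field in IDENTIFIER_TYPES[id_type]]
    return None if any(p is None for p in parts) else tuple(parts)

def flag_users(requests, id_type, threshold=5):
    """Return identifiers with more than `threshold` failed logins (HTTP 401)."""
    failures = Counter()
    for req in requests:
        if req["path"] == "/login" and req["status"] == 401:
            key = user_key(req, id_type)
            if key is not None:
                failures[key] += 1
    return {key: n for key, n in failures.items() if n > threshold}

def sample_requests():
    """Constructed data: two clients behind one NAT address (203.0.113.10)."""
    noisy = {"ip": "203.0.113.10", "asn": 64500, "tls_fp": "fp-aaaa",
             "header:x-user-id": "client-a", "path": "/login", "status": 401}
    quiet = {"ip": "203.0.113.10", "asn": 64500, "tls_fp": "fp-bbbb",
             "header:x-user-id": "client-b", "path": "/login", "status": 401}
    ok = dict(quiet, status=200)  # a successful login is never counted
    return [noisy] * 6 + [quiet] * 2 + [ok]

if __name__ == "__main__":
    for id_type in ("client_ip", "client_ip_and_tls_fingerprint", "http_header"):
        print(id_type, flag_users(sample_requests(), id_type))
```

With ‘Client IP Address’ both clients behind the shared address are counted as one user, while the combined and header-based identifiers flag only the client that actually exceeded the threshold.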



In this article, we demonstrated how simple it is to configure your LB to respond to multiple unauthorised access attempts by detecting them using various client identification type options and mitigating them automatically at the same time with a very low risk of false positives.


For further information or to get started

  • F5 Distributed Cloud Platform (Link)
  • F5 Distributed Cloud WAAP Services (Link) 
Updated May 22, 2023
Version 3.0
