AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part III


We have already discussed the advantages that the F5 Distributed cloud’s ‘AI/ML solution for malicious users’ brings to the table as well as how simple it is to configure and monitor those events using an interactive UI dashboard of F5 Distributed Cloud Console. 

Below are the links for parts 1 and 2 of this article: 

AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part I 

AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP – Part II 

In this article, we will go over a few more test scenarios covering the detection and mitigation of malicious user events. 


Demonstration (using Multi Load Balancer ML config)

Scenario 1: 

In this scenario, we will monitor and mitigate detected malicious users for forbidden access attempts. 


Enable malicious user detection using Multi Load Balancer ML config as mentioned in the document.


Configure a policy that prevents users from accessing a specific path. 

  • From the Console homepage, click Web App & API Protection. 
  • Click Manage -> Service Policies -> Service Policies. 
  • Click 'Add service policy,' give it a name, and set the rules as needed. Here, we are prohibiting access to the path '/delete,' as illustrated in the screenshot below. As a result, users will be unable to access the endpoint "https://<domain>/delete". 

  • Go to Home -> Web App & API Protection -> Manage -> Load Balancers -> HTTP Load Balancers, and add the created service policy to the LB 


Configure app setting object to detect malicious user activity based on forbidden access requests 

  • Go to Home->WAAP->Manage->AI&ML->App Settings, click ‘Add App Setting’. 
  • Enter a name and go to ‘AppType’ Settings section. Click ‘Add item’. 
  • Click on the ‘App Type’ drop-down and select the app type configured in the LB while executing Step1. 
  • Click ‘Configure’ in ‘Malicious User Detection’, tune the settings as per your need. Here, we have set the threshold limit for forbidden access requests to 10, beyond which the system will flag the user as malicious. 

  • Apply and add the configurations and then click ‘Save and Exit’ to create the app settings object. 


Configure automatic mitigation for malicious users 

  • Go to your LB  and click ‘Edit Configuration’ 
  • Scroll down to ‘Common Security Controls’ section 
  • Enable 'Malicious User Mitigation And Challenges'.
  • Set the ‘Malicious User Mitigation Settings’ as ‘Default’. click Save & Exit. 


Generate requests (more than the configured threshold value in Step3) to forbidden path (https://<domain>/delete). 

Note: Here generating requests indicates attempts of an attacker to bypass 403 forbidden error response. For example, trying different HTTP request methods, manipulating endpoint by appending sequences to it like {%2e}, {%2f}, {%5c} or by applying some other technique manually or through script. 


Go to Home->Web App & API Protection->Overview->Dashboards->Security Dashboard, select your LB and switch to Malicious Users tab, monitor the activity. 

Note: You can also use manual configuration for mitigation if automatic mitigation is not applied by simply clicking on ‘Block User’ on the top right side and adding detected malicious user's IP address to the deny list.  

Scenario 2: 

In this scenario, we will set the configuration to detect malicious users based on requests from potentially High-Risk IPs and block them by configuring default automatic mitigation action. 


Enable malicious user detection using Multi Load Balancer ML config as mentioned in the document. 


In app settings object configuration, make sure 'IP Reputation' is enabled (follow points in Step3 from Scenario1). Apply, Save & Exit. 


Follow Step4 in Scenario 1 to enable default automatic malicious user mitigation action .


Generate 20+ requests in a minute from Tor browser.  At the end follow Step6 from Scenario1 to monitor the malicious user activity

Note: Tor is a free and open-source software developed to hide its user’s identity and activities over the Internet and make them anonymous. 



This brings us to the end of this article series. We have seen how F5 Distributed Cloud WAAP’s security solution for malicious users aids in the identification and mitigation of suspicious activities. Alert fatigue, long investigation times, missed attacks, and false positives are all common issues for security teams. However, by utilizing AI/ML-based malicious user detection, security teams can effectively filter out noise and identify actual risks and threats without the need for manual intervention. 

Suspicious actions such as Forbidden access attempts, login failures, and so on create a timeline of events that suggests the possibility of malicious user activity. Users who exhibit such behavior can be blocked manually or automatically based on their threat levels, and exceptions can be made using allow lists. 

Updated May 22, 2023
Version 3.0

Was this article helpful?

No CommentsBe the first to comment