Bad bots, hackers, and other malicious agents leave traces across a huge volume of signals: session activity, HTTP headers, response times, request volume and cadence, and more. That complexity has created a market for siloed, complex, and extremely expensive tools. In contrast, Coralogix can consume simple data, such as CDN logs, and derive complex, dynamically changing scores from it. Coupled with built-in cost optimization and the wider platform features, this makes a very compelling case.
While the individual factors will be unique to a company, there are some very common assessments that almost all companies can utilize, for example:
While these checks are ubiquitous, the problem for most companies is simple: very few solutions correlate activity in the browser with firewall and CDN activity to build a complete picture of a user session.
Observability, when coupled with the right architecture and feature set, is a powerful solution to common security challenges. Let’s explore how Bot Scoring works in Coralogix.
Coralogix assesses user behavior from multiple dimensions by correlating data sources that would otherwise be completely disconnected:
First, integrating all of this data was a simple matter of clicking through Coralogix’s guided integrations. This three-click process deployed CloudFormation stacks into an AWS account, and data immediately began to flow.
Once the data was ingested into Coralogix, the next step was to optimize observability costs by defining Coralogix TCO Optimizer rules. These rules matter a great deal for this kind of data: CDN and RUM logs are very noisy and can spike costs without driving an equivalent return. Using the TCO Optimizer, Coralogix customers define use cases and declare how valuable each class of log is.
Here, we were able to assign a huge share of our data (all RUM and CDN logs) to the monitoring level, which consumes 70% less quota, so roughly three times the volume can be ingested for the same cost.
From here, we then enriched our data, using some key information:
This meant our logs now contained some extremely important information. User location and IP reputation are two vital measurements for bad actor detection.
Then we began generating our metrics. Coralogix supports Events2Metrics: logs that would be expensive to keep in high-performance indexed storage for a long time are converted into metrics, which are retained for a long period (one year by default) and can be queried quickly without the associated cost. Here are just a few of the metrics we generated:
This data comes from many different sources, but thanks to the power of Coralogix, it can all be put together and crunched into something tangible. In this case, a “Bad Actor” score is between 0 and 100. 0 indicates that the user has done nothing nefarious, and 100 indicates that they are definitely up to no good.
We did this using Coralogix Recording Rules and some basic PromQL:
```promql
# Each factor is reduced to a 0/1 flag per IP, weighted, and tagged with a distinct
# "factor" label so that "or" unions the series instead of collapsing them;
# "sum by (ip)" then adds whichever factors exist for each IP (a missing factor counts as 0).
clamp_max(
  sum by (ip) (
      label_replace(clamp_max(round(max(cx_cf_suspected_country_cx_docs_total) by (ip)), 1) * 20, "factor", "country", "", "")
    or label_replace(clamp_max(round(max(cx_cf_suspected_ip_cx_docs_total) by (ip)), 1) * 40, "factor", "ip", "", "")
    …
  ),
  100
) > 0
```
This can be a little confusing to read, but it breaks down simply. Each factor metric (for example cx_cf_suspected_country_cx_docs_total, the count of documents flagged with a suspicious country) is collapsed to a 0 or 1 per IP with round and clamp_max, so a noisy IP cannot inflate a single factor through sheer volume. Each flag is then multiplied by its weight (20 for a suspected country, 40 for a suspected IP, and so on for the factors elided above), the weighted flags are summed per IP, the total is capped at 100, and the trailing > 0 keeps only IPs that have tripped at least one factor.
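To make the pipeline concrete end to end (enrichment, the Events2Metrics aggregation, and the weighted, capped score), here is an added illustration in Python. It is not Coralogix code and not the page's own recording rule; the first two weights match the PromQL above, while the error-rate and request-rate factors, their weights and thresholds, the suspected country code "XX", the reputation list, and the log records are all constructed for the example.

```python
"""Bad-actor scoring over CDN logs: enrich -> per-IP metrics -> capped 0..100 score.

Added illustration, not Coralogix code. Factor names, thresholds, sample
addresses and log lines are constructed for this example.
"""
import json
from collections import Counter, defaultdict

WEIGHTS = {
    "suspected_country": 20,  # weight used by the PromQL on the page
    "suspected_ip": 40,       # weight used by the PromQL on the page
    "high_error_rate": 25,    # illustrative weight, assumed here
    "high_request_rate": 30,  # illustrative weight, assumed here
}

SUSPECTED_COUNTRIES = {"XX"}           # placeholder country code (constructed)
BAD_REPUTATION_IPS = {"198.51.100.7"}  # TEST-NET-2 address (constructed)
ERROR_RATE_THRESHOLD = 0.5             # more than half of responses are 4xx/5xx
REQUEST_RATE_THRESHOLD = 100           # more than 100 requests in the window


def _build_sample_logs():
    """Constructed CDN access records, one JSON object per line; not real traffic."""
    rows = [{"ip": "203.0.113.5", "country": "XX", "status": 200} for _ in range(3)]
    rows += [{"ip": "192.0.2.10", "country": "US", "status": 200} for _ in range(2)]
    rows += [{"ip": "198.51.100.7", "country": "US", "status": 403 if i % 4 else 200}
             for i in range(150)]
    return "\n".join(json.dumps(r) for r in rows)


SAMPLE_LOGS = _build_sample_logs()


def parse_logs(text):
    """Parse newline-delimited JSON log lines into records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def enrich(record):
    """Enrichment step: stamp geo and IP-reputation verdicts onto each log."""
    out = dict(record)
    out["suspected_country"] = record["country"] in SUSPECTED_COUNTRIES
    out["suspected_ip"] = record["ip"] in BAD_REPUTATION_IPS
    return out


def events_to_metrics(records):
    """Events2Metrics step: collapse logs into per-IP counters (documents per flag)."""
    metrics = defaultdict(Counter)
    for r in map(enrich, records):
        m = metrics[r["ip"]]
        m["requests_total"] += 1
        m["errors_total"] += int(r["status"] >= 400)
        m["suspected_country_docs_total"] += int(r["suspected_country"])
        m["suspected_ip_docs_total"] += int(r["suspected_ip"])
    return metrics


def score_ip(m):
    """Mirror of the recording rule: each factor becomes 0/1, is weighted, summed, capped at 100."""
    requests = m["requests_total"]
    flags = {
        "suspected_country": min(round(m["suspected_country_docs_total"]), 1),
        "suspected_ip": min(round(m["suspected_ip_docs_total"]), 1),
        "high_error_rate": int(bool(requests) and m["errors_total"] / requests > ERROR_RATE_THRESHOLD),
        "high_request_rate": int(requests > REQUEST_RATE_THRESHOLD),
    }
    return min(sum(WEIGHTS[f] * v for f, v in flags.items()), 100)


def bad_actor_scores(text):
    """Score every IP seen in the window and keep only non-zero scores (the `> 0` filter)."""
    scores = {ip: score_ip(m) for ip, m in events_to_metrics(parse_logs(text)).items()}
    return {ip: s for ip, s in scores.items() if s > 0}


if __name__ == "__main__":
    for ip, s in sorted(bad_actor_scores(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} score={s}")
```

Two details worth noting: collapsing each factor to 0/1 before weighting means the score is bounded by the sum of the weights, not by traffic volume, and capping at 100 keeps the scale stable as more factors are added. A missing factor for an IP simply contributes nothing, which is the behaviour the PromQL has to engineer explicitly because `+` between vectors drops series whose labels do not match.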
Visualizing this data is straightforward now that the metrics are in place.
Using these metrics, customers get an extremely detailed (and fully customizable) view of their security posture, and can investigate dangerous users well before they cause a problem.
The value of this approach is clear. The PromQL performs well, the recording rule generates fresh scores every minute, and the whole thing can be deployed in a single click from a Coralogix extension. Crucially, it is not a black box.
Coralogix customers can see and change any factor or weight as they need. Together with our 24/7 support, which has a median response time of 20 seconds, this means the scoring function gives you a solid framework without restricting visibility or flexibility, and you can work closely with Coralogix to shape it into exactly what you need.
The key value statements for this solution are:
Want to hit the ground running with bad bot detection? Check out Coralogix’s quick start pack for bad bot detection with loads of out-of-the-box dashboards, alerts and more.