Merge pull request #273987 from vhorne/waf-bot1.1

Start Bot Manager 1.1 updates

Author: v-dirichards

articles/web-application-firewall/afds/afds-overview.md

@@ -2,7 +2,7 @@
 title: What is Azure Web Application Firewall on Azure Front Door?
 description: Learn how Azure Web Application Firewall on Azure Front Door protects your web applications from malicious attacks.
 services: web-application-firewall
-author: vhorne
+author: sowmyam2019
 ms.service: web-application-firewall
 ms.topic: conceptual
 ms.date: 10/04/2023
@@ -104,19 +104,21 @@ For more information, see [Web Application Firewall Default Rule Set rule groups
 
 ### Bot protection rule set
 
-You can enable a managed bot protection rule set to take custom actions on requests from known bot categories.
+You can enable a managed bot protection rule set to take custom actions on requests from all bot categories.
 
-Three bot categories are supported:
+Three bot categories are supported: *Bad*, *Good*, and *Unknown*. Bot signatures are managed and dynamically updated by the WAF platform.
 
-- **Bad**: Bad bots include bots from malicious IP addresses and bots that have falsified their identities. Malicious IP addresses are sourced from the Microsoft Threat Intelligence feed and updated every hour. [Intelligent Security Graph](https://www.microsoft.com/security/operations/intelligence) powers Microsoft Threat Intelligence and is used by multiple services, including Microsoft Defender for Cloud.
-- **Good**: Good bots include validated search engines.
-- **Unknown**: Unknown bots include other bot groups that have identified themselves as bots. Examples include market analyzers, feed fetchers, and data collection agents. Unknown bots are classified via published user agents without any other validation.
+- **Bad**: Bad bots are bots with malicious IP addresses and bots that have falsified their identities. Bad bots includes malicious IP addresses that are sourced from the Microsoft Threat Intelligence feed’s high confidence IP Indicators of Compromise and IP reputation feeds. Bad bots also include bots that identify themselves as good bots but their IP addresses don’t belong to legitimate bot publishers.
+- **Good**: Good Bots are trusted user agents. Good bot rules are categorized into multiple categories to provide granular control over WAF policy configuration. These categories include verified search engine bots (such as Googlebot and Bingbot), validated link checker bots, verified social media bots (such as Facebookbot and LinkedInBot), verified advertising bots, verified content checker bots, and validated miscellaneous bots.
+- **Unknown**: Unknown bots are user agents without additional validation. Unknown bots also include malicious IP addresses that are sourced from Microsoft Threat Intelligence feed’s medium confidence IP Indicators of Compromise.
 
 The WAF platform manages and dynamically updates bot signatures. You can set custom actions to block, allow, log, or redirect for different types of bots.
 
 ![Screenshot that shows a bot protection rule set.](../media/afds-overview/botprotect2.png)
 
-If bot protection is enabled, incoming requests that match bot rules are logged. You can access WAF logs from a storage account, an event hub, or Log Analytics. For more information about how the WAF logs requests, see [Azure Web Application Firewall monitoring and logging](waf-front-door-monitor.md).
+If bot protection is enabled, incoming requests that match bot rules are blocked, allowed, or logged based on the configured action. Bad bots are blocked, good bots are allowed, and unknown bots are logged by default. You can set custom actions to block, allow, log, or JS challenge for different types of bots. You can access WAF logs from a storage account, event hub, log analytics, or send logs to a partner solution.
+
+The Bot Manager 1.1 rule set is available on Azure Front Door premium version.
 
 ## Configuration
 

articles/web-application-firewall/afds/waf-front-door-drs.md

@@ -2,7 +2,7 @@
 title: Azure Web Application Firewall DRS rule groups and rules
 description: This article provides information on Azure Web Application Firewall DRS rule groups and rules.
 ms.service: web-application-firewall
-author: vhorne
+author: sowmyam2019
 ms.author: victorh
 ms.topic: conceptual
 ms.date: 05/30/2024
@@ -173,14 +173,26 @@ DRS 2.0 includes 17 rule groups, as shown in the following table. Each group con
 |[MS-ThreatIntel-WebShells](#drs9905-10)|MS-ThreatIntel-WebShells|Protect against Web shell attacks|
 |[MS-ThreatIntel-CVEs](#drs99001-10)|MS-ThreatIntel-CVEs|Protect against CVE attacks|
 
-### Bot rules
+### Bot Manager 1.0
+
+The Bot Manager 1.0 rule set provides protection against malicious bots and detection of good bots. The rules provide granular control over bots detected by WAF by categorizing bot traffic as Good, Bad, or Unknown bots. 
 
 |Rule group|Description|
 |---|---|
 |[BadBots](#bot100)|Protect against bad bots|
 |[GoodBots](#bot200)|Identify good bots|
 |[UnknownBots](#bot300)|Identify unknown bots|
 
+### Bot Manager 1.1
+
+The Bot Manager 1.1 rule set is an enhancement to Bot Manager 1.0 rule set. It provides enhanced protection against malicious bots, and increases good bot detection.
+
+|Rule group|Description|
+|---|---|
+|[BadBots](#bot11-100)|Protect against bad bots|
+|[GoodBots](#bot11-200)|Identify good bots|
+|[UnknownBots](#bot11-300)|Identify unknown bots|
+
 The following rule groups and rules are available when you use Azure Web Application Firewall on Azure Front Door.
 
 # [DRS 2.1](#tab/drs21)
@@ -1050,9 +1062,9 @@ The following rule groups and rules are available when you use Azure Web Applica
 |99001016|Attempted Spring Cloud Gateway Actuator injection [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)|
 |99001017|Attempted Apache Struts file upload exploitation [CVE-2023-50164](https://www.cve.org/CVERecord?id=CVE-2023-50164)|
 
-# [Bot rules](#tab/bot)
+# [Bot Manager 1.0](#tab/bot)
 
-## <a name="bot"></a> Bot manager rule sets
+## <a name="bot"></a> 1.0 rule sets
 
 ### <a name="bot100"></a> Bad bots
 |RuleId|Description|
@@ -1081,6 +1093,43 @@ The following rule groups and rules are available when you use Azure Web Applica
 
 Bot300600 scans both client IP addresses and IPs in the `X-Forwarded-For` header.
 
+# [Bot Manager 1.1](#tab/bot11)
+
+## <a name="bot11"></a> 1.1 rule sets
+
+### <a name="bot11-100"></a> Bad bots
+|RuleId|Description|
+|---|---|
+|Bot100100|Malicious bots detected by threat intelligence|
+|Bot100200|Malicious bots that have falsified their identity|
+|Bot100300|High risk bots detected by threat intelligence|
+ 
+ Bot100100 scans both client IP addresses and IPs in the `X-Forwarded-For` header.
+
+### <a name="bot11-200"></a> Good bots
+|RuleId|Description|
+|---|---|
+|Bot200100|Search engine crawlers|
+|Bot200200|Verified miscellaneous bots|
+|Bot200300|Verified link checker bots|
+|Bot200400|Verified social media bots|
+|Bot200500|Verified content fetchers|
+|Bot200600|Verified feed fetchers|
+|Bot200700|Verified advertising bots|
+
+### <a name="bot11-300"></a> Unknown bots
+|RuleId|Description|
+|---|---|
+|Bot300100|Unspecified identity|
+|Bot300200|Tools and frameworks for web crawling and attacks|
+|Bot300300|General-purpose HTTP clients and SDKs|
+|Bot300400|Service agents|
+|Bot300500|Site health monitoring services|
+|Bot300600|Unknown bots detected by threat intelligence. This rule also includes IP addresses matched to the Tor network.|
+|Bot300700|Other bots|
+
+Bot300600 scans both client IP addresses and IPs in the `X-Forwarded-For` header.
+
 ---
 
 ## Next steps

articles/web-application-firewall/afds/waf-front-door-policy-configure-bot-protection.md

@@ -1,7 +1,7 @@
 ---
 title: Configure bot protection for Web Application Firewall with Azure Front Door
 description: Learn how to configure bot protection rule in Azure Web Application Firewall (WAF) for Front Door by using Azure portal.
-author: vhorne
+author: sowmyam2019
 ms.service: web-application-firewall
 ms.custom: devx-track-bicep
 ms.topic: article