Merge pull request #217563 from vhorne/waf-ag-bot-pro

add bot protection rule set to AG

Author: v-regandowner

articles/web-application-firewall/ag/ag-overview.md

@@ -5,7 +5,7 @@ description: This article provides an overview of Web Application Firewall (WAF)
 services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
-ms.date: 05/06/2022
+ms.date: 11/08/2022
 ms.author: victorh
 ms.topic: conceptual
 ---
@@ -101,11 +101,35 @@ The geomatch operator is now available for custom rules. See [geomatch custom ru
 
 For more information on custom rules, see [Custom Rules for Application Gateway.](custom-waf-rules-overview.md)
 
-### Bot mitigation
+### Bot protection rule set
 
-A managed Bot protection rule set can be enabled for your WAF to block or log requests from known malicious IP addresses, alongside the managed ruleset. The IP addresses are sourced from the Microsoft Threat Intelligence feed. Intelligent Security Graph powers Microsoft threat intelligence and is used by multiple services including Microsoft Defender for Cloud.
+You can enable a managed bot protection rule set to take custom actions on requests from all bot   categories.
+
+Three bot categories are supported:
+
+- **Bad**
+
+   Bad bots include bots from malicious IP addresses and bots that have falsified their identities. Bad bots with malicious IPs are sourced from the Microsoft Threat Intelligence feed’s high confidence IP Indicators of Compromise.
+- **Good**
+
+   Good bots include validated search engines such as Googlebot, bingbot, and other trusted user agents.
+
+- **Unknown**
+
+   Unknown bots are classified via published user agents without additional validation. For example, market analyzer, feed fetchers, and data collection agents. Unknown bots also include malicious IP addresses that are sourced from Microsoft Threat Intelligence feed’s medium confidence IP Indicators of Compromise.
+
+Bot signatures are managed and dynamically updated by the WAF platform.
+
+:::image type="content" source="../media/ag-overview/bot-rule-set.png" alt-text="Screenshot of bot rule set.":::
+
+You may assign Microsoft_BotManagerRuleSet_1.0 by using the **Assign** option under **Managed Rulesets**:
+
+:::image type="content" source="../media/ag-overview/assign-managed-rule-sets.png" alt-text="Screenshot of Assign managed rule sets.":::
+
+If Bot protection is enabled, incoming requests that match bot rules are blocked, allowed, or logged based on the configured action. Malicious bots are blocked, verified search engine crawlers are allowed, unknown search engine crawlers are blocked, and unknown bots are logged by default. You can set custom actions to block, allow, or log  for different types of bots.
+
+You can access WAF logs from a storage account, event hub, log analytics, or send logs to a partner solution.
 
-If Bot Protection is enabled, incoming requests that match Malicious Bot's client IPs are logged in the Firewall log, see more information below. You may access WAF logs from storage account, event hub, or log analytics. 
 
 ### WAF modes
 

articles/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md

@@ -5,7 +5,7 @@ description: This page provides information on web application firewall CRS rule
 services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
-ms.date: 06/21/2022
+ms.date: 11/08/2022
 ms.author: victorh
 ms.topic: conceptual
 ---
@@ -145,6 +145,16 @@ CRS 2.2.9 includes 10 rule groups, as shown in the following table. Each group c
 |**[crs_42_tight_security](#crs42)**|Protect against path-traversal attacks|
 |**[crs_45_trojans](#crs45)**|Protect against backdoor trojans|
 
+### Bot rules
+
+You can enable a managed bot protection rule set to take custom actions on requests from all bot   categories.
+
+|Rule group|Description|
+|---|---|
+|**[BadBots](#bot100)**|Protect against bad bots|
+|**[GoodBots](#bot200)**|Identify good bots|
+|**[UnknownBots](#bot300)**|Identify unknown bots|
+
 The following rule groups and rules are available when using Web Application Firewall on Application Gateway.
 
 # [OWASP 3.2](#tab/owasp32)
@@ -1114,6 +1124,33 @@ The following rule groups and rules are available when using Web Application Fir
 |950921|Backdoor access|
 |950922|Backdoor access|
 
+# [Bot rules](#tab/bot)
+
+## <a name="bot"></a> Bot Manager rule sets
+
+### <a name="bot100"></a> Bad bots
+|RuleId|Description|
+|---|---|
+|Bot100100|Malicious bots detected by threat intelligence|
+|Bot100200|Malicious bots that have falsified their identity|
+
+### <a name="bot200"></a> Good bots
+|RuleId|Description|
+|---|---|
+|Bot200100|Search engine crawlers|
+|Bot200200|Unverified search engine crawlers|
+
+### <a name="bot300"></a> Unknown bots
+|RuleId|Description|
+|---|---|
+|Bot300100|Unspecified identity|
+|Bot300200|Tools and frameworks for web crawling and attacks|
+|Bot300300|General purpose HTTP clients and SDKs|
+|Bot300400|Service agents|
+|Bot300500|Site health monitoring services|
+|Bot300600|Unknown bots detected by threat intelligence<br />(This rule also includes IP addresses matched to the Tor network.)|
+|Bot300700|Other bots|
+
 ---
 
 ## Next steps