Merge pull request #285509 from vhorne/waf-bm1.1

Updates for bot manager 1.1

Author: Stacyrch140

articles/web-application-firewall/ag/ag-overview.md

@@ -111,18 +111,22 @@ Three bot categories are supported:
 
 - **Bad**
 
-   Bad bots include bots from malicious IP addresses and bots that falsify their identities. Bad bots with malicious IPs are sourced from the Microsoft Threat Intelligence feed’s high confidence IP Indicators of Compromise.
+  Bad bots are bots with malicious IP addresses and bots that have falsified their identities. Bad bots includes malicious IP addresses that are sourced from the Microsoft Threat Intelligence feed’s high confidence IP Indicators of Compromise and IP reputation feeds. Bad bots also include bots that identify themselves as good bots but their IP addresses don’t belong to legitimate bot publishers.
 - **Good**
 
-   Good bots include validated search engines such as Googlebot, bingbot, and other trusted user agents.
+   Good Bots are trusted user agents. Good bot rules are categorized into multiple categories to provide granular control over WAF policy configuration. These categories include:
+   - verified search engine bots (such as Googlebot and Bingbot)
+   - validated link checker bots
+   - verified social media bots (such as Facebookbot and LinkedInBot)
+   - verified advertising bots
+   - verified content checker bots
+   - validated miscellaneous bots
 
 - **Unknown**
 
-   Unknown bots are classified via published user agents without more validation. For example, market analyzer, feed fetchers, and data collection agents. Unknown bots also include malicious IP addresses that are sourced from Microsoft Threat Intelligence feed’s medium confidence IP Indicators of Compromise.
+   Unknown bots are user agents without additional validation. Unknown bots also include malicious IP addresses that are sourced from Microsoft Threat Intelligence feed’s medium confidence IP Indicators of Compromise.
 
-The WAF platform actively manages and dynamically updates bot signatures.
-
-:::image type="content" source="../media/ag-overview/bot-rule-set.png" alt-text="Screenshot of bot rule set.":::
+The WAF platform actively manages and dynamically updates the bot signatures.
 
 You can assign Microsoft_BotManagerRuleSet_1.0 by using the **Assign** option under **Managed Rulesets**:
 
@@ -132,6 +136,7 @@ When Bot protection is enabled, it blocks, allows, or logs incoming requests tha
 
 You can access WAF logs from a storage account, event hub, log analytics, or send logs to a partner solution.
 
+For more information about Application Gateway bot protection, see [Azure Web Application Firewall on Azure Application Gateway bot protection overview](bot-protection-overview.md).
 
 ### WAF modes
 

articles/web-application-firewall/ag/application-gateway-crs-rulegroups-rules.md

@@ -224,15 +224,25 @@ CRS 2.2.9 includes 10 rule groups, as shown in the following table. Each group c
 |**[crs_42_tight_security](#crs42)**|Protect against path-traversal attacks|
 |**[crs_45_trojans](#crs45)**|Protect against backdoor trojans|
 
-### Bot rules
+### Bot Manager 1.0
 
-You can enable a managed bot protection rule set to take custom actions on requests from all bot categories.
+The Bot Manager 1.0 rule set provides protection against malicious bots and detection of good bots. The rules provide granular control over bots detected by WAF by categorizing bot traffic as Good, Bad, or Unknown bots. 
 
-|Rule group name|Description|
+|Rule group|Description|
 |---|---|
-|**[BadBots](#bot100)**|Protect against bad bots|
-|**[GoodBots](#bot200)**|Identify good bots|
-|**[UnknownBots](#bot300)**|Identify unknown bots|
+|[BadBots](#bot100)|Protect against bad bots|
+|[GoodBots](#bot200)|Identify good bots|
+|[UnknownBots](#bot300)|Identify unknown bots|
+
+### Bot Manager 1.1
+
+The Bot Manager 1.1 rule set is an enhancement to Bot Manager 1.0 rule set. It provides enhanced protection against malicious bots, and increases good bot detection.
+
+|Rule group|Description|
+|---|---|
+|[BadBots](#bot11-100)|Protect against bad bots|
+|[GoodBots](#bot11-200)|Identify good bots|
+|[UnknownBots](#bot11-300)|Identify unknown bots|
 
 The following rule groups and rules are available when using Web Application Firewall on Application Gateway.
 
@@ -1483,18 +1493,18 @@ The following rule groups and rules are available when using Web Application Fir
 |950921|Backdoor access|
 |950922|Backdoor access|
 
-# [Bot rules](#tab/bot)
+# [Bot Manager 1.0](#tab/bot)
 
-## <a name="bot"></a> Bot Manager rule sets
+## <a name="bot"></a> 1.0 rule sets
 
 ### <a name="bot100"></a> Bad bots
 |RuleId|Description|
 |---|---|
 |Bot100100|Malicious bots detected by threat intelligence|
 |Bot100200|Malicious bots that have falsified their identity|
-
- Bot100100 scans both client IP addresses and the IPs in the X-Forwarded-For header.
 
+ Bot100100 scans both client IP addresses and IPs in the `X-Forwarded-For` header.
+
 ### <a name="bot200"></a> Good bots
 |RuleId|Description|
 |---|---|
@@ -1506,13 +1516,50 @@ The following rule groups and rules are available when using Web Application Fir
 |---|---|
 |Bot300100|Unspecified identity|
 |Bot300200|Tools and frameworks for web crawling and attacks|
-|Bot300300|General purpose HTTP clients and SDKs|
+|Bot300300|General-purpose HTTP clients and SDKs|
 |Bot300400|Service agents|
 |Bot300500|Site health monitoring services|
 |Bot300600|Unknown bots detected by threat intelligence|
 |Bot300700|Other bots|
 
-  Bot300600 scans both client IP addresses and the IPs in the X-Forwarded-For header.
+Bot300600 scans both client IP addresses and IPs in the `X-Forwarded-For` header.
+
+# [Bot Manager 1.1](#tab/bot11)
+
+## <a name="bot11"></a> 1.1 rule sets
+
+### <a name="bot11-100"></a> Bad bots
+|RuleId|Description|
+|---|---|
+|Bot100100|Malicious bots detected by threat intelligence|
+|Bot100200|Malicious bots that have falsified their identity|
+|Bot100300|High risk bots detected by threat intelligence|
+ 
+ Bot100100 scans both client IP addresses and IPs in the `X-Forwarded-For` header.
+
+### <a name="bot11-200"></a> Good bots
+|RuleId|Description|
+|---|---|
+|Bot200100|Search engine crawlers|
+|Bot200200|Verified miscellaneous bots|
+|Bot200300|Verified link checker bots|
+|Bot200400|Verified social media bots|
+|Bot200500|Verified content fetchers|
+|Bot200600|Verified feed fetchers|
+|Bot200700|Verified advertising bots|
+
+### <a name="bot11-300"></a> Unknown bots
+|RuleId|Description|
+|---|---|
+|Bot300100|Unspecified identity|
+|Bot300200|Tools and frameworks for web crawling and attacks|
+|Bot300300|General-purpose HTTP clients and SDKs|
+|Bot300400|Service agents|
+|Bot300500|Site health monitoring services|
+|Bot300600|Unknown bots detected by threat intelligence. This rule also includes IP addresses matched to the Tor network.|
+|Bot300700|Other bots|
+
+Bot300600 scans both client IP addresses and IPs in the `X-Forwarded-For` header.
 
 ---
 

articles/web-application-firewall/ag/bot-protection-overview.md

@@ -18,7 +18,7 @@ You can enable a managed bot protection rule set for your WAF to block or log re
 
 ## Use with OWASP rulesets
 
-You can use the Bot Protection ruleset alongside any of the OWASP rulesets with the Application Gateway WAF v2 SKU. Only one OWASP ruleset can be used at any given time. The bot protection ruleset contains another rule that appears in its own ruleset. It's titled **Microsoft_BotManagerRuleSet_1.0**, and you can  enable or disable it like the other OWASP rules.
+You can use the Bot Protection ruleset alongside any of the OWASP rulesets with the Application Gateway WAF v2 SKU. Only one OWASP ruleset can be used at any given time. The bot protection ruleset contains another rule that appears in its own ruleset. It's titled **Microsoft_BotManagerRuleSet_1.1**, and you can  enable or disable it like the other OWASP rules.
 
 :::image type="content" source="../media/bot-protection-overview/bot-ruleset.png" alt-text="Screenshot show bot protection ruleset." lightbox="../media/bot-protection-overview/bot-ruleset.png":::