The Bot Dashboard is a feature that extracts requests that match a specific use case within a given time period and identifies common characteristics from those requests. It is useful when a large number of requests are occurring and you want to extract shared values to use as conditions for blocking requests.

When used together with the AWS WAF Bot Control rule group, which is provided as an AWS managed rule, you can view information related to requests originating from bots.

To use this feature, a paid subscription to the Log Intelligence option is required.

Notes and Additional Information

This feature is available only when the Log Intelligence option has been added to your WafCharm account.
This feature is available only for WAF Configs using the Advanced Rule policy.
This feature is not available for WAF Configs using the Legacy Rule policy.
WAF log integration (new method) must be enabled in order to use this feature.
If you are not using the AWS WAF Bot Control rule group, bot-related items will not be displayed. In addition, the “Investigate bot-related requests” use case will not show any data.
If ASN or JA4 Fingerprint information is not present in the WAF logs, those items will not appear in the results.
If the [Change Options] button is not displayed, please contact your sales representative.

How to Configure

First, make sure that the Log Intelligence option is enabled. On the account page, if the Log Intelligence option shows [Subscribed], it indicates that the option is active. If it shows [Not Subscribed], it has not been enabled yet. In that case, please update your option settings from the account page.

Next, enable WAF log integration from the [Log and Notification Configuration] settings of the WAF Config. For details, see How to configure WAF log integration (new method) for AWS WAF v2 Advanced.

How to Use

To use the Bot Dashboard, click [Bot Dashboard] under [Analytics] in the left menu.

Screen Overview

In the [Log Extraction View], specify the target WAF Config, the use case for the WAF logs you want to extract, and the extraction period. Data that matches the specified conditions will appear under [Extraction Results]. Selecting an individual value from [Extraction Results] opens the [Detailed Analysis View].

About the Log Extraction View

The items displayed in the [Log Extraction View] are as follows.

Target WAF Config: Select the WAF Config to use. Only WAF Configs using the Advanced Rule policy and with WAF log integration enabled will be displayed.
Use Case: Select the condition for the WAF logs you want to extract. If no matching WAF logs exist, no data will be shown.
- Investigate high-volume request sources: Targets all requests that match the other specified conditions, such as the selected WAF Config and time period.
- Investigate bot-related requests: Targets requests that contain bot-related labels assigned by the AWS WAF Bot Control rule group and that match the other specified conditions, such as the selected WAF Config and time period.
- Investigate malicious-tagged requests: Targets requests that match WafCharm’s regular expression rules as well as the other specified conditions, such as the selected WAF Config and time period.
Extraction Period: Select the time range for the WAF logs to extract. You can choose from 1 hour, 24 hours, 7 days, 30 days, or any number of days from 1 to 60.
End Date & Time: Select the end date and time. Extraction is performed by going backward from the specified time for the duration selected in the Extraction Period. Clicking [Set to Current Date & Time] automatically inserts the current date and time.
Example: If you set the End Date & Time to November 1 at 10:00 and select an Extraction Period of 1 hour, the extracted WAF logs will be from 9:00 to 10:00 on November 1.

About the Extraction Results

The items shown in the [Extraction Results] are as follows.

Timeline: A timeline that plots the number of requests based on the WAF logs matching the extraction conditions. The X-axis represents the number of requests, and the Y-axis represents time intervals determined by the Extraction Period. The interval changes depending on the Extraction Period:
- 1 hour: every 5 minutes
- 24 hours / 1 day: every 1 hour
- Any period other than 1 day (7 days, 30 days, or 2–60 days): every 1 day
Aggregated Items
- Bot Identification Label: Top 10 ranking aggregated by the values of bot identification labels added by the AWS WAF Bot Control rule group, if present in the WAF logs.
- Bot Signal Label: Top 10 ranking aggregated by the values of bot signal labels added by the AWS WAF Bot Control rule group, if present.
- ASNs: Top 10 ranking aggregated by ASN, if ASN information is present in the WAF logs.
- Country Codes: Top 10 ranking aggregated by the country determined by AWS WAF (the country value in the WAF logs).
- JA4 Fingerprint: Top 10 ranking aggregated by JA4 fingerprint, if the JA4 fingerprint is present in the WAF logs.

Clicking any of the aggregated items (Bot Identification Label, Bot Signal Label, ASNs, Country Codes, or JA4 Fingerprints) updates the Timeline to reflect the data for the selected aggregate.

Additionally, clicking any aggregated value opens a list of the WAF logs matching that value in the right-hand panel, displayed as the [Detailed Analysis View].

If no applicable values exist for an aggregated item, [N/A] is shown. Items labeled [N/A] cannot be clicked.

About the Detailed Analysis View

The items shown in the [Detailed Analysis View] are as follows.

Search Conditions: Displays the conditions specified when running the extraction.
- Target WAF Config: Displays the name of the selected WAF Config.
- Extraction Period: Displays the extraction period based on the Extraction Period and End Date & Time selected.
- Selected Aggregated Item from the Extraction Results: Displays the value selected from one of the aggregated items (Bot Identification Label, Bot Signal Label, ASN, Country Code, or JA4 Fingerprint).
WAF Action: Shows the aggregated count of terminating actions based on the WAF logs that match the search conditions above.
Logs: Displays a list of WAF logs that match the search conditions above. Clicking a row opens the details for that WAF log. The WAF log details screen is the same as the one used in the WAF Log Search feature. For more information about the WAF log details screen, see Features available by enabling WAF log integration – About the Log List results.

About the [Copy Customization Inquiry Template] Button

If you would like to request a customization based on the extracted conditions, you can use the provided inquiry template, which includes the extraction conditions and other relevant information. After copying the template, paste it into the message field of the inquiry form, fill in the necessary details, and submit it.
For more information about customization, see About rule customization (AWS WAF v2).

For example, if the detection condition is set to Country Code = "US," the following template will be copied to your clipboard.

The name of the target WAF Config and the detection condition (in this example, the country "US") are pre-filled. Please complete the remaining fields before submitting your inquiry.

- Target WAF Config: "{selected WAF Config name}"
- Detection Condition: Country Codes = "US"
- [Optional] Additional Conditions: (e.g., URI, headers, etc.; multiple values allowed)
- Rule Action: (Choose one: Count, Block, CAPTCHA, Challenge, or Allow)

For rate-based rules, please also provide the following:
- Rate Limit: (Valid range: 10 to 2,000,000,000)
- Evaluation Window: (Valid values: 1, 2, 5, or 10 minutes)
- Request Aggregation: (e.g., Source IP, IP address in header, etc.)

If you want to block requests where the country is “US” and the URI begins with “/example,” adjust the template as shown below. Since this is not a rate-based rule, the section beginning with “For rate-based rules, please also provide the following:” has been removed.

- Target WAF Config: "{selected WAF Config name}"
- Detection Condition: Country Codes = "US"
[Optional] Additional Conditions: URI begins with "/example"
- Rule Action: Block

If you want to enforce the restriction using a rate-based rule, please fill out the template as shown below. In this case, the filtering (scope-down) conditions remain “country is ‘US’ and URI begins with ‘/example’,” but the template will also include rate-based rule–specific settings such as the threshold and the aggregation key.

- Target WAF Config: "{selected WAF Config name}"
- Detection Condition: Country Codes = "US"
[Optional] Additional Conditions: URI begins with "/example"
- Rule Action: Block

For rate-based rules, please also provide the following:
- Rate Limit: 100
- Evaluation Window: 5 minutes
- Request Aggregation: Source IP

If multiple WAF Configs are involved, please list all applicable WAF Config names next to “Target WAF Config.”

Because this is only a template, feel free to include any additional conditions you would like to combine. Please provide as much detail as possible about what you want to achieve when submitting your inquiry. It is not necessary to follow the template format exactly.

Notes About the [Copy Customization Inquiry Template] Button

This button copies a template that you can use when submitting a customization inquiry. Clicking the button does not apply any customization.
Please note that we may ask you to reconfirm the information you provide in the template to avoid any misunderstandings.
Clicking this button does not send an inquiry. Please submit your inquiry separately through the inquiry form.

About Bot Dashboard