L7 Access Logs
This section provides detailed field descriptions for Layer 7 access logs (including Site Acceleration logs, Rate Limiting and CC Attack Protection logs, Custom Rule logs, and Bot Management logs).
Note:
Beta notice: Real-time site-acceleration logs that include the full set of L7 request logs (including L7 protection block logs) are currently in beta. If you need this feature, please contact us.
Rate Limiting and CC Attack Protection logs, Custom Rule logs, and Bot Management logs will be deprecated. We recommend that you use Site Acceleration logs to obtain full L7 protection logs.
Field Description
General Information
Field Name | Data Type | Description | Whether Supported in Offline Logs | Whether Supported in Real-Time Logs |
ContentID | String | A content identifier associated with the request, used to identify specific traffic and content subsets on the EO platform for billing, reporting, and monitoring. If the request is associated with a content identifier, the value is eocontentid; otherwise, it is zoneid. | ✓ | ✓ |
EdgeEndTime | Timestamp ISO8601 | The time when the response to the client request is completed. Example: 2024-10-14T05:13:43Z, which represents 05:13:43 on October 14, 2024, in the UTC+0 time zone, equivalent to 13:13:43 on October 14, 2024, in the UTC+8 time zone (Beijing time). | ✕ | ✓ |
EdgeFunctionSubrequest | Integer | Indicates whether this log entry belongs to a subrequest initiated by an edge function. Possible values are: 1: Subrequests initiated by Edge Functions. 0: Subrequests not initiated by Edge Functions. | ✓ | ✓ |
LogTime | Timestamp ISO8601 | The time when the log is generated. Example: 2024-10-14T05:13:43Z. | ✕ | ✓ |
ParentRequestID | String | Records the RequestID of the parent request when this request is initiated by an edge function; otherwise, records "-". | ✓ | ✓ |
RequestID | String | The unique identifier of the client request. | ✓ | ✓ |
Client Information
Field Name | Data Type | Description | Whether Supported in Offline Logs | Whether Supported in Real-Time Logs |
ClientASN | String | | ✕ | ✓ |
ClientASNDescription | String | The name of the carrier/organization to which the client IP address belongs, corresponding to the value of the ClientASN field. | ✕ | ✓ |
ClientConnectionID | String | The unique identifier for the connection between the client and the edge node. Example value: 5692760165714882237. | ✕ | ✓ |
ClientDeviceType | String | The type of the client request device. Valid values are: TV: Television; Tablet: Tablet computer; Mobile: Mobile phone; Desktop: Desktop computer; Other: Other. | ✕ | ✓ |
ClientIP | String | The client IP address that establishes a connection with the EdgeOne node. | ✓ | ✓ |
ClientISP | String | The carrier information parsed from the client IP address. This field is deprecated. It is recommended to use ClientASN and ClientASNDescription as alternatives. Data from the Chinese mainland is recorded as the Chinese name of the ISP. Data from the global area (excluding the Chinese mainland) is recorded as the Autonomous System Number (ASN). | ✓ | ✓ |
ClientPort | Integer | The client port used to establish a connection with the EdgeOne node. | ✕ | ✓ |
ClientRegion | String | | ✓ | ✓ |
ClientState | String | The administrative division at the sub-national level parsed from the client IP address. Currently, only data within the Chinese mainland is supported. Format standard: ISO-3166-2. | ✓ | ✓ |
Request Information
Field Name | Data Type | Description | Whether Supported in Offline Logs | Whether Supported in Real-Time Logs |
RemotePort | Integer | The port on the EdgeOne node used to establish a connection with the client under the TCP protocol. | ✓ | ✓ |
RequestBodyBytes | Integer | The size of the request body sent from the client to the EdgeOne node, in bytes. | ✕ | ✓ |
RequestBytes | Integer | The total traffic sent from the client to the EdgeOne node during the request process, calculated based on the request header size, request body size, and data sent from the client to the EdgeOne node during the SSL handshake. Unit: Byte. | ✓ | ✓ |
RequestHost | String | The Host specified in the client request. | ✓ | ✓ |
RequestMethod | String | The HTTP Method of the client request. Valid values are: GET, POST, HEAD, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH. | ✓ | ✓ |
RequestProtocol | String | The application-layer protocol used by the client request. Valid values are: HTTP/1.0, HTTP/1.1, HTTP/2.0, HTTP/3, WebSocket. | ✓ | ✓ |
RequestRange | String | Client request Range. | ✓ | ✓ |
RequestReferer | String | Client request Referer. | ✓ | ✓ |
RequestScheme | String | The HTTP protocol used by the client request. Valid values are: HTTP, HTTPS. | ✕ | ✓ |
RequestSSLProtocol | String | The SSL (TLS) protocol used by the client. A value of "-" indicates that the request had no SSL handshake. Valid values are: TLS1.0, TLS1.1, TLS1.2, TLS1.3. | ✕ | ✓ |
RequestStatus | String | The status of the client request. For requests using the WebSocket protocol, EdgeOne periodically prints logs, and you can use this field to determine the connection status. Valid values are: 0: Not ended. 1: The request ended normally. 2: Under the WebSocket protocol, it indicates the first log of the same connection. 3: Under the WebSocket protocol, it indicates a log from the same connection that is neither the first nor the last. | ✓ | ✓ |
RequestTime | Timestamp ISO8601 | The time when the EdgeOne node receives the client request. Time zone: UTC +0. Example: 2024-10-14T05:13:43Z | ✓ | ✓ |
RequestUA | String | The User-Agent information in the client request. | ✓ | ✓ |
RequestUrl | String | The URL Path of the client request, excluding query parameters. | ✓ | ✓ |
RequestUrlQueryString | String | The query parameters carried by the URL in the client request. | ✓ | ✓ |
Response Information
Field Name | Data Type | Description | Whether Supported in Offline Logs | Whether Supported in Real-Time Logs |
EdgeCacheStatus | String | Whether the client request hits the node cache. Valid values are: hit: The request hits the EdgeOne node cache, and the resource is served from the node cache. A partial cache hit is also recorded as hit. miss: The request misses the EdgeOne node cache, and the resource is served from the origin. dynamic: The requested resource cannot be cached or is not configured to be cached by the node, and the resource is served from the origin. other: An unrecognizable cache state. Requests responded to by Edge Functions are recorded as other. | ✓ | ✓ |
EdgeInternalTime | Integer | The time elapsed from when EdgeOne receives a request from the client to when it sends the first byte of the response to the client, in milliseconds. | ✓ | ✓ |
EdgeResponseBodyBytes | Integer | The size of the response body returned from the node to the client, in bytes. | ✓ | ✓ |
EdgeResponseBytes | Integer | The total traffic returned from the node to the client, calculated based on the response header size, response body size, and data sent from the EdgeOne node to the client during the SSL handshake. Unit: Byte. | ✓ | ✓ |
EdgeResponseStatusCode | Integer | The status code returned from the node response to the client. | ✓ | ✓ |
EdgeResponseTime | Integer | The time elapsed from when EdgeOne receives a request from the client to when it sends the last byte of the response to the client, in milliseconds. | ✓ | ✓ |
Edge Server Information
Field Name | Data Type | Description | Whether Supported in Offline Logs | Whether Supported in Real-Time Logs |
EdgeException | String | Describes the issues encountered when the EO edge node processes a request. For the meaning of field values, see EdgeException Field Description. | ✕ | ✓ |
EdgeServerID | String | The unique identifier for the EdgeOne server accessed by the client. Example value: 28a1672eeaa86c145501d3950bff06cc-501d3fb0abce346ac9a5598b665bfcfe. | ✓ | ✓ |
EdgeServerIP | String | The EdgeOne server IP address obtained by resolving the Host via DNS. | ✓ | ✓ |
EdgeServerRegionTopDivision | String | The administrative division at the sub-national level parsed from the edge server access IP address. Currently, only data within the Chinese mainland is supported. Format standard: ISO-3166-2. | ✕ | ✓ |
EdgeSeverRegion | String | The country/region parsed from the edge server access IP address. For the format standard, refer to: ISO 3166-1 alpha-2. | ✕ | ✓ |
Origin Server Information
Note:
When the EdgeCacheStatus is miss or dynamic: The origin server information field reflects the actual origin-pull request information.
When the EdgeCacheStatus is hit: The origin server information field may display the origin information from the node cache, which does not represent the actual origin-pull request scenario.
Field Name | Data Type | Description | Whether Supported in Offline Logs | Whether Supported in Real-Time Logs |
OriginDNSResponseDuration | Float | The time taken to receive the DNS resolution response from the origin server. If no value is obtained, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginDomain | String | The destination origin domain name or IP address in an origin-pull request. Recorded only when the origin address is configured as an IP address/domain name. | ✕ | ✓ |
OriginIP | String | The origin IP address accessed during origin fetching. If no value is obtained, it is recorded as "-". | ✕ | ✓ |
OriginRequestHeaderSendDuration | Float | The time taken to send the request header to the origin server. It is usually 0. If no value is obtained, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginResponseHeaderDuration | Float | The time taken from sending the request header to receiving the response header from the origin server. If no value is obtained, it is recorded as -1. Unit: ms. | ✕ | ✓ |
OriginResponseStatusCode | Integer | The origin response status code. If no value is obtained, it is recorded as -1. | ✕ | ✓ |
OriginSSLProtocol | String | The SSL protocol version used for requesting the origin server. If no value is obtained, it is recorded as "-". Possible values are: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3. | ✕ | ✓ |
OriginTCPHandshakeDuration | Float | The time taken to complete the TCP handshake when the origin server is requested. If no value is obtained, it is recorded as -1. Unit: ms. Note: It is 0 when the connection is reused. | ✕ | ✓ |
OriginTLSHandshakeDuration | Float | The time taken to complete the TLS handshake when the origin server is requested. If no value is obtained or the origin-fetching protocol is HTTP, it is recorded as -1. Unit: ms. Note: It is 0 when the connection is reused. | ✕ | ✓ |
Security Protection Information
Field Name | Data Type | Description | Whether Supported in Offline Logs | Whether Supported in Real-Time Logs |
BotCharacteristic | String | The characteristics of the request identified by the EO Bot intelligent analysis engine. This field is only provided for domains that have enabled the Bot Management - Bot Intelligent Analysis feature. For the meaning of field values, see BotCharacteristic Field Description. | ✕ | ✓ |
BotClassAccountTakeOver | String | Risk level of the client IP address for malicious login cracking and account takeover attacks, based on recent IP intelligence data. Possible values are: high: High risk. medium: Medium risk. low: General risk. -: No historical data exists, or the Client Reputation feature is not enabled for the domain. | ✕ | ✓ |
BotClassAttacker | String | Risk level of the client IP address for attack behaviors (such as DDoS, high-frequency malicious requests, and site attacks), based on recent IP address intelligence data. Possible values are: high: High risk. medium: Medium risk. low: General risk. -: No historical data exists, or the Client Reputation feature is not enabled for the domain. | ✕ | ✓ |
BotClassMaliciousBot | String | Risk level of the client IP address for malicious crawler, traffic flooding, and brute-force cracking behaviors, based on recent IP address intelligence data. Possible values are: high: High risk. medium: Medium risk. low: General risk. -: No historical data exists, or the Client Reputation feature is not enabled for the domain. | ✕ | ✓ |
BotClassProxy | String | Risk level of the client IP address for opening suspicious proxy ports and being used as a network proxy (including second-dial IPs), based on recent IP address intelligence data. Possible values are: high: High risk. medium: Medium risk. low: General risk. -: No historical data exists, or the Client Reputation feature is not enabled for the domain. | ✕ | ✓ |
BotClassScanner | String | Risk level of the client IP address for scanner behaviors that attack known vulnerabilities, based on recent IP intelligence data. Possible values are: high: High risk. medium: Medium risk. low: General risk. -: No historical data exists, or the Client Reputation feature is not enabled for the domain. | ✕ | ✓ |
BotTag | String | The request classification determined by the EO Bot intelligent analysis engine based on factors such as request rate and IP address intelligence database. This field is only provided for domains that have enabled the Bot Management - Bot Intelligent Analysis feature. Possible values are: evil_bot: Malicious Bot request. suspect_bot: Suspected Bot request. good_bot: Normal Bot request. normal: Normal request. -: Unclassified. | ✕ | ✓ |
ChallengeState | String | Status of the client request during the challenge process after it hits a security rule. Possible values are: JSChallengeIssued: A JavaScript challenge is triggered. JSChallengeSolved: The client completed the JavaScript challenge, and the request is allowed in this handling. JSChallengeBypassed: The request is allowed in this handling, and no challenge is issued because the client previously completed the JavaScript challenge and is within the allowlist validity period. ManagedChallengeIssued: A managed challenge is triggered. ManagedChallengeSolved: The client completed the managed challenge, and the request is allowed in this handling. ManagedChallengeBypassed: The request is allowed in this handling, and no challenge is issued because the client previously completed the managed challenge and the current request carries a valid token. | ✕ | ✓ |
ClientAttestationResultDetails | String | Used to identify the detailed result of client attestation. This field is only provided for domains that have enabled the Bot Management - Client Attestation feature. Sample value: attest-0000323704_80_passed_TC-CAPTCHA-C-601/-1|CipNotMatch/-1,webview. Hierarchical information is separated by specific characters: First level: The authentication records and the client type are separated by a comma (,). This indicates that the request source used authentication corresponding to the client type. Second level: Multiple independent authentication records are separated by the & symbol. Third level: The detailed information of each authentication record is separated by underscores (_) and includes the following in order: Authentication Method ID: Indicates the ID of the specific authentication method used. Authentication Result Score: The risk score of the authentication record. Authentication Result: The reference conclusion of the authentication, such as passed or failed. Authentication Result Details (fourth level): Contains more detailed authentication information. Fourth level: The authentication result details are separated by a slash (/), and the structure is as follows: Authentication Result Details ID / Authentication Exception ID: The detailed risk Tag ID identified during the authentication process. It includes different prefixes to distinguish between different authentication sources. For example, in "TC-CAPTCHA-C-601", "TC-CAPTCHA" corresponds to Tencent Cloud Captcha, and 601 is the specific risk Tag ID. Furthermore, when an authentication record is abnormal (for example, the authentication record has expired or become invalid, or the authentication client information does not match), the authentication result details also display the corresponding exception reason. For example, CipNotMatch is used to indicate a client IP address mismatch. Other Authentication Details (Reserved): This part is a reserved field used to carry other risk control details in the authentication result. Please ignore the data in this field. Fifth level: Multiple authentication result detail items are separated by a vertical bar (|). | ✕ | ✓ |
JA3Hash | String | The MD5 hash value of the JA3 fingerprint for analyzing SSL/TLS clients. This field is only provided for domains that have enabled Bot Management. | ✕ | ✓ |
JA4Fingerprint | String | The JA4 fingerprint information for analyzing SSL/TLS clients. This field is only provided for domains that have enabled Bot Management. | ✕ | ✓ |
SecurityAction | String | The final action taken after a request hits a security rule. Possible values are: -: Unknown/Not matched; Monitor: Log only; JSChallenge: JavaScript challenge; Deny: Block the request; Allow: Let the request pass; BlockIP: Ban the client IP; Redirect: Send HTTP redirect; ReturnCustomPage: Return a custom page; ManagedChallenge: Platform-managed challenge; Silence: Drop the request silently; LongDelay: Respond after a long delay; ShortDelay: Respond after a short delay. | ✕ | ✓ |
SecurityMatchingRules | String | A list of all Web Security rule information hit by the current request, presented as a JSON array string. Each object in the array represents a hit rule, arranged in the order of rule matching, and contains the hit rule ID, rule description, module to which the rule belongs, and action information. For the values, refer to the descriptions of the SecurityRuleID, SecurityRuleDescription, SecurityModule, and SecurityAction fields. Sample value:
| ✕ | ✓ |
SecurityModule | String | The name of the security module that performs the final action on the request, corresponding to SecurityAction. Possible values are: -: Unknown/Not matched; CustomRule: Custom rule; RateLimitingCustomRule: Rate limiting rule; ManagedRule: Managed rule; FrequentScanningProtection: Frequent scanning protection; L7DDoS: HTTP DDoS attack protection, which includes the adaptive frequency control and intelligent client filtering features; BandwidthAbuseProtection: Bandwidth abuse protection; BotCaptchaPage: Bot Management - Captcha Page; BotManagement: Bot Management - Bot Basic Feature Management; BotClientReputation: Bot Management - Client Reputation; BotBehaviorAnalysis: Bot Management - Bot Intelligent Analysis; BotCustomRule: Bot Management - Custom Bot Rule; BotActiveDetection: Bot Management - Active Detection. | ✕ | ✓ |
SecurityRuleDescription | String | The description related to the security rule that performs the final action on the request, corresponding to SecurityRuleID. It only contains the names of the following rule types: CustomRule (custom rule), RateLimitingCustomRule (rate limiting rule), BotCustomRule (custom Bot rule), BotActiveDetection (Bot active detection rule), ManagedRule (managed rule, the value is the description of the rule group to which it belongs). Other rule types are recorded as -. | ✕ | ✓ |
SecurityRuleID | String | The security rule ID for the final action on the request, corresponding to SecurityAction. | ✕ | ✓ |
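The five-level layout of ClientAttestationResultDetails described in the table above can be unpacked as follows. This is an added example, not EdgeOne code: the function and class names are hypothetical, the treatment of "-" as "no attestation data" follows the log sample on this page, and the set of exception reasons contains only the one value the page names.

```python
from dataclasses import dataclass
from typing import List, Optional

# Exception reasons named on this page; extend with values seen in your own logs.
EXCEPTION_REASONS = {"CipNotMatch"}


@dataclass
class DetailItem:
    tag: str       # risk tag ID (e.g. "TC-CAPTCHA-C-601") or exception reason
    reserved: str  # part after "/"; the field description says to ignore it


@dataclass
class AttestationRecord:
    method_id: str
    score: Optional[int]
    result: str
    details: List[DetailItem]


@dataclass
class AttestationResult:
    client_type: str
    records: List[AttestationRecord]


def parse_details(text: str) -> List[DetailItem]:
    items = []
    for part in text.split("|"):                # fifth level: "|" between items
        if part:
            tag, _, reserved = part.partition("/")  # fourth level: "/" inside an item
            items.append(DetailItem(tag, reserved))
    return items


def parse_record(text: str) -> AttestationRecord:
    # Third level: "_" between method ID, score, result and details.
    # maxsplit=3 keeps the details part whole (assumption: the first three
    # parts never contain "_").
    fields = text.split("_", 3)
    if len(fields) < 3:
        raise ValueError(f"malformed attestation record: {text!r}")
    method_id, score_text, result = fields[:3]
    try:
        score = int(score_text)
    except ValueError:
        score = None
    details = parse_details(fields[3]) if len(fields) == 4 else []
    return AttestationRecord(method_id, score, result, details)


def parse_attestation(value: str) -> Optional[AttestationResult]:
    value = value.strip()
    if value in ("", "-"):
        return None
    # First level: the client type follows the last ",".
    records_text, sep, client_type = value.rpartition(",")
    if not sep:
        raise ValueError("missing ',<client type>' suffix")
    # Second level: "&" between independent records.
    records = [parse_record(r) for r in records_text.split("&") if r]
    return AttestationResult(client_type, records)


def needs_review(result: AttestationResult) -> List[str]:
    """Method IDs whose record did not pass or carries an exception reason."""
    flagged = []
    for rec in result.records:
        abnormal = any(d.tag in EXCEPTION_REASONS for d in rec.details)
        if rec.result != "passed" or abnormal:
            flagged.append(rec.method_id)
    return flagged


# Sample value quoted in the field description above.
PAGE_SAMPLE = "attest-0000323704_80_passed_TC-CAPTCHA-C-601/-1|CipNotMatch/-1,webview"
# Constructed value with two records, to exercise the "&" level.
TWO_RECORDS = ("attest-0000000001_10_passed_TC-CAPTCHA-C-601/-1"
               "&attest-0000000002_90_failed_CipNotMatch/-1,webview")
```

In the page's sample value the record is marked passed yet still carries CipNotMatch, so `needs_review` flags it; checking only the result part would miss that.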
Reference
Log Samples
The following is an example of a single Layer 7 access log record in the default format. You can customize the EdgeOne log output format according to the specific requirements of your downstream log analysis system. For more information, see Custom Log Output Format.
{"ContentID": "zone-2mxigizoh600","EdgeEndTime": "2024-10-13T23:30:39Z","EdgeFunctionSubrequest": 0,"LogTime": "2024-10-13T23:30:39Z","ParentRequestID": "-","RequestID": "13719873400522703510","ClientASN": "AS4816","ClientASNDescription": "China Telecom","ClientConnectionID": "5692760165714882237","ClientDeviceType": "Desktop","ClientIP": "0.0.0.0","ClientISP": "-","ClientPort": 62389,"ClientRegion": "CN","ClientState": "CN-LN","RemotePort": 80,"RequestBodyBytes": 0,"RequestBytes": 769,"RequestHost": "www.example.com","RequestMethod": "GET","RequestProtocol": "HTTP/1.1","RequestRange": "-","RequestReferer": "-","RequestScheme": "HTTPS","RequestSSLProtocol": "TLS1.3","RequestStatus": "1","RequestTime": "2024-10-13T23:30:39Z","RequestUA": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","RequestUrl": "/app/","RequestUrlQueryString": "-","EdgeCacheStatus": "miss","EdgeInternalTime": 378,"EdgeResponseBodyBytes": 548,"EdgeResponseBytes": 825,"EdgeResponseStatusCode": 404,"EdgeResponseTime": 379,"EdgeException": "client_request_exception.upstream_failed","EdgeServerID": "b3da9837137ad37f8e430b1d6de51dc5-d41d8cd98f00b204e9800998ecf8427e","EdgeServerIP": "0.0.0.0","EdgeServerRegionTopDivision": "CN-LN","EdgeSeverRegion": "US","OriginDNSResponseDuration": 0.0,"OriginDomain": "origin.example.com","OriginIP": "0.0.0.0","OriginRequestHeaderSendDuration": 0.001,"OriginResponseHeaderDuration": 182.676,"OriginResponseStatusCode": 404,"OriginSSLProtocol": "TLS1.2","OriginTCPHandshakeDuration": 182.485,"OriginTLSHandshakeDuration": 0,"BotCharacteristic": "-","BotClassAccountTakeOver": "-","BotClassAttacker": "-","BotClassMaliciousBot": "-","BotClassProxy": "-","BotClassScanner": "-","BotTag": "normal","ChallengeState": "-","ClientAttestationResultDetails": "-","JA3Hash": "1aff7135b7ef63d5ab35602cfee4fe66","JA4Fingerprint": "t13d1516h2_8daaf6152771_b0da82dd1658","SecurityAction": 
"Monitor","SecurityMatchingRules": "[{\"RuleID\":\"2186248347\",\"Action\":\"Monitor\",\"Module\":\"CustomRule\",\"RuleDescription\":\"block-malicious-ua\"},{\"RuleID\":\"2186248348\",\"Action\":\"Monitor\",\"Module\":\"CustomRule\",\"RuleDescription\":\"rate-limit-api\"}]","SecurityModule": "CustomRule","SecurityRuleDescription": "rate-limit-api","SecurityRuleID": "2186248348"}
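A record like the one above needs three decoding steps before it is safe to aggregate: SecurityMatchingRules is a JSON array serialized inside a JSON string, "-" and -1 are placeholders rather than values, and EdgeException packs two parts into one string (see EdgeException Field Descriptions). The following is an added example, not EdgeOne code; the function names are hypothetical, the record is a constructed subset of the sample above, and treating "-" in SecurityMatchingRules as "no rule matched" is an assumption.

```python
import json

# Origin fields for which the tables above define -1 as "no value obtained".
ORIGIN_NUMERIC = {
    "OriginDNSResponseDuration", "OriginRequestHeaderSendDuration",
    "OriginResponseHeaderDuration", "OriginResponseStatusCode",
    "OriginTCPHandshakeDuration", "OriginTLSHandshakeDuration",
}


def normalise(record):
    """Map the "-" and -1 placeholders to None so they cannot skew
    averages or appear as a real group-by key."""
    out = {}
    for key, value in record.items():
        if value == "-" or (key in ORIGIN_NUMERIC and value == -1):
            out[key] = None
        else:
            out[key] = value
    return out


def split_edge_exception(value):
    """[Request Phase].[Exception Description] -> (phase, description)."""
    if value in (None, "", "-", "no_exception"):
        return (None, None)
    phase, _, description = value.partition(".")
    return (phase, description or None)


def decode_matching_rules(value):
    """Decode the JSON array that is stored as a string inside the record."""
    if value in (None, "", "-"):  # assumption: placeholder when nothing matched
        return []
    rules = json.loads(value)
    if not isinstance(rules, list):
        raise ValueError("SecurityMatchingRules is not a JSON array")
    return rules


def security_summary(line):
    """One-record summary: rule chain in matching order, final verdict,
    and where the final rule sits in that chain."""
    rec = normalise(json.loads(line))
    rules = decode_matching_rules(rec.get("SecurityMatchingRules"))
    final_id = rec.get("SecurityRuleID")
    final_pos = next(
        (i for i, r in enumerate(rules) if r.get("RuleID") == final_id), None)
    phase, description = split_edge_exception(rec.get("EdgeException"))
    return {
        "request_id": rec.get("RequestID"),
        "rule_chain": [(r.get("RuleID"), r.get("Module"), r.get("Action"))
                       for r in rules],
        "final_action": rec.get("SecurityAction"),
        "final_module": rec.get("SecurityModule"),
        "final_rule_position": final_pos,
        "challenge_state": rec.get("ChallengeState"),
        "exception_phase": phase,
        "exception": description,
        "origin_status": rec.get("OriginResponseStatusCode"),
    }


# Constructed record: a subset of the fields and values of the sample above.
SAMPLE_LINE = json.dumps({
    "RequestID": "13719873400522703510",
    "EdgeException": "client_request_exception.upstream_failed",
    "OriginResponseStatusCode": 404,
    "OriginTLSHandshakeDuration": 0,
    "ChallengeState": "-",
    "SecurityAction": "Monitor",
    "SecurityMatchingRules": json.dumps([
        {"RuleID": "2186248347", "Action": "Monitor",
         "Module": "CustomRule", "RuleDescription": "block-malicious-ua"},
        {"RuleID": "2186248348", "Action": "Monitor",
         "Module": "CustomRule", "RuleDescription": "rate-limit-api"},
    ]),
    "SecurityModule": "CustomRule",
    "SecurityRuleID": "2186248348",
})

if __name__ == "__main__":
    print(json.dumps(security_summary(SAMPLE_LINE), indent=2))
```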
EdgeException Field Descriptions
Field format: [Request Phase].[Exception Description]
If no exception occurs, the field value is no_exception.
Request Phase
Value in Request Phase | Meaning |
client_request_exception | An exception occurs when the client initiates a request to the EdgeOne edge node. |
edge_response_exception | An exception occurs when the EdgeOne edge node responds to the client's request. |
Exception Description
Note:
The following list includes only common exceptions. EdgeOne may add descriptions for new exceptions in the future.
Exception Value | Meaning |
timeout | Timeout |
peer_close | The peer is closed (determined by whether a FIN packet is received). For the EdgeOne edge server, the peer refers to the client. |
closed | Closed by the local end |
read_buffer_full | Read buffer full |
package_write_failed | Write failure (UDP only) |
peer_error | Data read/write exception (such as RST and so on) |
peers_is_empty | Origin peers empty. |
module_load_failed | HTTP module load failure. |
header_too_large | HTTP header too large. |
parse_header_failed | HTTP header parsing failure. |
read_offset_out_of_upstream_range | The offset for reading origin data exceeds the range of the origin response. |
no_cache | No cache used |
partial_compress_cache | Contains only partial compressed cache. |
upstream_no_mtime | Origin response has no mtime. |
cache_no_mtime | Local cache has no mtime. |
upstream_mtime_change | Origin mtime changed |
upstream_no_etag | Origin response has no etag. |
cache_no_etag | Local cache has no etag. |
upstream_etag_change | Origin etag changed |
upstream_length_change | Origin length changed |
upstream_status_change | Origin status code changed |
upstream_data_not_set | Origin module data not initialized. |
upstream_respond_extra_data | Origin responded with extra data. |
domain_resolve_failed | Origin domain name resolution failed. |
domain_resolve_none | Origin domain name resolution result is empty. |
upstream_server_is_empty | Origin server list is empty. |
upstream_failed | Origin request failed. |
upstream_content_range_with_content_encoding | Origin response contains both Content-Range and Content-Encoding. |
upstream_unknown_transfer_encoding | Origin response contains unknown Transfer-Encoding. |
upstream_transfer_encoding_with_content_length | Origin response contains both Transfer-Encoding and Content-Length. |
upstream_keepalive_without_length | Origin responded with a file of unknown length and requested keep-alive. |
chunked_error | chunked parsing failed. |
read_file_info_failed | Failed to read cached file information. |
set_cache_data_failed | Failed to set cache data. |
unknown_compress_method | Unknown compression algorithm |
compress_size_too_large | Compressed file is too large |
compress_error | Compression exception |
upstream_verify_failed | UUID anti-hijacking verification failed. |
scheme_error | Unknown scheme |
empty_domain | Domain name is empty. |
reset_client | Client needs to be RST |
blacklist_fatal_error | Blacklist exception |
range_index_error | Multiple Range index exception |
upstream_respond_206_without_content_range | Origin responded with 206 without Range. |
upstream_respond_content_range_without_size | Origin responded with Content-Range without total file size. |
upstream_respond_error_content_range | Origin Range response exception |
BotCharacteristic Field Descriptions
Note:
This field is provided only for domains that have the Bot Management - Bot Intelligent Analysis feature enabled.
Field Value | Corresponding Rule Name | Detailed Description | Mapped Bot Tag (BotTag) | Potential Attack or Business Scenario Hit |
Client Inconsistency | Client Inconsistency | Request headers and characteristics are inconsistent, or the Layer 4 OS fingerprint does not match the User-Agent. | Malicious Bot | A forged UA, for example, a request from a Linux server that declares itself as a Windows UA. When some users access the internet through proxies or corporate/campus networks, the Layer 4 fingerprint originates from the proxy machine and does not match the user's UA. |
Irregular TLS Fingerprint | Irregular TLS Fingerprint | Irregular TLS Fingerprint from Tools | Malicious Bot, Suspected Bot | Requests initiated by script tools; Some clients use tools/components to call APIs and static resources. |
High Frequency | High-Frequency Requests | Sending a large number of requests from one or a few IPs/User-Agents. | Malicious Bot, Suspected Bot | / |
Irregular Path Access | Irregular Path Access | Request paths appear randomly or are concentrated on specific APIs, which may indicate scanning or data scraping. | Malicious Bot, Suspected Bot | When a site has limited resources or runs a promotion, user requests are concentrated and frequently directed to a specific path within a short period. |
Real-time Proxy Detection | Real-time Proxy Detection | Determines whether a request may be forwarded via a proxy based on real-time traffic patterns. | Malicious Bot, Suspected Bot | Black-hat actors use second-dial proxies to change IPs and bypass risk control policies. Users use proxy VPNs, corporate network/campus network egress IPs. Network fluctuations are significant. |
TLS Fingerprint Inconsistency | TLS Fingerprint Inconsistency | TLS fingerprint and User-Agent mismatch. | Malicious Bot, Suspected Bot | Some niche clients (with uncommon UAs); requests from script tools; requests with a tampered UA; corporate network/campus network egress. |
UA with Bot Identifier | User-Agent Containing Bot Identifier | Contains common bot tool identifiers in the User-Agent. | Malicious Bot | User UAs contain common script tool identifier strings. |
Python-Requests | Python-requests Request | Sends requests using the python-requests tool. | Malicious Bot | User UAs contain the python-requests string. |
Python-Urllib | Python-urllib Request | Sends requests using the python-urllib tool. | Malicious Bot | User UAs contain the python-urllib string. |
Curl | cURL Request | Sends requests using the curl tool. | Malicious Bot | User UAs contain the curl string. |
Go HTTP Client | Go HTTP Client Request | Sends requests using the go-http-client tool. | Malicious Bot | User UAs contain the go-http-client string. |
Phpcrawl | phpcrawl Request | Sends requests using the phpcrawl tool. | Malicious Bot | The phpcrawl string is contained in the user UA. |
Libcurl | libcurl Request | Sends requests using the libcurl tool. | Malicious Bot | User UAs contain the libcurl string. |
WinHTTP Client | WinHTTP Request | Sends requests using the WinHttpClient tool. | Malicious Bot | The WinHttpClient string is contained in the user UA. |
Headless Browser | Headless Browser | Sends requests using a headless browser (such as Puppeteer and Selenium). | Malicious Bot | User UAs contain the headless string. |
Triggered by Known Tool#{Num} | Specific Tool Feature #{Num} | A rule triggered by specific tools or behaviors. {Num} is used to identify different tools or behaviors. Self-service querying/management of this type of feature is not currently supported. If you have any questions, please contact us. | Malicious Bot, Suspected Bot | / |