Azure WAF bot protection ruleset. Meaning of log ID 300700

Question

Azure WAF bot protection ruleset. Meaning of log ID 300700

eenchev 0

I have enabled bot protection ruleset for a waf policy. The DRS ruleset normally has a detailed message in the logs but for the bot protection I am finding it hard to identify the reason for a match for 300700 id Other bots (group Unknownbots).

User's image

We have thousands of such logs. I know default action is log and using allow is not recommended which will stop further ruleset checks.

In general I want to finetune the ruleid so I decrease the noise from these log messages and add 1-2 exclusions. Details_data field is not very helpful. What does it see in REQUEST_HEADERS:

Rohith Vinnakota 3,160 Reputation points Microsoft External Staff

2025-03-12T21:23:54.5633333+00:00

Hi @eenchev,

To address the 300700 (Other bots - UnknownBots) noise in your WAF Bot Protection logs, we need to analyze the REQUEST_HEADERS field to identify patterns triggering the rule. This rule flags requests from bots not categorized under common groups (e.g., search engines, social media crawlers). The WAF uses header analysis to detect signatures of the traffic, such as missing or generic User-Agent headers, suspicious headers, and unusual header combinations.

As you mentioned that you couldn't find more details about the REQUEST_HEADERS information in the WAF Bot log, could you please share the timestamps for these logs? Additionally, can you explore the additional fields for the match details in the WAF query logs?

Kindly let us know if the above helps or you need further assistance on this issue.

1 answer

Your answer

Rohith Vinnakota 3,160 Reputation points Microsoft External Staff

2025-03-12T21:23:54.5633333+00:00

Hi @eenchev,

To address the 300700 (Other bots - UnknownBots) noise in your WAF Bot Protection logs, we need to analyze the REQUEST_HEADERS field to identify patterns triggering the rule. This rule flags requests from bots not categorized under common groups (e.g., search engines, social media crawlers). The WAF uses header analysis to detect signatures of the traffic, such as missing or generic User-Agent headers, suspicious headers, and unusual header combinations.

As you mentioned that you couldn't find more details about the REQUEST_HEADERS information in the WAF Bot log, could you please share the timestamps for these logs? Additionally, can you explore the additional fields for the match details in the WAF query logs?

Kindly let us know if the above helps or you need further assistance on this issue.

Answer 1

eenchev 0

Hi,

Thank you for you comments.

Here are some recent timestamps. As for other details there is nothing useful related to the match condition. details_data_s is "{ found within [REQUEST_HEADERS:]}" and Message : "Other bots" User's image

User's image

Traffic is mostly internal and is false positive but I want to be able to understand the reason for triggering which should normally be found in the logs.

User's image

Share via

Azure WAF bot protection ruleset. Meaning of log ID 300700

1 answer

Your answer