Azure WAF bot protection ruleset. Meaning of log ID 300700

Question

Azure WAF bot protection ruleset. Meaning of log ID 300700

eenchev 0

I have enabled bot protection ruleset for a waf policy. The DRS ruleset normally has a detailed message in the logs but for the bot protection I am finding it hard to identify the reason for a match for 300700 id Other bots (group Unknownbots).

User's image

We have thousands of such logs. I know default action is log and using allow is not recommended which will stop further ruleset checks.

In general I want to finetune the ruleid so I decrease the noise from these log messages and add 1-2 exclusions. Details_data field is not very helpful. What does it see in REQUEST_HEADERS:

rvinnakota 4,760 Reputation points Moderator

2025-03-12T21:23:54.5633333+00:00

Hi @eenchev,

To address the 300700 (Other bots - UnknownBots) noise in your WAF Bot Protection logs, we need to analyze the REQUEST_HEADERS field to identify patterns triggering the rule. This rule flags requests from bots not categorized under common groups (e.g., search engines, social media crawlers). The WAF uses header analysis to detect signatures of the traffic, such as missing or generic User-Agent headers, suspicious headers, and unusual header combinations.

As you mentioned that you couldn't find more details about the REQUEST_HEADERS information in the WAF Bot log, could you please share the timestamps for these logs? Additionally, can you explore the additional fields for the match details in the WAF query logs?

Kindly let us know if the above helps or you need further assistance on this issue.
eenchev 0 Reputation points

2025-03-13T07:29:24.7766667+00:00

Hi,

Thank you for you comments.

Here are some recent timestamps. As for other details there is nothing useful related to the match condition. details_data_s is "{ found within [REQUEST_HEADERS:]}" and Message : "Other bots"

Traffic is mostly internal and is false positive but I want to be able to understand the reason for triggering which should normally be found in the logs.
eenchev 0 Reputation points

2025-03-18T09:50:41.7966667+00:00

What exclusion can be made? What request argument to use, that is the reason for this post. The details_data field doesn't provide any information.

1 answer

Your answer

rvinnakota 4,760 Reputation points Moderator

2025-03-12T21:23:54.5633333+00:00

Hi @eenchev,

To address the 300700 (Other bots - UnknownBots) noise in your WAF Bot Protection logs, we need to analyze the REQUEST_HEADERS field to identify patterns triggering the rule. This rule flags requests from bots not categorized under common groups (e.g., search engines, social media crawlers). The WAF uses header analysis to detect signatures of the traffic, such as missing or generic User-Agent headers, suspicious headers, and unusual header combinations.

As you mentioned that you couldn't find more details about the REQUEST_HEADERS information in the WAF Bot log, could you please share the timestamps for these logs? Additionally, can you explore the additional fields for the match details in the WAF query logs?

Kindly let us know if the above helps or you need further assistance on this issue.
eenchev 0 Reputation points

2025-03-13T07:29:24.7766667+00:00

Hi,

Thank you for you comments.

Here are some recent timestamps. As for other details there is nothing useful related to the match condition. details_data_s is "{ found within [REQUEST_HEADERS:]}" and Message : "Other bots"

Traffic is mostly internal and is false positive but I want to be able to understand the reason for triggering which should normally be found in the logs.
eenchev 0 Reputation points

2025-03-18T09:50:41.7966667+00:00

What exclusion can be made? What request argument to use, that is the reason for this post. The details_data field doesn't provide any information.

Answer 1

Venkat V 2,545 Microsoft External Staff Moderator

Hi @eenchev

Azure WAF bot protection ruleset. Meaning of log ID 300700

As I can see, log ID 300700 is displaying REQUEST_HEADERS instead of the full reason for the log, which is due to the following cause:

This may be due to malicious attackers using a custom tool to hide the source details and UnknownBots.

Rule ID 300700 is part of the UnknownBots category in the Bot Manager Rule Set 1.1. This rule is triggered for traffic identified as originating from a bot, but the intent of the bot is unknown. It could either be legitimate traffic or malicious traffic using a custom tool.

UnknownBots (Bot300*) - Other bot user agents that may or may not be malicious.

Microsoft_BotManagerRuleSet-1.1-Other bots-Bot300700 is classified as an unknown bot, representing user agents that are published without additional validation.

enter image description here

To reduce the noise from log messages for Rule ID 300700, you can create exclusions for specific request attributes that are triggering the matches.

You can configure an exclusion by following the link

I hope this helps to resolve your query.

I really appreciate your feedback. It’s valuable to us. Please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.

Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-03-18T05:35:45.2566667+00:00

Hi @eenchev

I just wanted to follow up and see if you had a chance to review my response to your question. Please let us know if it was helpful, and feel free to reach out if you have any further queries.

I really appreciate your feedback. It’s valuable to us. Please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.
eenchev 0 Reputation points

2025-03-18T09:53:35.9666667+00:00

What exclusion can be made? What request argument to use, that is the reason for this post. The details_data field doesn't provide any information.
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-03-18T12:15:52.88+00:00

Hi @eenchev

Can you please share the detailed log information along with the message value for further analysis?
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-03-19T09:34:29.4133333+00:00

Hi @eenchev

As I didn’t see any update from you, kindly share the detailed log information and respond in the private chat where I requested some details.

Share via

Azure WAF bot protection ruleset. Meaning of log ID 300700

1 answer

Your answer