---
title: "Bot Activities"
slug: "bot-activities"
description: "Explore detailed records of bot-related activities detected by Traceable. Analyze bot interaction patterns, risk signals, and fingerprint anomalies to enhance visibility, investigation, and response to automated threats."
updated: 2025-11-24T09:40:23Z
published: 2025-11-24T09:40:23Z
---

# Bot Activities

##### Updates (October 2025 to December 2025)

*November 2025* — Updated the topic to add information about AI-related insights for the detected incidents. For more information, see [AI-Generated Insights](/v1/docs/bot-activities#aigenerated-insights).

The **Bot Activities** page offers a more detailed view of bot-related incidents detected across your environment. Unlike the **Bot Protection Dashboard**, which gives a high-level summary, this section is designed for detailed analysis. It helps security teams understand the nature of bot attacks, track trends over time, and take appropriate action to mitigate threats.

Bot activity is rarely random, and most attacks follow recognizable patterns that evolve over a period of time. This page provides the tools necessary to stay ahead of these threats. By leveraging traffic insights, incident tracking, and backtesting capabilities, security teams can refine their defenses, minimize false positives, and respond rapidly to automated threats.

More than just a detection tool, the **Bot Activities** page supports **proactive defense strategies**. With a structured workflow, from initial detection to in-depth analysis and response, organizations can maintain a strong security posture against ever-evolving bot threats.

## **Analyzing Traffic and Incident Trends**

At the top of the page, the **Total Traffic Timeline** graph presents a dynamic view of bot activity. Traffic is represented by a blue line, while detected bot-related incidents appear in red. This dual-layered visualization enables users to compare bot activity against standard traffic patterns, facilitating the identification of unusual spikes that may indicate an ongoing attack.

Security analysts can toggle between **Traffic** and **Active Incidents** or view both simultaneously to gain a better understanding of emerging threats. A sudden increase in bot-related incidents without a proportional rise in overall traffic might suggest that detection rules have been tightened. In contrast, a simultaneous increase in both metrics could indicate a large-scale automated attack.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Screenshot 2025-04-10 at 10.51.50 AM.png)

---

## **Understanding Bot Incidents and Their Impact**

Below the timeline, the **Incident List** provides a detailed breakdown of detected bot activities. Each row represents an incident, such as a sudden **spike in API call counts**. It highlights critical details, including the target endpoint, the duration of the incident, and the last time it was observed.

Filtering options enable users to narrow down incidents based on incident type, affected targets, and last seen date. This is particularly useful when investigating a persistent bot attack targeting specific services or APIs. If multiple bot-related incidents share common attributes, such as originating from the same endpoint, this could indicate a **coordinated attack** that requires immediate attention.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Screenshot 2025-04-10 at 10.58.55 AM.png)

---

## **Diving Deeper into Incident Details**

When you click on an incident, it reveals an in-depth analysis of its characteristics. The following section provides the necessary details to determine the impact of the bot activity and plan an appropriate response.

### **Summary Tab**

The **Summary** tab provides an overview of the incident, including:

- **AI-Generated Insight** — This section provides deeper insights, including highlighting the affected API, explaining the behavior driving the attack, and surfacing primary threats, enabling you to quickly grasp the incident’s significance and prioritize your response.
- **Fingerprints** — Fingerprints display detection signals such as unusual headers, abnormal user-agent behavior, or repeated unauthenticated requests, along with their enforcement status and actions (allow, block, monitor, or no action), helping you reduce false positives and understand why the activity was flagged.
- **Total Traffic Timeline** — The timeline visualizes total requests, blocked and monitored requests, and detection points over time, highlighting top IPs, countries, ASNs, and organizations, so you can assess attack intensity, duration, and validate the effectiveness of your protective rules.

#### AI-Generated Insights

The Summary tab shows an AI-generated insight for the incident when you enable it under [AI features](https://docs.traceable.ai/docs/ai-features). It contains the following information:

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Traceable_bot_activties_AI_image(1).gif)

AI Generated Insight

- The description of the attack contains all the details of the attack. For example, the *password reset API*.
- The name of the API under attack, for example, */auth/forget-password*.
- The nature of the attack, and the policy that is configured to detect this attack.
- The primary threats that are detected in the incident.
- The primary threat indicator varies dynamically and is based on the type of policies you have configured. To configure the policies, see [Bot Protection Rules](https://docs.traceable.ai/docs/bot-protection-policies#creating-a-custom-bot-protection-rule).
- The duration and intensity of the attack, as well as the time it started and ended.
- The summary of the attack contains all the details of the attack.

#### **Understanding Fingerprints**

Fingerprints play a key role in identifying bot activity and are derived from detection policies. These fingerprints represent specific attributes, such as request headers, user-agent patterns, request body types, or missing authentication tokens, that indicate bot behavior.

Each fingerprint listed represents a detection signal derived from Traceable's bot detection rules. The table includes the following fields:

- **ID** — A unique identifier for the fingerprint. Hovering over the info icon reveals the complete detection condition, for example, *RequestHeaders Not_Contains_Key Authorization*.
- **Status** — It indicates whether the fingerprint's enforcement is currently active. If marked **Expired**, the fingerprint is no longer actively used for enforcement purposes. If **Active**, any requests that match the fingerprint will be handled based on the associated action.
- **Action** — You can choose how to handle traffic matching each fingerprint:
  - **Allow** — It allows traffic through without blocking.
  - **Block** — It blocks the traffic.
  - **Monitor** — It enables you to observe and log traffic without blocking.
  - **No Action** — It allows you to retain the fingerprint definition but take no enforcement action.

By fine-tuning fingerprint actions, security teams can reduce false positives, improve detection accuracy, and ensure legitimate traffic is not mistakenly blocked.

#### **Total Traffic Timeline**

The **Total Traffic Timeline** graph within the Summary tab provides a time-based visualization of bot-related traffic patterns. It includes:

- **Total Traffic (Blue Line)** — The total number of requests observed within a given time window.
- **Blocked Traffic (Red Line)** — The number of requests that were explicitly blocked by bot protection rules.
- **Detection Time (Orange Dots)** — This highlights when the bot activity was detected.

It also lists the **Top 5 IPs**, the **Top 5 Countries**, and the **Top 5 ASNs and Organisations**, with the count for each attribute, as shown below.

Hovering over any data point in the graph reveals a breakdown of request volume at that timestamp, providing insights into traffic surges and detection accuracy. This timeline enables security teams to correlate bot activity trends, identify when attacks occurred, and evaluate the effectiveness of mitigation efforts.

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Screenshot 2025-04-10 at 11.09.44 AM.png)

---

### **Backtesting Tab**

The **Backtesting** feature allows security teams to validate detection rules by analyzing historical traffic. This tab provides insights into:

- How often the fingerprint would have matched in historical data.
- Whether the rule needs fine-tuning to reduce false positives or false negatives.
- A visualization of bot request trends across different time intervals.

#### **Using the Fingerprint Source**

The **Source** dropdown in the Backtesting tab enables you to select specific fingerprints for analysis. Each fingerprint represents a detection pattern applied to bot traffic. Selecting a fingerprint applies its detection criteria to historical traffic, providing a clear view of how that fingerprint performed over time.

You can:

- Compare multiple fingerprints to identify patterns in bot activity.
- Validate the effectiveness
- Detect recurring bot behavior across different periods.

#### Time Period

Next to the **Source** dropdown, the **Time Period** dropdown allows you to specify a historical range (e.g., last 30 minutes, 1 hour, or longer) to analyze how a fingerprint performed over that timeframe. This is particularly useful when trying to correlate bot activity spikes with known attack windows, helping security teams fine-tune detection rules more effectively.

By running a backtest, you can see how these fingerprints would have matched past traffic patterns, ensuring detection rules are neither too strict nor too lenient. If too many false positives appear, refining the fingerprint ensures legitimate users are not mistakenly blocked. Conversely, adjusting the detection parameters can improve accuracy if bot traffic is slipping through.

Backtesting enables a **data-driven approach** to bot mitigation, allowing teams to refine detection strategies before applying policies in live environments.
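The backtesting idea above, as an added example that is not Traceable's code or API: a fingerprint shaped like the condition quoted earlier, *RequestHeaders Not_Contains_Key Authorization*, is replayed over constructed historical requests for a chosen time period. The request records, the `bot` ground-truth label, and the names `not_contains_key` and `backtest` are assumptions made for illustration.

```python
from datetime import datetime, timedelta

T0 = datetime(2025, 11, 24, 9, 0)

def _req(minute, headers, bot):
    # "bot" is the analyst's ground-truth label for the request (assumed field).
    return {"ts": T0 + timedelta(minutes=minute), "headers": headers, "bot": bot}

# Constructed sample traffic (not real Traceable data).
HISTORY = [
    _req(0,  {"Authorization": "Bearer t1"}, False),
    _req(5,  {"User-Agent": "python-requests/2.31"}, True),
    _req(12, {"User-Agent": "python-requests/2.31"}, True),
    _req(20, {"authorization": "Bearer t2"}, False),  # lower-case header name
    _req(25, {"User-Agent": "Mozilla/5.0"}, False),   # legitimate, unauthenticated
    _req(40, {"User-Agent": "curl/8.5"}, True),
    _req(50, {"Authorization": "Bearer t3"}, True),   # bot that sends a token
    _req(70, {"User-Agent": "curl/8.5"}, True),       # after the window below
]

def not_contains_key(key):
    """Predicate for a condition shaped like 'RequestHeaders Not_Contains_Key <key>'."""
    wanted = key.lower()  # HTTP header names are case-insensitive
    return lambda req: wanted not in {k.lower() for k in req["headers"]}

def backtest(fingerprint, history, end, period, bucket=timedelta(minutes=15)):
    """Replay a fingerprint over [end - period, end] and summarise how it matched."""
    start = end - period
    window = [r for r in history if start <= r["ts"] <= end]
    result = {"requests": len(window), "matches": 0, "false_positives": 0,
              "false_negatives": 0, "trend": {}}
    for r in window:
        if fingerprint(r):
            result["matches"] += 1
            result["false_positives"] += not r["bot"]   # matched a legitimate request
            slot = start + bucket * ((r["ts"] - start) // bucket)
            result["trend"][slot] = result["trend"].get(slot, 0) + 1
        elif r["bot"]:
            result["false_negatives"] += 1              # bot traffic that slipped through
    return result

if __name__ == "__main__":
    fp = not_contains_key("Authorization")
    for period in (timedelta(minutes=30), timedelta(hours=1)):
        print(period, backtest(fp, HISTORY, T0 + timedelta(hours=1), period))
```

In this sample the one-hour window surfaces both tuning signals the text describes: a legitimate unauthenticated request that the fingerprint would have matched, and a token-bearing bot request it would have missed.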

![](https://cdn.document360.io/24f14f07-13d1-4684-8fae-6d8f811768ee/Images/Documentation/Screenshot 2025-04-10 at 11.13.04 AM.png)

---

## **Taking Action on Bot Activity**

Once an incident has been analyzed, security teams can take action using the available response options:

- **Allow** the traffic if it was mistakenly flagged as bot activity.
- **Monitor** the traffic to observe further behavior before making a final decision.
- **Block** the traffic if it is confirmed as malicious bot activity.

These options ensure flexibility in bot mitigation, allowing teams to tailor their response strategies based on real-time insights and data. For example, if credential stuffing attacks frequently target an endpoint, an administrator might choose to **monitor** traffic initially, gathering more data before blocking the entire block.

---

### **Best Practices for Effective Bot Mitigation**

Choosing the right response action is critical to maintaining a balance between security and user experience. Here are some best practices to guide decision-making:

- **When to Monitor**: If an incident involves **high traffic but low risk**, monitoring can help assess behavioral patterns before applying strict blocking measures. For example, an API endpoint experiencing increased traffic from a single IP may not immediately warrant blocking if legitimate users are involved.
- **When to Block**: Blocking should be applied when **repeated malicious behavior is detected**, such as a bot attempting credential stuffing attacks or scraping sensitive data at high frequency.
- **When to Adjust Detection Rules**: If **false positives are high**, fine-tune bot detection by reviewing fingerprints in the **Backtesting** tab. Adjusting rules ensures that legitimate users are not mistakenly blocked while keeping bot threats contained.

By continuously refining detection policies and balancing enforcement actions, security teams can **minimize false positives, reduce risk exposure, and optimize bot defense strategies**.

---

## **Investigating Bot Behavior Through Traffic Analysis**

Beyond high-level incident tracking, the **Bot Activities** page enables deep forensic analysis. Security analysts can inspect traffic details such as:

- The **affected service and endpoint** where bot activity was detected.
- The **status codes and request details** used to determine whether attacks were successful.
- The **headers and payload data** associated with bot requests.

By reviewing this granular data, teams can pinpoint how bots interact with applications and identify patterns that might require custom detection rules. The platform even allows the creation of **custom blocking rules** based on specific findings, enhancing automated defenses against sophisticated bot attacks.
