Operation Fingerprint Detector
Match traffic behaviour against known-bad scraping signatures to detect the same campaign from new sources.
What it detects
The operation fingerprint detector identifies when the same scraping operation appears from a new network. It builds a behaviour profile per ASN (path distribution, user-agent mix, status code distribution) and compares it against known-bad profiles.
How it works
- For each ASN over a 60-minute window, the detector builds distribution vectors:
  - Top-5 path prefixes by request share
  - Top-3 UA families by request share
  - Status code distribution
- Distributions are rounded (default 5%) for noise resilience
- A deterministic hash is computed from the distributions
- The hash is compared against known-bad profiles (per-tenant + global shared)
Monitor vs Alert mode
This detector supports two modes, configured in the rule thresholds:
- Monitor (default): logs matches to the event trail but does NOT create alerts or send notifications. Use this to validate fingerprints before going live.
- Alert: full alert lifecycle with notifications.
We recommend running in monitor mode for 2-4 weeks to tune the rounding factor and build confidence in your profiles before switching to alert mode.
Shared intelligence
When "Intelligence sharing" is enabled in Settings, resolved operation fingerprint alerts contribute their anonymised behaviour signatures to a global profile library. All tenants benefit from the collective intelligence without seeing each other's raw data. Only statistical fingerprints are shared (rounded percentages of path/UA/status distributions).
Default thresholds
| Threshold | Default | Description |
|---|---|---|
| window_minutes | 60 | Time window to evaluate |
| min_requests | 5000 | Volume floor per ASN |
| min_confidence | 0.7 | Minimum profile confidence to match |
| mode | monitor | monitor or alert |
| rounding_pct | 5 | Round distributions to nearest N% |
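The following is an added worked example, not the product's own code, covering both the pipeline described under "How it works" and the mode and threshold handling from the table above. Everything beyond what the page states is an assumption made here: the path-prefix rule (first path segment, query string dropped), SHA-256 over canonical JSON as the deterministic hash, dropping shares that round to 0% so a small tail cannot flip the hash, and the shape of the known-bad library (fingerprint mapped to a source and a confidence). The traffic is constructed inline; it is not real log data.

```python
import hashlib
import json
from collections import Counter

# Defaults taken from the threshold table on this page.
THRESHOLDS = {
    "window_minutes": 60,
    "min_requests": 5000,
    "min_confidence": 0.7,
    "mode": "monitor",      # "monitor" only logs matches; "alert" raises an alert
    "rounding_pct": 5,
}

def path_prefix(path):
    """First path segment with the query string dropped (assumed prefix rule: '/api/x/1' -> '/api')."""
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    return "/" + segments[0] if segments else "/"

def share_vector(counter, total, top_n, rounding_pct):
    """Top-N request shares in percent, rounded to the nearest rounding_pct.
    Ties are broken by key so the vector is deterministic; entries that round
    to 0% are dropped (an assumption) so a 2% tail cannot change the hash."""
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    vec = {}
    for key, n in ranked:
        pct = round(100.0 * n / total / rounding_pct) * rounding_pct
        if pct:
            vec[key] = pct
    return vec

def build_profile(requests, asn, thresholds=THRESHOLDS):
    """Behaviour profile for one ASN; the caller has already selected the 60-minute window."""
    rows = [r for r in requests if r["asn"] == asn]
    if not rows:
        return None
    total, rp = len(rows), thresholds["rounding_pct"]
    return {
        "asn": asn,
        "requests": total,
        "paths": share_vector(Counter(path_prefix(r["path"]) for r in rows), total, 5, rp),
        "uas": share_vector(Counter(r["ua"] for r in rows), total, 3, rp),
        "status": share_vector(Counter(str(r["status"]) for r in rows), total, None, rp),
    }

def shareable(profile):
    """What a resolved alert contributes to the shared library: rounded distributions only."""
    return {k: profile[k] for k in ("paths", "uas", "status")}

def fingerprint(profile):
    """Deterministic hash: SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    canonical = json.dumps(shareable(profile), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def evaluate(requests, asn, known_bad, thresholds=THRESHOLDS):
    """Run the detector for one ASN. known_bad maps fingerprint -> {"source", "confidence"}."""
    profile = build_profile(requests, asn, thresholds)
    if profile is None or profile["requests"] < thresholds["min_requests"]:
        return {"asn": asn, "action": "skip", "reason": "below min_requests"}
    fp = fingerprint(profile)
    hit = known_bad.get(fp)
    if hit is None or hit["confidence"] < thresholds["min_confidence"]:
        return {"asn": asn, "action": "no_match", "fingerprint": fp}
    action = "alert" if thresholds["mode"] == "alert" else "logged"
    return {"asn": asn, "action": action, "fingerprint": fp,
            "source": hit["source"], "confidence": hit["confidence"]}

# --- constructed sample traffic (synthetic, not real logs) -------------------
def _expand(n, mix):
    keys = list(mix)
    out = []
    for k in keys[:-1]:
        out += [k] * round(n * mix[k])
    return out + [keys[-1]] * (n - len(out))

def synth_requests(asn, n, path_mix, ua_mix, status_mix):
    """n synthetic requests whose per-dimension shares follow the given mixes."""
    return [{"asn": asn, "path": p, "ua": u, "status": s}
            for p, u, s in zip(_expand(n, path_mix), _expand(n, ua_mix), _expand(n, status_mix))]

SAMPLE = (
    # ASN 64500: the campaign as first seen; its resolved alert seeds the known-bad library
    synth_requests(64500, 6000, {"/product/123": 0.63, "/search?q=a": 0.30, "/cart": 0.07},
                   {"python-requests": 0.80, "curl": 0.20}, {200: 0.90, 429: 0.10})
    # ASN 64501: the same operation from a new network; shares differ by a few percent
    + synth_requests(64501, 5200, {"/product/999": 0.64, "/search?q=b": 0.29, "/cart": 0.07},
                     {"python-requests": 0.78, "curl": 0.22}, {200: 0.91, 429: 0.09})
    # ASN 64502: identical behaviour but far below the volume floor
    + synth_requests(64502, 300, {"/product/5": 0.63, "/search?q=c": 0.30, "/cart": 0.07},
                     {"python-requests": 0.80, "curl": 0.20}, {200: 0.90, 429: 0.10})
    # ASN 64503: ordinary browsing, unrelated profile
    + synth_requests(64503, 6000, {"/": 0.50, "/blog/post": 0.50}, {"Chrome": 1.0}, {200: 1.0})
)

KNOWN_BAD = {fingerprint(build_profile(SAMPLE, 64500)): {"source": "tenant", "confidence": 0.9}}

if __name__ == "__main__":
    for asn in (64501, 64502, 64503):
        print(evaluate(SAMPLE, asn, KNOWN_BAD))
```

ASN 64501 produces the same fingerprint as ASN 64500 even though its raw shares differ by one to three points, because 5% rounding collapses both into the same buckets; in the default monitor mode the match is logged rather than alerted, ASN 64502 is skipped by the volume floor, and ASN 64503 does not match. The caveat worth keeping in mind while tuning rounding_pct in monitor mode is that bucket boundaries are hard edges: a 61% share rounds to 60% while 63% rounds to 65%, so an operation that drifts across a boundary will stop matching until the rounding factor is widened or a second profile is recorded.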