How-to
Operations Monitoring
How the Operations page surfaces operation fingerprint matches in monitor mode.
Jump to section
What the Operations page shows
The Operations page displays matches from the Operation Fingerprint detector running in monitor mode. This gives you visibility into suspected scraping operations without generating alerts or notifications.
How monitor mode works
When the Operation Fingerprint detector is set to monitor mode (the default), it evaluates traffic against known-bad behaviour profiles on every cron tick. When it finds a match, it logs the result to the event trail and surfaces it on the Operations page. It does not create alerts or send notifications.
Reading the table
Each row in the Operations table shows:
- Timestamp — when the match was detected
- ASN — the network that matched a known-bad profile
- Signature hash — the behaviour fingerprint that was matched
- Confidence — how closely the ASN's behaviour matches the profile (0-1)
- Severity — derived from the confidence score
Expanding a row
Click any row to expand it and see the distribution breakdown that produced the match:
- Path distribution — top path prefixes and their request share
- UA distribution — top user-agent families and their request share
- Status distribution — HTTP status code breakdown for this ASN
Switching to alert mode
When you're confident the fingerprints are accurate:
- Go to Rules in the sidebar
- Find the Operation Fingerprint rule
- Click the pencil icon to edit thresholds
- Change the
modefield frommonitortoalert - Save the change
The detector will now create alerts and send notifications when matches occur.
When to switch
We recommend monitoring for 2-4 weeks before switching to alert mode. This gives you time to:
- Verify that matches correspond to real scraping operations
- Tune the
min_confidencethreshold if you see false matches - Adjust the
rounding_pctfor your traffic profile