Skip to content

Exploring Bot Activity

API Abuse Prevention identifies malicious bot activity based on ML algorithms. Such attacks are impossible to analyze based on a single blocked request. Therefore, it is essential that the Wallarm platform offers a wide range of tools to investigate bot activity from different angles.


You can explore attacks performed by bots in Wallarm Console → Attacks section. Use the api_abuse, account_takeover, scraping and security_crawlers search keys or select the appropriate options from the Type filter.

API Abuse events

Bot information is visualized in three heatmaps. In all heatmaps, the bigger the bubble, the closer it to red color and to the right upper corner - the more reasons to consider this IP to be a bot.

On the heatmaps, you can also compare you current bot (this bot) with the other bots that attacked the same application within the past 24 hours. If too many bots did that, only 30 most suspicious will be displayed.

The heatmaps:

  • Performance visualizes the performance of the current and other detected bots including their request non-uniqueness, scheduled requests, RPS, and request interval.

  • Behavior visualizes the suspicious behavior score of the current and other detected bots including their degree of suspicious behavior, amount of requests to critical or sensitive endpoints, RPS and the number of bot detectors that detected them as bots.

  • HTTP errors visualizes the API errors caused by bot activities including the number of different endpoints they target, the number of unsafe requests they make, their RPS, and the number of error response codes they receive.

Bot attacks in API sessions

You can easily validate detected malicious bot activity by switching from Attacks to API Sessions with the Explore the Session button. This button is available only for attacks for which there are saved sessions (see session retention period in limitations for API Sessions). Within a session, you can analyze the sequence of requests that matches the malicious pattern and find out why it was blocked. If necessary, you can view all requests within a given session to understand the full context of the behavior of the selected actor.

API Abuse attack in API Sessions

Expand the session details to identify which sequence of requests was flagged as malicious bot activity. If necessary, you can expand request details, view its content and immediately use the Add source IP to denylist or Add to exception list options.

You can switch back to the Attacks section using Explore the attack.