# Threat Detection
Moat integrates advanced threat detection capabilities using Arxignis threat intelligence, combining IP reputation data with JA4+ fingerprinting for comprehensive security analysis.
## Overview
Moat's threat detection system provides:
- Real-time IP threat scoring from 30+ threat intelligence sources
- JA4+ fingerprinting for TLS, HTTP, and TCP behavioral analysis
- Automatic access rule updates based on threat intelligence
- WAF field enrichment with threat scores and advice
- TCP fingerprint collection for anomaly detection
## How It Works

### 1. Threat Intelligence Integration

Moat automatically fetches threat intelligence from Arxignis:

```yaml
arxignis:
  api_key: "your-api-key-here"
  base_url: "https://api.arxignis.com/v1"
  log_sending_enabled: true
```
The threat intelligence system:
- Scores IPs from 0-100 based on malicious activity
- Provides advice: `allow`, `block`, or `challenge`
- Updates XDP access rules automatically
- Caches results in Redis for performance
### 2. JA4+ Fingerprinting
Moat collects comprehensive fingerprints for behavioral analysis:
- JA4 - TLS client fingerprinting
- JA4H - HTTP request header patterns
- JA4T - TCP options and characteristics
- JA4L - Latency and timing patterns
- JA4S - TLS server responses
- JA4X - X.509 certificate properties
### 3. TCP Fingerprint Collection

Monitor TCP connection patterns for threat analysis:

```yaml
tcp_fingerprint:
  enabled: true
  log_interval_secs: 60
  enable_fingerprint_events: true
  fingerprint_events_interval_secs: 30
  min_packet_count: 1
  min_connection_duration_secs: 0
```
TCP fingerprints capture:
- SYN packet options and characteristics
- Window size and scaling patterns
- MSS values and other TCP options
- Connection behavior for anomaly detection
## Configuration

### Basic Setup

Enable threat intelligence integration:

```yaml
arxignis:
  # Your Arxignis API key
  api_key: "your-api-key-here"
  # API endpoint (default: https://api.arxignis.com/v1)
  base_url: "https://api.arxignis.com/v1"
  # Enable log sending to Arxignis (optional)
  log_sending_enabled: true
```
### Redis Caching

Configure Redis for threat intelligence caching:

```yaml
redis:
  url: "redis://localhost:6379"
  prefix: "ax:moat"
```
Caching benefits:
- Reduced API calls for repeated IP lookups
- Lower latency for threat checks
- Improved performance under high load
- Cost savings on API usage
## Threat Intelligence Fields

### WAF Integration

Threat intelligence data is automatically available in WAF rules:

```
# Block high-risk IPs
threat.score > 80 and threat.advice == "block"

# Challenge suspicious IPs
threat.score > 50 and threat.score <= 80

# Geographic context
ip.src.country == "US" and threat.score > 60

# ASN-based rules
ip.src.asn == 64500 and threat.advice == "block"
```
### Available Fields

| Field | Type | Description |
|---|---|---|
| `threat.score` | Int | Threat score (0-100) from intelligence sources |
| `threat.advice` | Bytes | Recommended action: `"allow"`, `"block"`, `"challenge"` |
| `ip.src.country` | Bytes | ISO country code from GeoIP lookup |
| `ip.src.asn` | Int | Autonomous System Number |
| `ip.src.asn_org` | Bytes | ASN organization name |
| `ip.src.asn_country` | Bytes | ASN country code |
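To show how the rule expressions above combine the enriched fields into a decision, here is an added example (not Moat's own rule engine) that evaluates the page's four rules over constructed request contexts. The `and`-only clause grammar, the first-match-wins ordering, and the actions attached to the "geographic" and "ASN" rules are assumptions made for the example.

```python
import operator
import re

# Comparison operators used by the rule expressions on this page.
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}
# One clause: <field> <op> <int or "quoted string">
_CLAUSE = re.compile(r'^\s*([a-z_.]+)\s*(>=|<=|==|!=|>|<)\s*("([^"]*)"|-?\d+)\s*$')

def eval_rule(rule: str, fields: dict) -> bool:
    """Evaluate an 'a and b and ...' rule over enriched request fields.
    A clause naming a field that was not enriched does not match, so the
    rule stays silent rather than firing on missing data."""
    for clause in rule.split(" and "):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, op, raw, quoted = m.groups()
        if field not in fields:
            return False
        want = quoted if quoted is not None else int(raw)
        if not OPS[op](fields[field], want):
            return False
    return True

# Rules copied from the WAF Integration section; actions for the last two are
# assumptions for this example. Ordered so the strongest action is tried first.
RULES = [
    ('threat.score > 80 and threat.advice == "block"', "block"),
    ('ip.src.asn == 64500 and threat.advice == "block"', "block"),
    ('threat.score > 50 and threat.score <= 80', "challenge"),
    ('ip.src.country == "US" and threat.score > 60', "challenge"),
]

def decide(fields: dict) -> str:
    """Return the action of the first matching rule, defaulting to allow."""
    for rule, action in RULES:
        if eval_rule(rule, fields):
            return action
    return "allow"

# Constructed request contexts (ASNs from the documentation range 64496-64511).
SAMPLE_REQUESTS = {
    "high_risk": {"threat.score": 85, "threat.advice": "block", "ip.src.country": "CN", "ip.src.asn": 64496},
    "suspicious": {"threat.score": 65, "threat.advice": "challenge", "ip.src.country": "DE", "ip.src.asn": 64497},
    # High score but advice is not "block": only the geographic rule fires.
    "us_high_score": {"threat.score": 90, "threat.advice": "challenge", "ip.src.country": "US", "ip.src.asn": 64498},
    "clean": {"threat.score": 5, "threat.advice": "allow", "ip.src.country": "US", "ip.src.asn": 64501},
}
```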
## JA4+ Fingerprinting

### What is JA4+?
JA4+ is a suite of network fingerprinting methods that identify clients and servers based on their network behavior, not just IP addresses.
### JA4 - TLS Client Fingerprinting
Identifies TLS clients based on:
- TLS version
- Cipher suites offered
- Extensions and their order
- Supported groups and signature algorithms
### JA4H - HTTP Fingerprinting
Analyzes HTTP request patterns:
- Header order and values
- Cookie handling
- HTTP version and methods
- Accept headers and encodings
### JA4T - TCP Fingerprinting
Captures TCP characteristics:
- TCP options and their order
- Window size and scaling
- MSS (Maximum Segment Size)
- Timestamp behavior
See the JA4+ Complete Documentation for detailed technical specifications.
## Monitoring and Analytics

### Log Events

When `log_sending_enabled: true`, Moat sends events to Arxignis:

```json
{
  "type": "threat_detection",
  "timestamp": "2024-01-15T10:30:00Z",
  "ip": "203.0.113.45",
  "threat_score": 85,
  "advice": "block",
  "action_taken": "dropped_at_xdp",
  "ja4": "t13d1516h2_8daaf6152771_e5627efa2ab1",
  "ja4h": "ge11nn05enus_7c6f05271088_3d7f09ba7b0e",
  "context": {
    "country": "CN",
    "asn": 4134,
    "asn_org": "China Telecom"
  }
}
```
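The `ja4` and `ja4h` values in an event are readable, not just hashes: their first section encodes the TLS and HTTP properties listed in the JA4+ section above. The added example below (not Moat's or Arxignis's code) decodes that first section according to the public JA4/JA4H layout, using the fingerprints from the sample event; the trailing sections are truncated hashes and are returned untouched.

```python
import re

# Constructed sample, shaped like the log event above.
SAMPLE_EVENT = {
    "ip": "203.0.113.45",
    "threat_score": 85,
    "ja4": "t13d1516h2_8daaf6152771_e5627efa2ab1",
    "ja4h": "ge11nn05enus_7c6f05271088_3d7f09ba7b0e",
}

TLS_VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1", "10": "TLS 1.0"}
HTTP_VERSIONS = {"10": "HTTP/1.0", "11": "HTTP/1.1", "20": "HTTP/2", "30": "HTTP/3"}

def decode_ja4(ja4: str) -> dict:
    """Decode section 'a' of a JA4 TLS client fingerprint:
    protocol, TLS version, SNI flag, cipher count, extension count, ALPN."""
    parts = ja4.split("_")
    a = parts[0]
    if len(parts) != 3 or not re.fullmatch(r"[tq]\d\d[di]\d\d\d\d[0-9a-z]{2}", a):
        raise ValueError(f"not a JA4 fingerprint: {ja4!r}")
    return {
        "transport": "QUIC" if a[0] == "q" else "TCP",
        "tls_version": TLS_VERSIONS.get(a[1:3], "unknown"),
        "sni_present": a[3] == "d",          # 'd' = domain (SNI sent), 'i' = IP (no SNI)
        "cipher_count": int(a[4:6]),
        "extension_count": int(a[6:8]),
        "alpn": None if a[8:10] == "00" else a[8:10],  # first+last char of ALPN
        "cipher_hash": parts[1],
        "extension_hash": parts[2],
    }

def decode_ja4h(ja4h: str) -> dict:
    """Decode section 'a' of a JA4H HTTP fingerprint:
    method, HTTP version, cookie/referer presence, header count, Accept-Language."""
    parts = ja4h.split("_")
    a = parts[0]
    if not re.fullmatch(r"[a-z]{2}\d\d[cn][rn]\d\d[0-9a-z]{4}", a):
        raise ValueError(f"not a JA4H fingerprint: {ja4h!r}")
    return {
        "method_prefix": a[0:2],             # "ge" = GET, "po" = POST, ...
        "http_version": HTTP_VERSIONS.get(a[2:4], "unknown"),
        "has_cookie": a[4] == "c",
        "has_referer": a[5] == "r",
        "header_count": int(a[6:8]),
        "accept_language": None if a[8:12] == "0000" else a[8:12],
        "hashes": parts[1:],
    }
```

Decoding the sample event shows a TLS 1.3 client with SNI, 15 ciphers, 16 extensions and ALPN `h2`, sending a GET over HTTP/1.1 with five headers, no cookie and no Referer.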
### Statistics

Monitor threat detection effectiveness:

```yaml
bpf_stats:
  enabled: true
  enable_dropped_ip_events: true
tcp_fingerprint:
  enabled: true
  enable_fingerprint_events: true
```
## Best Practices

### Production Deployment
- Enable Redis caching to reduce API calls and improve performance
- Set appropriate log intervals to balance visibility and log volume
- Monitor threat scores to tune WAF rules effectively
- Use fingerprinting data for behavioral analysis and anomaly detection
### Security Considerations

- Combine multiple signals: use threat scores together with fingerprints
- Tune thresholds based on your traffic patterns
- Monitor false positives and adjust rules accordingly
- Keep the integration updated so rules act on the latest threat intelligence
### Performance Tips
- Redis is essential for production use to cache threat intelligence
- Adjust cache TTLs based on your threat landscape
- Monitor API usage to stay within rate limits
- Use WAF rules to act on threat intelligence automatically