Merge pull request #1815 from SEKOIA-IO/waf_doc
add_waf_behavior_and_best_practices
CharlesLR-sekoia authored Jun 6, 2024
2 parents bf5c71e + d490ff5 commit 2b9349c
Showing 1 changed file with 57 additions and 0 deletions.
57 changes: 57 additions & 0 deletions docs/xdr/develop/quickstart.md
Expand Up @@ -451,3 +451,60 @@ To get events with source IP `1.2.3.4` in the last 30 days:
```bash
search_events.py [-h] --dates="-30d,now" --query='source.ip: \"1.2.3.4\"' YOUR_API_KEY
```

## Best Practices for Development and Interaction with Our Product to Avoid Being Blocked by Our WAF

Web Application Firewalls (WAF) are crucial components for the security of web applications. They protect against various threats by filtering and monitoring HTTP traffic between a web application and the Internet. Our AI-based WAF uses a credibility score to determine the reliability of users and their interactions with our product. This article explores why we use a WAF, the specifics of our AI WAF, the main types of anomalies clients may encounter, and provides recommendations and best practices for interacting with our product without getting blocked.

### 1. Why Use a WAF?

A WAF is an indispensable security tool for protecting web applications against common attacks such as SQL injections, cross-site scripting (XSS), DDoS attacks, and other web-based threats. By using a WAF, we can:

- Prevent attacks by filtering malicious requests before they reach the application.
- Monitor traffic in real-time to detect and quickly respond to suspicious behavior.
- Protect sensitive data by preventing unauthorized access.
- Ensure application availability by minimizing interruptions due to attacks.

### 2. Specifics of an AI-Based WAF

Our AI-based WAF goes beyond traditional security rules by using machine learning algorithms to evaluate user credibility. The credibility score is calculated based on various behaviors and interactions. Here are some specifics:

- **Credibility Score Calculation**: The AI analyzes user behavior over periods of about ten seconds. Repeated anomalies lower the user's credibility.
- **Reputation Update Cycles**: The user's reputation is updated in cycles, averaging every 30 seconds. If suspicious behaviors persist, the user will be blocked.
- **Types of Anomalies**: The WAF detects security anomalies (scans, SSRF, injections, exploits, protocol manipulations), and behaviors exceeding fixed and dynamic (AI based) thresholds.

### 3. Main Types of Anomalies Clients May Encounter

Anomalies are evaluated in real-time and can impact the user's credibility. Here are the main types of anomalies:

- **Security Anomalies**:

- Security scans, SSRF, injections, exploitation of vulnerabilities, protocol manipulations.

- **Anomalies Relative to Fixed Thresholds**:

- **Response Time**: Requests taking more than 10 seconds of CPU/memory processing.
- **Request Frequency**: More than 200 requests per second.
- **Authentication**: Strengthened mechanisms on authentication management pages.

- **Anomalies Relative to Smart Thresholds**:

- **Response Time**: Limit requests to less than 100 ms per second over a 10-second period.
- **Error Requests**: Do not exceed 20% errors (4XX or 5XX codes) on 20 requests per 10-second period.

!!! Note
**Error Code 429**: Indicates rate limiting when too many requests are received in a short time.

### 4. Recommendations and Best Practices

To avoid being blocked by our WAF, it is important to follow these best practices when interacting with our API and the product UI in general:

- **Optimize Requests**: Avoid requests that consume too many resources (no more than 100 ms per request).
- **Limit Request Frequency**: Do not exceed 5 requests per second.
- **Handle Errors**: Pause scripts if the return code is 4XX or 5XX for 2 requests within a 10-second period.
- **Impact Duration**: In case of blocking, the user will be impacted for between 30 seconds and 5 minutes (randomized duration).

!!! Note
Users sharing the same VPN exit point will be considered as a single user. Ensure that multiple users accessing the service through the same VPN do not collectively exceed the recommended limits.

By following these recommendations, you can improve the user experience and ensure smooth interaction with our product while respecting the security measures implemented by our WAF.
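Review bot: the two request-rate figures in this hunk need reconciling or an explanatory sentence: section 3 lists the fixed threshold as "More than 200 requests per second", while section 4 tells clients "Do not exceed 5 requests per second". A reader will not know which limit applies; add one line in section 4 stating that 200 req/s is the hard block and 5 req/s is the recommended ceiling that keeps a client under the smart (AI-based) CPU-time threshold. Related wording: "Limit requests to less than 100 ms per second over a 10-second period" mixes a per-request budget with a per-second budget; rephrase to say whether the client should keep total server processing time under 100 ms per second averaged over 10 seconds, or each request under 100 ms, since section 4 reads "no more than 100 ms per request". The 429 note would also be more useful if it said how to recover: pause for the documented 30 s to 5 min impact window, or honour a `Retry-After` header if the WAF sends one (confirm before documenting). Finally, both `!!! Note` admonitions need their body text indented four spaces for MkDocs to render them as callouts rather than as a literal `!!! Note` line followed by a plain paragraph.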
