Bot filtering in Adobe Analytics, honestly
Adobe gives you two mechanisms: the IAB bot list and custom rules. Used well, they keep declared bots out of your reports. This guide covers exactly how they work, the two blind spots no rule can fix, and how to source rules from evidence instead of guesswork.
The mechanics, as documented
The IAB bot list
One toggle enables filtering against the IAB International Spiders and Bots list. It matches on user agent only, so it removes declared, well-behaved bots: search crawlers, monitoring tools, known scrapers that identify themselves. It does nothing about a bot that lies in its user agent, which is precisely what abusive bots do.
Custom bot rules
Rules you define on user agent (starts with or contains) and IP address or IP range. Conditions within a rule combine with OR. The admin UI allows up to 500 rules; beyond that you manage rules in bulk through CSV import and export, with columns IP, UserAgent, ISP, IAB and Description.
Where the filtered traffic goes
Hits matching bot rules are removed from standard reporting and appear in the dedicated Bots reports, so you can see what was excluded. Rules apply to data from the moment they are defined. Historical data is not reprocessed, which is why acting quickly on a new bot matters.
Behaviour verified against Adobe's bot-rules documentation on 10 July 2026.
The two blind spots rules cannot fix
Neither is a criticism of Adobe. Both are consequences of filtering at the collection layer instead of observing at the request layer.
Traffic that never fired the tag
Bot rules filter collected hits. Scrapers, API clients, probes and fake crawlers never execute the tag, so there is no hit to filter. Adobe cannot report on traffic it never received: filtering is not visibility. The complete picture only exists at the CDN layer, where every request is logged regardless of JavaScript.
Bots that rotate identities
A user-agent rule dies the moment the bot changes its user agent, and rotation is standard practice: real visitor populations cluster on two or three current browser versions while rotation harnesses spread across dozens. IP rules age the same way as botnets rotate networks. Rules built last quarter quietly stop matching, and nothing tells you.
Rules from evidence: the SFCC workflow
On Salesforce B2C Commerce, the eCDN logs are the ground truth. The workflow is short.
Find the offender at the CDN layer
Edge watches the eCDN logs and flags the networks abusing your storefront: scraping, credential stuffing, cache bypass, fake crawlers. Each alert carries the network, paths and time window, backed by raw log evidence.
Collect its identifiers
From the offender view, take the network detail, observed IPs from IP discovery, and user-agent patterns. These are evidence-based identifiers, not guesses: they describe traffic your WAF and your analytics both saw.
Enforce and filter in your own tools
Apply the suggested eCDN WAF rule from the alert to stop the traffic at the door, then use the Adobe rules button on the network detail page: it downloads the offender’s observed IPs as a CSV in the exact bot-rules Import File format, provenance included.
Fair questions
Does the IAB bot list catch scrapers?
It catches declared bots: crawlers and tools that honestly identify themselves in their user agent. Abusive scrapers do the opposite, presenting as current Chrome or as Googlebot. The IAB list matches on user agent alone, so a bot that lies is invisible to it. Treat the IAB toggle as baseline hygiene, not protection.
Are Adobe Analytics bot rules retroactive?
No. Bot rules apply to data collected after the rule is defined; existing reporting data is not reprocessed. That makes speed matter: the faster you identify a bot and add the rule, the less polluted history you accumulate. Server-side detection shortens exactly that window, because you see the bot at the CDN before you see it in reports.
How many bot rules can Adobe Analytics have?
The admin interface supports up to 500 manually defined rules per report suite; beyond that, rules are managed in bulk via CSV import and export (verified against Adobe’s documentation, 10 July 2026). The CSV columns are IP, UserAgent, ISP, IAB and Description. In practice the constraint is not the cap but rule freshness: stale rules stop matching as bots rotate.
Do bot hits still count as server calls?
The hit was collected and then filtered, so bot traffic still consumes collection volume. That is worth knowing commercially: heavy bot traffic that executes your tag costs you twice, once in polluted effort and once in collection. Stopping it at the CDN, before the tag fires, is the only version that reduces both.
Where should bot rules come from?
From evidence, not intuition. The CDN log layer shows which networks are actually abusive, with request counts, paths, bot scores and verified-crawler status. Building Adobe rules from that evidence means each rule maps to a confirmed offender with a paper trail, and reviewing them quarterly keeps the list honest. Blankitt Edge exists to produce exactly that evidence on Salesforce B2C Commerce.
Adobe Analytics is a trademark of Adobe Inc. Blankitt is an independent product and is not affiliated with Adobe. Documentation claims verified 10 July 2026; corrections welcome at [email protected].