
Quick Start Security for Cloudflare WAF


Cloudflare WAF

Coralogix Extension For Cloudflare WAF Includes:

Dashboards - 1

Gain instantaneous visualization of all your Cloudflare WAF data.

Cloudflare WAF Insights

Alerts - 21

Stay on top of Cloudflare WAF key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Cloudflare - WAF - Multiple Unknown Actions From Unique IPs

Alert Description: This alert triggers when Cloudflare's Web Application Firewall (WAF) logs multiple distinct "unknown" actions from a single IP address within a short timeframe. Note: Fine-tune the threshold based on your environment's traffic patterns.

Impact: Successful exploitation of an unknown vulnerability or misconfiguration could lead to data breaches, service disruptions, or unauthorized access. Multiple distinct "unknown" actions from the same IP might indicate a higher risk of malicious probing or targeted attacks.

Mitigation: The following actions can be taken to mitigate/troubleshoot this behavior:
- Investigate the affected IP address and the specific types of "unknown" actions triggered.
- Analyze Cloudflare WAF logs for patterns, anomalies, and potential attack signatures.
- Consider temporarily blocking the offending IP if the activity seems malicious.
- Update WAF rules or adjust configurations as needed to address potential vulnerabilities or misconfigurations.

MITRE Tactic and Technique: T1190 (Exploit Public-Facing Application)

Cloudflare - WAF - More Than Usual 4Xx Edge Response Errors (At Least 50)

This alert detects when 4xx edge response errors are generated more often than usual: if the error count exceeds the usual number by the threshold value of 10, the alert is triggered. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. The edge response status code is the HTTP response code sent from Cloudflare to the client (end user).

Note: Since this alert will start alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 4xx edge response, over 15% in 30min', which starts alerting on anomalies right after being deployed.

Impact: An excessive number of 4xx edge responses within a specific interval indicates that a threat actor is sending malicious/bad requests and could indicate a DoS/DDoS kind of attack.

Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further.

MITRE Tactic: TA0040
MITRE Technique: T1498

Cloudflare - WAF - Possible DoS Attack Detected (Single Host Queried by Multiple IP Addresses )

This alert triggers when Cloudflare detects a Layer 7 DDoS (L7 DDoS) attack. Cloudflare's Layer 7 Distributed Denial of Service (L7 DDoS) protection detects and mitigates attacks targeting the application layer of a web application. These attacks aim to overwhelm the application or its infrastructure by flooding it with a high volume of HTTP requests.

Impact: Layer 7 DDoS attacks aim to make web applications unavailable by overwhelming the server with requests. This can lead to significant downtime, affecting the availability of the service to legitimate users.

Mitigation:
- Activate DDoS Mitigation Tools: Use DDoS mitigation tools or services to filter and block malicious traffic.
- Investigate IP Addresses: Investigate the IP addresses triggering the DDoS attack.
- Analyze WAF Logs: Analyze Cloudflare WAF logs for patterns, anomalies, and potential attack signatures.
- Block Offending IPs: Consider temporarily blocking the offending IP addresses if the activity appears malicious.
- Update WAF Rules: Update WAF rules or adjust configurations as needed to address potential vulnerabilities or misconfigurations.

MITRE ATT&CK Framework Tactic: TA0040
Technique: T1498

Cloudflare - WAF - Multiple Host Queried by Single IP

This alert triggers when an IP address queries more than 10 unique hosts in 10 minutes. This might be an indicator of a DoS attack.

Impact: These attacks aim to make web applications unavailable by overwhelming the server with requests. This can lead to significant downtime, affecting the availability of the service to legitimate users.

Mitigation:
- Activate DDoS Mitigation Tools: Use DDoS mitigation tools or services to filter and block malicious traffic.
- Investigate IP Addresses: Investigate the IP addresses triggering the DDoS attack.
- Analyze WAF Logs: Analyze Cloudflare WAF logs for patterns, anomalies, and potential attack signatures.
- Block Offending IPs: Consider temporarily blocking the offending IP addresses if the activity appears malicious.
- Update WAF Rules: Update WAF rules or adjust configurations as needed to address potential vulnerabilities or misconfigurations.

MITRE ATT&CK Framework Tactic: TA0040
Technique: T1498
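A sliding-window check for the "more than 10 unique hosts in 10 minutes" condition, run over constructed Cloudflare-style request records. This is an added example, not Coralogix's or Cloudflare's code; the field names ClientIP, ClientRequestHost and EdgeStartTimestamp are assumed to follow Cloudflare's HTTP request log fields, with the timestamp taken as Unix seconds.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10 * 60   # the alert's 10-minute window
HOST_THRESHOLD = 10        # alert when one IP exceeds this many distinct hosts


def distinct_hosts_per_ip(records, window=WINDOW_SECONDS, threshold=HOST_THRESHOLD):
    """Return {client_ip: peak distinct hosts in any `window` seconds} for the
    IPs whose peak exceeds `threshold`."""
    by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["EdgeStartTimestamp"]):
        by_ip[r["ClientIP"]].append((r["EdgeStartTimestamp"], r["ClientRequestHost"]))

    flagged = {}
    for ip, events in by_ip.items():
        in_window = deque()              # (timestamp, host) pairs inside the window
        host_counts = defaultdict(int)   # how many in-window requests hit each host
        peak = 0
        for ts, host in events:
            in_window.append((ts, host))
            host_counts[host] += 1
            # Evict requests that fell out of the trailing window.
            while ts - in_window[0][0] > window:
                _, old_host = in_window.popleft()
                host_counts[old_host] -= 1
                if host_counts[old_host] == 0:
                    del host_counts[old_host]
            peak = max(peak, len(host_counts))
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def _rec(ip, host, ts):
    return {"ClientIP": ip, "ClientRequestHost": host, "EdgeStartTimestamp": ts}


T0 = 1_700_000_000  # constructed base timestamp (Unix seconds)
SAMPLE_RECORDS = (
    # constructed: one client reaches 12 distinct hosts inside 5 minutes
    [_rec("203.0.113.7", f"svc{i}.example.com", T0 + 25 * i) for i in range(12)]
    # constructed: normal browsing, 20 requests spread over 3 hosts
    + [_rec("198.51.100.9", f"app{i % 3}.example.com", T0 + 30 * i) for i in range(20)]
    # constructed: 11 hosts, but 11 minutes apart, so no window ever holds two
    + [_rec("192.0.2.44", f"svc{i}.example.com", T0 + 660 * i) for i in range(11)]
)

if __name__ == "__main__":
    print(distinct_hosts_per_ip(SAMPLE_RECORDS))
```

The third client shows why the window matters: it touches 11 hosts in total but never more than one within any 10-minute span, so a plain per-day count would have flagged it while the alert's windowed logic does not.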

Cloudflare - WAF - DDoS Attack Detected

Summary: This alert triggers when Cloudflare detects a Layer 7 DDoS (L7 DDoS) attack. Cloudflare's Layer 7 Distributed Denial of Service (L7 DDoS) protection detects and mitigates attacks targeting the application layer of a web application. These attacks aim to overwhelm the application or its infrastructure by flooding it with a high volume of HTTP requests.

Impact: Layer 7 DDoS attacks aim to make web applications unavailable by overwhelming the server with requests. This can lead to significant downtime, affecting the availability of the service to legitimate users.

Mitigation:
- Activate DDoS Mitigation Tools: Use DDoS mitigation tools or services to filter and block malicious traffic.
- Investigate IP Addresses: Investigate the IP addresses triggering the DDoS attack.
- Analyze WAF Logs: Analyze Cloudflare WAF logs for patterns, anomalies, and potential attack signatures.
- Block Offending IPs: Consider temporarily blocking the offending IP addresses if the activity appears malicious.
- Update WAF Rules: Update WAF rules or adjust configurations as needed to address potential vulnerabilities or misconfigurations.

MITRE ATT&CK Framework Tactic: TA0040
Technique: T1498

Cloudflare - WAF - Brute Force on Login URLs

This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages involve systematically attempting multiple combinations of usernames and passwords until a successful login is achieved. This technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error.

Impact: The impact varies depending on the success of the attack and the targeted system's sensitivity, and may include account compromise, privilege escalation, data breach, resource exhaustion, and a weakened security posture.

Mitigation: If the aggregated logs show actual login URLs that match your web application's login, check whether the requests were intercepted at the Cloudflare edge. If not, consider blocking the offending IP on the Cloudflare WAF.

MITRE Tactic: TA0006
MITRE Technique: T1110

Cloudflare - WAF - SQLi Attack

This alert detects when an SQL Injection (SQLi) attack may be taking place, based on triggered Cloudflare WAF rules that contain a certain set of keywords representing SQLi attacks, over a determined period of time in the context of a single IP address.

Impact: May be an indication of an SQLi attack, which can have serious consequences for organizations, including data breach, application disruption and unauthorized access to organizational assets.

Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1059

Cloudflare - WAF - High Volume of Bot Requests

This alert detects a high volume of bot requests. A bot is an autonomous program on a network that can interact with computer systems or users, imitating or replacing a human user's behavior, and performing repetitive tasks. Bots can be divided into 2 categories:
1. Good bots - bots that are useful to the businesses they interact with, e.g. search engine bots like Googlebot and Bingbot, or bots that operate on social media platforms like Facebook Bot.
2. Bad bots - bots that are designed to perform malicious actions, ultimately hurting businesses, e.g. credential stuffing bots, third-party scraping bots, spam bots, etc.

Impact: Threat actors can send a high volume of bot requests to the web servers either to disrupt the normal operations of a business or to extract confidential information.

Mitigation: Check the nature of the bot. If the bot is not from the good bots category, investigate it further.

MITRE Tactic: TA0042
MITRE Technique: T1583

Cloudflare - WAF - Possible Information Disclosure

This alert detects when a successful HTTP GET request (2XX response) targets a URL that ends with one of a set of specific file extensions (such as .txt files) that can contain information that shouldn't be disclosed directly to the internet. The following file extensions are detected by this alert:
- Configuration Files: .env, .config, .ini, .conf
- Backup Files: .bak, .old, .zip
- Log Files: .log, .txt, .log.txt
- Source Code Files: .java, .py, .rb
- Database Dump Files: .sql, .dump
- Backup Scripts: .sh, .bat, .ps1
- Private Keys and Certificates: .pem, .key, .p12, .crt

Please Note: This alert may require tuning based on the web application's usage (i.e. if it legitimately serves any of the mentioned file extensions). File extensions can be added/removed and the match condition can be tuned to a lower/higher rate of occurrence to match the operation of the web application.

Impact: Information disclosure attacks can have severe consequences for individuals and organizations, and can result in a data and privacy breach.

Mitigation: Investigate the URLs and confirm whether they are legitimate and part of the web application's normal operation and purpose. If not, consider blocking the client IP on the WAF.

MITRE Tactic: TA0009
MITRE Technique: T1048

Cloudflare - WAF - More Than Usual 4Xx Origin Response Errors (At Least 50)

This alert detects when 4xx origin response errors are generated more often than usual: if the error count exceeds the usual number by the threshold value of 50, the alert is triggered. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. The origin response status code is the HTTP response code sent from the origin server to Cloudflare.

Note: Since this alert will start alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 4xx origin response, over 15% in 30min', which starts alerting on anomalies right after being deployed.

Impact: An excessive number of 4xx status codes could impact the normal business operations of an organization. Usually, the purpose behind this kind of attack is to tarnish the image of an organization by making its web servers inaccessible to legitimate users.

Mitigation: Check the exact status code generated and investigate it further to understand its cause. Please see the link below for detailed mitigations for different 4xx errors: https://community.cloudflare.com/t/community-tip-fixing-4xx-errors/68457

MITRE Tactic: TA0040
MITRE Technique: T1498

Cloudflare - WAF - High Error Ratio of 5Xx Origin Response, Over 5% in 30Min

This alert detects when the 5xx origin response error codes exceed 5% of the total count of origin response status codes in 30 minutes. In other words, this alert calculates the ratio between 5xx error codes and the overall number of response codes in 30 minutes; if the ratio exceeds 5%, it is triggered. Here, the origin response indicates that the error response was generated by your origin web server.

Impact: Excessive 5xx errors prevent the server from fulfilling legitimate requests and from loading your site content, resulting in a poor user experience.

Mitigation: The following actions can be taken to mitigate/troubleshoot this behavior:
- Investigate excessive server loads, crashes, or network failures.
- Identify applications or services that timed out or were blocked.
- Review origin web server error logs to identify web server application crashes or outages.
Please see the link below for more details on the mitigations for different 5xx errors: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors

MITRE Tactic: TA0040
MITRE Technique: T1498
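The 5% ratio rule above, computed per 30-minute bucket over constructed records; this is an added example, not Coralogix's or Cloudflare's code. It assumes the field names EdgeStartTimestamp (taken as Unix seconds) and OriginResponseStatus from Cloudflare's HTTP request log, and assumes OriginResponseStatus is 0 when Cloudflare never contacted the origin (cache hit or request stopped at the edge); such records are left out of the denominator, because counting them dilutes the ratio and can hide an origin outage.

```python
from collections import defaultdict

BUCKET_SECONDS = 30 * 60   # the alert's 30-minute interval
RATIO_THRESHOLD = 0.05     # 5% of origin responses


def origin_5xx_ratio_by_bucket(records, bucket=BUCKET_SECONDS):
    """Return {bucket_start: share of 5xx} for each 30-minute bucket that saw
    at least one real origin response."""
    counts = defaultdict(lambda: [0, 0])   # bucket_start -> [5xx count, total]
    for r in records:
        status = r["OriginResponseStatus"]
        if status == 0:
            # Assumption: 0 means no origin fetch happened, so the record says
            # nothing about origin health and must not pad the total.
            continue
        start = r["EdgeStartTimestamp"] - r["EdgeStartTimestamp"] % bucket
        counts[start][1] += 1
        if 500 <= status <= 599:
            counts[start][0] += 1
    return {start: errs / total for start, (errs, total) in counts.items()}


def buckets_over_threshold(records, threshold=RATIO_THRESHOLD):
    """Start times of the buckets whose 5xx ratio exceeds the threshold."""
    return sorted(start for start, ratio in origin_5xx_ratio_by_bucket(records).items()
                  if ratio > threshold)


T0 = 1_699_999_200   # constructed: a timestamp aligned to a 30-minute boundary
SAMPLE_RECORDS = (
    # constructed bucket 1: 100 origin responses, 3 of them 503 -> 3%, under threshold
    [{"EdgeStartTimestamp": T0 + i, "OriginResponseStatus": 503 if i < 3 else 200}
     for i in range(100)]
    # constructed bucket 2: 100 origin responses, 8 of them 502 -> 8%, over threshold
    + [{"EdgeStartTimestamp": T0 + 1800 + i, "OriginResponseStatus": 502 if i < 8 else 200}
       for i in range(100)]
    # constructed bucket 2 also carries 100 cache hits (status 0); counting them in
    # the total would report 8/200 = 4% and miss the outage
    + [{"EdgeStartTimestamp": T0 + 1800 + 200 + i, "OriginResponseStatus": 0}
       for i in range(100)]
)

if __name__ == "__main__":
    for start, ratio in sorted(origin_5xx_ratio_by_bucket(SAMPLE_RECORDS).items()):
        print(start, f"{ratio:.1%}")
    print("alerting buckets:", buckets_over_threshold(SAMPLE_RECORDS))
```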

Cloudflare - WAF - A New Client Request Host Detected

This alert detects when a new host is requested by the client. Please note that this alert will become active only after the configured alert time window has elapsed following deployment, which in this case is 7 days. This gives the algorithm time to train on the new values of the tracked key, capture the baseline, and prevent false notifications.

Impact: After threat actors have gained access to your account, they can request new hosts on behalf of legitimate users and can go on to perform further malicious operations.

Mitigation: Check with the user who initiated this request. If the user is unaware of the activity, investigate it further.

MITRE Tactic: TA0001
MITRE Technique: T1190

Cloudflare - WAF - Potential SQLi Attack

This alert triggers in the event of a large number of logs containing Cloudflare WAF SQLi Attack Score values that indicate an attack (score between 1 and 20). Read more about the Cloudflare WAF Attack Score here: https://developers.cloudflare.com/waf/about/waf-attack-score/

PLEASE NOTE: This alert will only trigger if your Cloudflare plan is at least at Enterprise level.

Impact: May be an indication of an SQLi attack, which can have serious consequences for organizations, including data breach, application disruption and unauthorized access to organizational assets.

Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1059

Cloudflare - WAF - Common Vulnerability Attack

This alert fires when logs containing triggered Cloudflare WAF rules have any mention of a CVE over a determined period of time in the context of a single IP address.

Impact: Depends on the CVE mentioned; requires investigation.

Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.

Cloudflare - WAF - XSS Attack

This alert detects when a Cross Site Scripting (XSS) attack may be taking place, based on triggered Cloudflare WAF rules that contain a certain set of keywords representing XSS attacks, over a determined period of time in the context of a single IP address.

Impact: May be an indication of an XSS attack, which can have serious consequences for organizations, such as data theft, privacy breach and reputation damage.

Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1190

Cloudflare - WAF - More Than Usual 5Xx Origin Response Errors (At Least 50)

This alert detects when 5xx origin response errors are generated more often than usual: if the error count exceeds the usual number by the threshold value of 10, the alert is triggered. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. Here, the origin response indicates that the error response was generated by your origin web server.

Note: Since this alert will start alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 5xx origin response, over 5% in 30min', which starts alerting on anomalies right after being deployed.

Impact: Excessive 5xx errors prevent the server from fulfilling legitimate requests and from loading your site content, resulting in a poor user experience.

Mitigation: The following actions can be taken to mitigate/troubleshoot this behavior:
- Investigate excessive server loads, crashes, or network failures.
- Identify applications or services that timed out or were blocked.
- Review origin web server error logs to identify web server application crashes or outages.
Please see the link below for more details on the mitigations for different 5xx errors: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors

MITRE Tactic: TA0040
MITRE Technique: T1498

Cloudflare - WAF - More Than Usual 5Xx Edge Response Errors (At Least 50)

This alert detects when 5xx edge response errors are generated more often than usual: if the error count exceeds the usual number by the threshold value of 50, the alert is triggered. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. The edge response status code is the HTTP response code sent from Cloudflare to the client (end user).

Note: Since this alert will start alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 5xx edge response, over 5% in 30min', which starts alerting on anomalies right after being deployed.

Impact: Excessive 5xx errors prevent the server from fulfilling legitimate requests and from loading your site content, resulting in a poor user experience.

Mitigation: Check the exact status code generated and investigate it further to understand its cause. Please see the link below for detailed mitigations for different 5xx errors: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors

MITRE Tactic: TA0040
MITRE Technique: T1498

Cloudflare - WAF - Remote Code Execution Attack

This alert detects when a Remote Code Execution (RCE) attack may be taking place, based on triggered Cloudflare WAF rules that contain a certain set of keywords representing RCE attacks, over a determined period of time in the context of a single IP address.

Impact: May be an indication of an RCE attack, where assets may be compromised by malicious actors.

Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1203

Cloudflare - WAF - Potential RCE Attack

This alert triggers in the event of a large number of logs containing Cloudflare WAF RCE Attack Score values that indicate an attack (score between 1 and 20). Read more about the Cloudflare WAF Attack Score here: https://developers.cloudflare.com/waf/about/waf-attack-score/

PLEASE NOTE: This alert will only trigger if your Cloudflare plan is at least at Enterprise level.

Impact: May be an indication of an RCE attack, where assets may be compromised by malicious actors.

Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1203

Cloudflare - WAF - Possible Bypass

This alert detects, based on specific logic, that the Cloudflare WAF may NOT be BLOCKING potentially malicious requests, using the Cloudflare WAF Attack Score as the indicator of an attack. The alert triggers if the WAF Action is "unknown" AND NOT "simulate" AND the WAF Attack Score is between 1 and 50, indicating an attack or likely attack. Read more about the Cloudflare WAF Attack Score here: https://developers.cloudflare.com/waf/about/waf-attack-score/

PLEASE NOTE: This alert will only trigger if your Cloudflare plan is at least at Enterprise level.

Impact: Context dependent; in most cases this alert can surface payloads that bypass the Cloudflare WAF or a zero-day attack.

Mitigation: Investigate further by examining the source IPs, request URLs, and edge and origin response codes.
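The attack-score conditions of the Potential SQLi Attack, Potential RCE Attack and Possible Bypass alerts, evaluated over constructed request records and grouped by source IP the way an analyst would triage them; this is an added example, not Coralogix's or Cloudflare's code. The field names ClientIP, WAFAction, WAFAttackScore, WAFSQLiAttackScore and WAFRCEAttackScore are assumed to follow Cloudflare's HTTP request log, and a request that carries no score (for example on a plan without attack scoring) is assumed not to match any of the three conditions.

```python
from collections import defaultdict


def _in_range(value, low, high):
    """True only for a present score inside [low, high]; a missing score never matches."""
    return value is not None and low <= value <= high


def classify(record):
    """Return the set of alert names whose condition this single record satisfies."""
    hits = set()
    if _in_range(record.get("WAFSQLiAttackScore"), 1, 20):
        hits.add("Potential SQLi Attack")
    if _in_range(record.get("WAFRCEAttackScore"), 1, 20):
        hits.add("Potential RCE Attack")
    # Possible Bypass: the WAF took no enforcement action ("unknown", which by
    # itself rules out "simulate") although the overall score says attack or
    # likely attack (1..50). A blocked request with the same score is not a bypass.
    if record.get("WAFAction") == "unknown" and _in_range(record.get("WAFAttackScore"), 1, 50):
        hits.add("Possible Bypass")
    return hits


def alerts_by_ip(records):
    """Group alert hits per client IP: {ip: {alert_name: count}} for IPs with any hit."""
    out = defaultdict(lambda: defaultdict(int))
    for r in records:
        for name in classify(r):
            out[r["ClientIP"]][name] += 1
    return {ip: dict(counts) for ip, counts in out.items()}


# Constructed sample records (assumed field names, see lead-in).
SAMPLE_RECORDS = [
    # scored as SQLi and overall attack, yet WAF action is "unknown": bypass candidate
    {"ClientIP": "203.0.113.7", "WAFAction": "unknown", "WAFAttackScore": 12,
     "WAFSQLiAttackScore": 8, "WAFRCEAttackScore": 90},
    # same scores but blocked: counts as Potential SQLi only, not a bypass
    {"ClientIP": "203.0.113.7", "WAFAction": "block", "WAFAttackScore": 5,
     "WAFSQLiAttackScore": 3, "WAFRCEAttackScore": 85},
    # rule in simulate mode: excluded from the bypass alert by definition
    {"ClientIP": "198.51.100.9", "WAFAction": "simulate", "WAFAttackScore": 30,
     "WAFSQLiAttackScore": 60, "WAFRCEAttackScore": 70},
    # not enforced but clearly clean (score 95): nothing to report
    {"ClientIP": "198.51.100.9", "WAFAction": "unknown", "WAFAttackScore": 95,
     "WAFSQLiAttackScore": 97, "WAFRCEAttackScore": 99},
    # no score fields at all: treated as not matching
    {"ClientIP": "192.0.2.44", "WAFAction": "unknown"},
    # likely attack (40) with an RCE score in the attack band, not enforced
    {"ClientIP": "192.0.2.44", "WAFAction": "unknown", "WAFAttackScore": 40,
     "WAFSQLiAttackScore": 75, "WAFRCEAttackScore": 15},
]

if __name__ == "__main__":
    for ip, counts in alerts_by_ip(SAMPLE_RECORDS).items():
        print(ip, counts)
```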

Cloudflare - WAF Specific Rule ID - Custom SRC

This alert monitors logs triggered by rule ID bb3331eb24034508a5c274a6d85f8908. Please see Zendesk ticket number 7795.

Integration

Learn more about Coralogix's out-of-the-box integration with Cloudflare WAF in our documentation.
