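---
# Security Invariant Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
#
# Each rule compares a gauge exported by the invariant checker against the
# expected value and carries `component: invariant` (plus `invariant_name`
# where one applies) so escalation routing can match on those labels.
# Section headers state the `severity` label actually set on the rule, so a
# reader skimming the headers is not misled about paging behaviour.
# Label references such as {{ $labels.zone }}, {{ $labels.ssl_mode }} or
# {{ $labels.exposure_method }} assume the exporter attaches those labels to
# the series — confirm against the exporter before relying on them in routing.
groups:
  - name: invariant_alerts
    interval: 60s
    rules:
      # ============================================
      # CRITICAL - SSL Mode Downgrade
      # ============================================
      - alert: SSLModeDowngraded
        expr: cloudflare_zone_ssl_mode != 1  # 1 = Full (Strict)
        for: 2m
        labels:
          severity: critical
          component: invariant
          invariant_name: ssl_strict_mode
          category: encryption
          frameworks: "SOC2,PCI-DSS,ISO27001"
        annotations:
          summary: "SSL mode is not Full (Strict) for {{ $labels.zone }}"
          description: |
            Zone {{ $labels.zone }} SSL mode has been changed from Full (Strict).
            Current mode: {{ $labels.ssl_mode }}
            This weakens TLS security and may allow MITM attacks.
            This is a compliance violation for multiple frameworks.
          impact: "Reduced TLS security, potential MITM vulnerability"
          runbook_url: "https://wiki.internal/invariants/ssl-mode"

      # ============================================
      # CRITICAL - Always Use HTTPS Disabled
      # ============================================
      - alert: HTTPSNotEnforced
        expr: cloudflare_zone_always_use_https == 0
        for: 2m
        labels:
          severity: critical
          component: invariant
          invariant_name: always_use_https
          category: encryption
          frameworks: "SOC2,PCI-DSS,HIPAA"
        annotations:
          summary: "Always Use HTTPS disabled for {{ $labels.zone }}"
          description: |
            Zone {{ $labels.zone }} allows HTTP traffic.
            This may expose sensitive data in transit.
          impact: "Data transmitted over unencrypted connections"
          runbook_url: "https://wiki.internal/invariants/https-enforcement"

      # ============================================
      # CRITICAL - TLS Version Below Minimum
      # ============================================
      - alert: TLSVersionTooLow
        # Assumes the exporter publishes the minimum version as a float
        # (1.0, 1.1, 1.2, 1.3); the literal 1.2 compares exactly in PromQL.
        expr: cloudflare_zone_min_tls_version < 1.2
        for: 2m
        labels:
          severity: critical
          component: invariant
          invariant_name: min_tls_version
          category: encryption
          frameworks: "PCI-DSS,NIST"
        annotations:
          summary: "Minimum TLS version below 1.2 for {{ $labels.zone }}"
          description: |
            Zone {{ $labels.zone }} allows TLS versions below 1.2.
            Current minimum: TLS {{ $labels.min_tls }}
            TLS 1.0 and 1.1 have known vulnerabilities.
            PCI-DSS requires TLS 1.2 minimum.
          impact: "Vulnerable TLS versions allowed"
          runbook_url: "https://wiki.internal/invariants/tls-version"

      # ============================================
      # WARNING - HSTS Not Enabled
      # ============================================
      - alert: HSTSNotEnabled
        expr: cloudflare_zone_hsts_enabled == 0
        for: 5m
        labels:
          severity: warning
          component: invariant
          invariant_name: hsts_enabled
          category: encryption
          frameworks: "SOC2,OWASP"
        annotations:
          summary: "HSTS not enabled for {{ $labels.zone }}"
          description: |
            HTTP Strict Transport Security is not enabled for {{ $labels.zone }}.
            This allows SSL stripping attacks.
          runbook_url: "https://wiki.internal/invariants/hsts"

      # ============================================
      # WARNING - Security Headers Missing
      # ============================================
      - alert: SecurityHeadersMissing
        # Threshold 0.8 is repeated in the description below; keep both in sync.
        expr: cloudflare_zone_security_headers_score < 0.8
        for: 5m
        labels:
          severity: warning
          component: invariant
          invariant_name: security_headers
          category: headers
          frameworks: "OWASP,SOC2"
        annotations:
          summary: "Security headers score below threshold for {{ $labels.zone }}"
          description: |
            Zone {{ $labels.zone }} security headers score: {{ $value }}
            Expected minimum: 0.8
            Missing headers may include: CSP, X-Frame-Options, X-Content-Type-Options
          runbook_url: "https://wiki.internal/invariants/security-headers"

      # ============================================
      # CRITICAL - Origin IP Exposed
      # ============================================
      - alert: OriginIPExposed
        expr: cloudflare_origin_ip_exposed == 1
        for: 1m
        labels:
          severity: critical
          component: invariant
          invariant_name: origin_hidden
          category: network
          frameworks: "SOC2"
        annotations:
          summary: "Origin IP may be exposed for {{ $labels.zone }}"
          description: |
            DNS or headers may be exposing the origin server IP.
            Exposed via: {{ $labels.exposure_method }}
            Attackers can bypass Cloudflare protection by attacking origin directly.
          impact: "Origin server exposed to direct attacks"
          runbook_url: "https://wiki.internal/invariants/origin-protection"

      # ============================================
      # WARNING - Rate Limiting Not Configured
      # ============================================
      - alert: RateLimitingMissing
        expr: cloudflare_zone_rate_limiting_rules == 0
        for: 5m
        labels:
          severity: warning
          component: invariant
          invariant_name: rate_limiting
          category: protection
          frameworks: "SOC2,OWASP"
        annotations:
          summary: "No rate limiting rules for {{ $labels.zone }}"
          description: |
            Zone {{ $labels.zone }} has no rate limiting rules configured.
            This leaves the zone vulnerable to brute force attacks.
          runbook_url: "https://wiki.internal/invariants/rate-limiting"

      # ============================================
      # WARNING - Authenticated Origin Pulls Disabled
      # ============================================
      - alert: AuthenticatedOriginPullsDisabled
        expr: cloudflare_zone_authenticated_origin_pulls == 0
        for: 5m
        labels:
          severity: warning
          component: invariant
          invariant_name: aop_enabled
          category: authentication
          frameworks: "SOC2,Zero-Trust"
        annotations:
          summary: "Authenticated Origin Pulls disabled for {{ $labels.zone }}"
          description: |
            Authenticated Origin Pulls is not enabled for {{ $labels.zone }}.
            Origin cannot verify requests come from Cloudflare.
          runbook_url: "https://wiki.internal/invariants/authenticated-origin-pulls"

      # ============================================
      # WARNING - Bot Protection Disabled
      # ============================================
      - alert: BotProtectionDisabled
        expr: cloudflare_zone_bot_management_enabled == 0
        for: 5m
        labels:
          severity: warning
          component: invariant
          invariant_name: bot_management
          category: protection
        annotations:
          summary: "Bot management disabled for {{ $labels.zone }}"
          description: |
            Bot management is not enabled for {{ $labels.zone }}.
            Zone is vulnerable to automated attacks and scraping.
          runbook_url: "https://wiki.internal/invariants/bot-management"

      # ============================================
      # CRITICAL - Access Policy Violation
      # ============================================
      - alert: AccessPolicyViolation
        # Assumes a gauge of current violations; if the exporter ever exposes
        # a monotonically increasing counter this would fire permanently — confirm.
        expr: cloudflare_access_policy_violations > 0
        for: 1m
        labels:
          severity: critical
          component: invariant
          invariant_name: access_policy
          category: access_control
          frameworks: "SOC2,Zero-Trust,ISO27001"
        annotations:
          summary: "Access policy violations detected"
          description: |
            {{ $value }} access policy violations detected.
            Policy: {{ $labels.policy_name }}
            Review access logs for unauthorized access attempts.
          impact: "Potential unauthorized access"
          runbook_url: "https://wiki.internal/invariants/access-control"

      # ============================================
      # WARNING - Browser Integrity Check Disabled
      # ============================================
      - alert: BrowserIntegrityCheckDisabled
        expr: cloudflare_zone_browser_integrity_check == 0
        for: 5m
        labels:
          severity: warning
          component: invariant
          invariant_name: browser_integrity_check
          category: protection
        annotations:
          summary: "Browser Integrity Check disabled for {{ $labels.zone }}"
          description: |
            Browser Integrity Check is disabled for {{ $labels.zone }}.
            This allows requests with suspicious headers.

      # ============================================
      # INFO - Email Obfuscation Disabled
      # ============================================
      - alert: EmailObfuscationDisabled
        expr: cloudflare_zone_email_obfuscation == 0
        for: 5m
        labels:
          severity: info
          component: invariant
          invariant_name: email_obfuscation
          category: privacy
        annotations:
          summary: "Email obfuscation disabled for {{ $labels.zone }}"
          description: |
            Email obfuscation is disabled.
            Email addresses on pages may be harvested by spam bots.

      # ============================================
      # WARNING - Development Mode Active
      # ============================================
      - alert: DevelopmentModeActive
        expr: cloudflare_zone_development_mode == 1
        for: 5m
        labels:
          severity: warning
          component: invariant
          invariant_name: development_mode
          category: configuration
        annotations:
          summary: "Development mode active for {{ $labels.zone }}"
          description: |
            Development mode is active for {{ $labels.zone }}.
            This bypasses Cloudflare's cache and should only be used temporarily.
            Remember to disable after development is complete.

      # ============================================
      # CRITICAL - Invariant Check Failure
      # ============================================
      - alert: InvariantCheckFailed
        expr: cloudflare_invariant_check_status == 0
        for: 5m
        labels:
          severity: critical
          component: invariant
          category: monitoring
        annotations:
          summary: "Invariant checker is failing"
          description: |
            The invariant checker script is not running successfully.
            Last success: {{ $labels.last_success }}
            Error: {{ $labels.error_message }}
            Security invariants are not being monitored.
          runbook_url: "https://wiki.internal/invariants/checker-troubleshooting"

      # ============================================
      # CRITICAL - Invariant Metrics Absent
      # ============================================
      # `== 0` above can only fire while the status series exists. If the
      # checker or its scrape target disappears entirely, no series is present
      # and every rule in this group goes silent; absent() closes that gap.
      - alert: InvariantMetricsAbsent
        expr: absent(cloudflare_invariant_check_status)
        for: 5m
        labels:
          severity: critical
          component: invariant
          category: monitoring
        annotations:
          summary: "Invariant checker status metric is missing"
          description: |
            No cloudflare_invariant_check_status series has been scraped for 5 minutes.
            The checker or its exporter may be down, so none of the invariant
            alerts in this group can fire. Security invariants are not being monitored.
          runbook_url: "https://wiki.internal/invariants/checker-troubleshooting"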