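---
# WAF Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
#
# Prometheus alerting rules over the Cloudflare WAF exporter metrics. Every
# metric name and every $labels.* referenced below must match what that
# exporter emits; the rules here do not define them.
#
# Severity conventions used in this file:
#   critical - page: active attack, rule bypass, or protection removed
#   warning  - ticket: elevated attack traffic or a suspicious config change
#   info     - dashboard only: awareness, no immediate action required
groups:
  - name: waf_alerts
    interval: 30s
    rules:
      # ============================================
      # CRITICAL - Massive Attack Detected
      # ============================================
      - alert: WAFMassiveAttack
        # Absolute threshold on the 5m block rate; WAFAttackSpike below covers
        # the relative (baseline) case.
        expr: |
          rate(cloudflare_waf_blocked_requests_total[5m]) > 1000
        for: 2m
        labels:
          severity: critical
          component: waf
          playbook: waf-incident
        annotations:
          summary: "Massive attack detected - {{ $value | humanize }} blocks/sec"
          description: |
            WAF is blocking more than 1000 requests per second.
            This indicates a significant attack in progress.
            Consider enabling Under Attack Mode if not already active.
          impact: "Potential service degradation under attack load"
          current_mitigation: "WAF blocking enabled"
          runbook_url: "https://wiki.internal/playbooks/waf-incident"

      # ============================================
      # CRITICAL - WAF Rule Bypass Detected
      # ============================================
      - alert: WAFRuleBypass
        # Gauge set by the exporter; a bypass is a security incident, not just
        # an availability event, hence the security_incident routing label.
        expr: cloudflare_waf_bypass_detected == 1
        for: 1m
        labels:
          severity: critical
          component: waf
          playbook: waf-incident
          security_incident: "true"
        annotations:
          summary: "WAF rule bypass detected for rule {{ $labels.rule_id }}"
          # NOTE(review): bypass_count is read from a label here. If the exporter
          # really puts a counter value in a label, every new count creates a new
          # series (high cardinality) - confirm against the exporter.
          description: |
            Malicious traffic matching known attack patterns has bypassed WAF rule {{ $labels.rule_id }}.
            Attack type: {{ $labels.attack_type }}
            Bypassed requests: {{ $labels.bypass_count }}
            Review and tighten rule immediately.
          runbook_url: "https://wiki.internal/playbooks/waf-incident"

      # ============================================
      # WARNING - Attack Spike
      # ============================================
      - alert: WAFAttackSpike
        # Current 5m block rate compared with a 24h rolling average of the same
        # 5m rate. clamp_min() puts an absolute floor of 1 block/s under the
        # threshold: on a zone whose baseline is near zero, "5x normal" is still
        # a handful of blocks and would otherwise page on noise.
        expr: |
          rate(cloudflare_waf_blocked_requests_total[5m])
            > clamp_min(5 * avg_over_time(rate(cloudflare_waf_blocked_requests_total[5m])[24h:5m]), 1)
        for: 5m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "WAF block rate 5x above normal"
          description: |
            WAF is blocking significantly more requests than the 24-hour average.
            Current rate: {{ $value | humanize }}/s
            This may indicate an attack or new attack pattern.

      # ============================================
      # WARNING - SQL Injection Attempts
      # ============================================
      - alert: WAFSQLiAttack
        expr: rate(cloudflare_waf_sqli_blocks_total[5m]) > 10
        for: 2m
        labels:
          severity: warning
          component: waf
          attack_type: sqli
        annotations:
          summary: "SQL injection attack detected"
          description: |
            WAF is blocking SQL injection attempts at {{ $value | humanize }}/s.
            Source IPs may need to be blocked at firewall level.

      # ============================================
      # WARNING - XSS Attempts
      # ============================================
      - alert: WAFXSSAttack
        expr: rate(cloudflare_waf_xss_blocks_total[5m]) > 10
        for: 2m
        labels:
          severity: warning
          component: waf
          attack_type: xss
        annotations:
          summary: "XSS attack detected"
          description: |
            WAF is blocking cross-site scripting attempts at {{ $value | humanize }}/s.
            Review application input validation.

      # ============================================
      # WARNING - Bot Attack
      # ============================================
      - alert: WAFBotAttack
        # Higher threshold and longer `for` than SQLi/XSS: some bot blocking is
        # normal background traffic.
        expr: rate(cloudflare_waf_bot_blocks_total[5m]) > 100
        for: 5m
        labels:
          severity: warning
          component: waf
          attack_type: bot
        annotations:
          summary: "High bot traffic detected"
          description: |
            WAF is blocking bot traffic at {{ $value | humanize }}/s.
            Consider enabling Bot Fight Mode or stricter challenges.

      # ============================================
      # CRITICAL - Rate Limit Exhaustion
      # ============================================
      - alert: WAFRateLimitExhausted
        # NOTE(review): this fires (at critical) whenever any rate-limit rule
        # triggers, i.e. whenever the control does its job. Consider whether a
        # warning is sufficient unless legitimate-user impact is confirmed.
        # NOTE(review): source_ip as a label is one series per client IP -
        # expect high cardinality under a distributed attack; confirm the
        # exporter bounds this.
        expr: cloudflare_waf_rate_limit_triggered == 1
        for: 1m
        labels:
          severity: critical
          component: waf
        annotations:
          summary: "Rate limit triggered for {{ $labels.rule_name }}"
          description: |
            Rate limiting rule {{ $labels.rule_name }} has been triggered.
            Source: {{ $labels.source_ip }}
            Requests blocked: {{ $labels.blocked_count }}
            Legitimate users may be affected.

      # ============================================
      # WARNING - WAF Rule Disabled
      # ============================================
      - alert: WAFRuleDisabled
        # Per-rule gauge. 5m of confirmation avoids paging on a brief scrape
        # glitch, at the cost of a 5m window in which a disabled rule is unseen.
        expr: cloudflare_waf_rule_enabled == 0
        for: 5m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "WAF rule {{ $labels.rule_id }} is disabled"
          description: |
            WAF rule {{ $labels.rule_id }} ({{ $labels.rule_name }}) is currently disabled.
            Verify this is intentional and not a misconfiguration.

      # ============================================
      # WARNING - WAF Mode Changed
      # ============================================
      - alert: WAFModeChanged
        # NOTE(review): changes() only sees the sample VALUE of a series. This
        # rule assumes the exporter encodes the mode as the value; if the mode
        # is carried only in the `mode` label, each labelled series is constant
        # and this will never fire - confirm against the exporter.
        expr: changes(cloudflare_waf_mode[1h]) > 0
        for: 0m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "WAF mode changed for zone {{ $labels.zone }}"
          description: |
            WAF operation mode has changed in the last hour.
            New mode: {{ $labels.mode }}
            Verify this was an authorized change.

      # ============================================
      # INFO - Under Attack Mode Active
      # ============================================
      - alert: UnderAttackModeActive
        # Awareness only; UnderAttackModeExtended below escalates after 2h.
        expr: cloudflare_zone_under_attack == 1
        for: 0m
        labels:
          severity: info
          component: waf
        annotations:
          summary: "Under Attack Mode is ACTIVE for {{ $labels.zone }}"
          description: |
            Under Attack Mode is currently enabled for zone {{ $labels.zone }}.
            This adds a JavaScript challenge to all visitors.
            Remember to disable when attack subsides.

      # ============================================
      # WARNING - Under Attack Mode Extended
      # ============================================
      - alert: UnderAttackModeExtended
        # Same condition as UnderAttackModeActive; the 2h `for` is what makes
        # this the escalation.
        expr: cloudflare_zone_under_attack == 1
        for: 2h
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "Under Attack Mode active for 2+ hours"
          description: |
            Under Attack Mode has been active for {{ $labels.zone }} for more than 2 hours.
            Verify it's still needed as it impacts user experience.

      # ============================================
      # CRITICAL - WAF Completely Disabled
      # ============================================
      - alert: WAFDisabled
        # Protection removed for an entire zone. Treated like a bypass: routed
        # to the waf-incident playbook and flagged as a security incident, since
        # an unexplained disable may be the result of compromised credentials
        # rather than a misconfiguration.
        expr: cloudflare_waf_enabled == 0
        for: 5m
        labels:
          severity: critical
          component: waf
          playbook: waf-incident
          security_incident: "true"
        annotations:
          summary: "WAF is DISABLED for zone {{ $labels.zone }}"
          description: |
            The Web Application Firewall is completely disabled for {{ $labels.zone }}.
            This leaves the zone unprotected against application-layer attacks.
            Enable immediately unless there's a documented exception.
          runbook_url: "https://wiki.internal/playbooks/waf-incident"

      # ============================================
      # INFO - Low WAF Efficacy
      # ============================================
      - alert: WAFLowEfficacy
        # Share of analyzed requests that were blocked, over the last hour.
        # Both counters are rate()d so the ratio reflects current behaviour;
        # dividing the raw lifetime counters would be dominated by history and
        # react very slowly to a rule set that has just become too permissive.
        # With no analyzed requests the division is NaN, which does not satisfy
        # `< 0.001`, so the rule stays silent on idle zones.
        expr: |
          rate(cloudflare_waf_blocked_requests_total[1h])
            / rate(cloudflare_waf_analyzed_requests_total[1h]) < 0.001
        for: 1h
        labels:
          severity: info
          component: waf
        annotations:
          summary: "Low WAF block rate for {{ $labels.zone }}"
          description: |
            WAF is blocking very few requests (< 0.1%).
            This might indicate rules are too permissive or the zone is not receiving attack traffic.

      # ============================================
      # WARNING - Firewall Rule Missing
      # ============================================
      - alert: FirewallRuleMissing
        # Baseline drift check: the exporter reports presence of each rule that
        # the WAF baseline marks as critical.
        expr: cloudflare_firewall_critical_rule_exists == 0
        for: 5m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "Critical firewall rule missing: {{ $labels.rule_name }}"
          description: |
            Expected firewall rule {{ $labels.rule_name }} is not configured.
            This rule is marked as critical in the WAF baseline.

      # ============================================
      # WARNING - High False Positive Rate
      # ============================================
      - alert: WAFHighFalsePositives
        # False positives as a fraction of all blocks over 1h. NaN when nothing
        # was blocked, which keeps the rule silent.
        expr: |
          rate(cloudflare_waf_false_positives_total[1h])
            / rate(cloudflare_waf_blocked_requests_total[1h]) > 0.1
        for: 1h
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "High WAF false positive rate"
          description: |
            WAF false positive rate exceeds 10%.
            Current rate: {{ $value | humanizePercentage }}
            Review and tune rules to reduce legitimate traffic blocking.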