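# WAF Alert Rules for Cloudflare Mesh Observatory
# Phase 5B - Alerts & Escalation
#
# Prometheus alerting rules for the Cloudflare WAF metrics. Each rule's
# `labels.severity` is the value consumers act on; the banner comments are
# kept in sync with it. Alert annotations are Go templates evaluated by
# Prometheus, so any value starting with `{{` is double-quoted to keep the
# YAML parser from reading it as a flow mapping.
---

groups:
  - name: waf_alerts
    interval: 30s
    rules:
      # ============================================
      # CRITICAL - Massive Attack Detected
      # ============================================
      - alert: WAFMassiveAttack
        expr: |
          rate(cloudflare_waf_blocked_requests_total[5m]) > 1000
        for: 2m
        labels:
          severity: critical
          component: waf
          playbook: waf-incident
        annotations:
          summary: "Massive attack detected - {{ $value | humanize }} blocks/sec"
          description: |
            WAF is blocking more than 1000 requests per second.
            This indicates a significant attack in progress.

            Consider enabling Under Attack Mode if not already active.
          impact: "Potential service degradation under attack load"
          current_mitigation: "WAF blocking enabled"
          runbook_url: "https://wiki.internal/playbooks/waf-incident"

      # ============================================
      # CRITICAL - WAF Rule Bypass Detected
      # ============================================
      - alert: WAFRuleBypass
        expr: cloudflare_waf_bypass_detected == 1
        for: 1m
        labels:
          severity: critical
          component: waf
          playbook: waf-incident
          # Quoted on purpose: downstream routing wants the string "true",
          # not a YAML boolean.
          security_incident: "true"
        annotations:
          summary: "WAF rule bypass detected for rule {{ $labels.rule_id }}"
          description: |
            Malicious traffic matching known attack patterns has bypassed
            WAF rule {{ $labels.rule_id }}.

            Attack type: {{ $labels.attack_type }}
            Bypassed requests: {{ $labels.bypass_count }}

            Review and tighten rule immediately.
          runbook_url: "https://wiki.internal/playbooks/waf-incident"

      # ============================================
      # WARNING - Attack Spike
      # ============================================
      # Compares the current 5m block rate against the 24h average of the
      # same rate (subquery). NOTE(review): when the 24h baseline is close to
      # zero any non-zero rate satisfies `> 5 * baseline`; if this proves
      # noisy on quiet zones, add an absolute floor with `and`.
      - alert: WAFAttackSpike
        expr: |
          rate(cloudflare_waf_blocked_requests_total[5m])
          > 5 * avg_over_time(rate(cloudflare_waf_blocked_requests_total[5m])[24h:5m])
        for: 5m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "WAF block rate 5x above normal"
          description: |
            WAF is blocking significantly more requests than the 24-hour average.
            Current rate: {{ $value | humanize }}/s

            This may indicate an attack or new attack pattern.

      # ============================================
      # WARNING - SQL Injection Attempts
      # ============================================
      - alert: WAFSQLiAttack
        expr: rate(cloudflare_waf_sqli_blocks_total[5m]) > 10
        for: 2m
        labels:
          severity: warning
          component: waf
          attack_type: sqli
        annotations:
          summary: "SQL injection attack detected"
          description: |
            WAF is blocking SQL injection attempts at {{ $value | humanize }}/s.
            Source IPs may need to be blocked at firewall level.

      # ============================================
      # WARNING - XSS Attempts
      # ============================================
      - alert: WAFXSSAttack
        expr: rate(cloudflare_waf_xss_blocks_total[5m]) > 10
        for: 2m
        labels:
          severity: warning
          component: waf
          attack_type: xss
        annotations:
          summary: "XSS attack detected"
          description: |
            WAF is blocking cross-site scripting attempts at {{ $value | humanize }}/s.
            Review application input validation.

      # ============================================
      # WARNING - Bot Attack
      # ============================================
      - alert: WAFBotAttack
        expr: rate(cloudflare_waf_bot_blocks_total[5m]) > 100
        for: 5m
        labels:
          severity: warning
          component: waf
          attack_type: bot
        annotations:
          summary: "High bot traffic detected"
          description: |
            WAF is blocking bot traffic at {{ $value | humanize }}/s.
            Consider enabling Bot Fight Mode or stricter challenges.

      # ============================================
      # CRITICAL - Rate Limit Exhaustion
      # ============================================
      - alert: WAFRateLimitExhausted
        expr: cloudflare_waf_rate_limit_triggered == 1
        for: 1m
        labels:
          severity: critical
          component: waf
        annotations:
          summary: "Rate limit triggered for {{ $labels.rule_name }}"
          description: |
            Rate limiting rule {{ $labels.rule_name }} has been triggered.
            Source: {{ $labels.source_ip }}
            Requests blocked: {{ $labels.blocked_count }}

            Legitimate users may be affected.

      # ============================================
      # WARNING - WAF Rule Disabled
      # ============================================
      - alert: WAFRuleDisabled
        expr: cloudflare_waf_rule_enabled == 0
        for: 5m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "WAF rule {{ $labels.rule_id }} is disabled"
          description: |
            WAF rule {{ $labels.rule_id }} ({{ $labels.rule_name }}) is currently disabled.
            Verify this is intentional and not a misconfiguration.

      # ============================================
      # WARNING - WAF Mode Changed
      # ============================================
      # `for: 0m` fires on the first evaluation that sees a change; the 1h
      # window in `changes()` keeps the alert active for an hour afterwards.
      - alert: WAFModeChanged
        expr: changes(cloudflare_waf_mode[1h]) > 0
        for: 0m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "WAF mode changed for zone {{ $labels.zone }}"
          description: |
            WAF operation mode has changed in the last hour.
            New mode: {{ $labels.mode }}
            Verify this was an authorized change.

      # ============================================
      # INFO - Under Attack Mode Active
      # ============================================
      - alert: UnderAttackModeActive
        expr: cloudflare_zone_under_attack == 1
        for: 0m
        labels:
          severity: info
          component: waf
        annotations:
          summary: "Under Attack Mode is ACTIVE for {{ $labels.zone }}"
          description: |
            Under Attack Mode is currently enabled for zone {{ $labels.zone }}.
            This adds a JavaScript challenge to all visitors.
            Remember to disable when attack subsides.

      # ============================================
      # WARNING - Under Attack Mode Extended
      # ============================================
      # Same expression as UnderAttackModeActive; the longer `for` escalates
      # the severity once the mode has stayed on for two hours.
      - alert: UnderAttackModeExtended
        expr: cloudflare_zone_under_attack == 1
        for: 2h
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "Under Attack Mode active for 2+ hours"
          description: |
            Under Attack Mode has been active for {{ $labels.zone }} for more
            than 2 hours. Verify it's still needed as it impacts user experience.

      # ============================================
      # CRITICAL - WAF Completely Disabled
      # ============================================
      - alert: WAFDisabled
        expr: cloudflare_waf_enabled == 0
        for: 5m
        labels:
          severity: critical
          component: waf
        annotations:
          summary: "WAF is DISABLED for zone {{ $labels.zone }}"
          description: |
            The Web Application Firewall is completely disabled for {{ $labels.zone }}.
            This leaves the zone unprotected against application-layer attacks.

            Enable immediately unless there's a documented exception.

      # ============================================
      # CRITICAL - WAF Metrics Missing
      # ============================================
      # The `== 0` state alerts (WAFDisabled, WAFRuleDisabled,
      # FirewallRuleMissing) are silent when the series disappears, so a dead
      # exporter or broken scrape would look like a healthy WAF. This rule
      # closes that gap on the metric the WAFDisabled check depends on.
      - alert: WAFMetricsAbsent
        expr: absent(cloudflare_waf_enabled)
        for: 5m
        labels:
          severity: critical
          component: waf
        annotations:
          summary: "WAF metrics are missing"
          description: |
            No cloudflare_waf_enabled series has been scraped for 5 minutes.
            The WAF state alerts cannot fire without it; check the exporter
            and scrape target before assuming the WAF is healthy.

      # ============================================
      # INFO - Low WAF Efficacy
      # ============================================
      # Ratio of rates over the same window rather than of the raw counters:
      # a raw counter ratio is cumulative since the exporter's last reset and
      # would not reflect the recent hour that `for: 1h` is meant to observe.
      # When no requests were analyzed the division yields NaN and the
      # comparison is false, so the rule stays quiet on idle zones.
      - alert: WAFLowEfficacy
        expr: |
          rate(cloudflare_waf_blocked_requests_total[1h])
          / rate(cloudflare_waf_analyzed_requests_total[1h]) < 0.001
        for: 1h
        labels:
          severity: info
          component: waf
        annotations:
          summary: "Low WAF block rate for {{ $labels.zone }}"
          description: |
            WAF is blocking very few requests (< 0.1%).
            This might indicate rules are too permissive or
            the zone is not receiving attack traffic.

      # ============================================
      # WARNING - Firewall Rule Missing
      # ============================================
      - alert: FirewallRuleMissing
        expr: cloudflare_firewall_critical_rule_exists == 0
        for: 5m
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "Critical firewall rule missing: {{ $labels.rule_name }}"
          description: |
            Expected firewall rule {{ $labels.rule_name }} is not configured.
            This rule is marked as critical in the WAF baseline.

      # ============================================
      # WARNING - High False Positive Rate
      # ============================================
      # When nothing was blocked in the window the denominator rate is 0, the
      # division yields NaN and the comparison is false: no alert, by design.
      - alert: WAFHighFalsePositives
        expr: |
          rate(cloudflare_waf_false_positives_total[1h])
          / rate(cloudflare_waf_blocked_requests_total[1h]) > 0.1
        for: 1h
        labels:
          severity: warning
          component: waf
        annotations:
          summary: "High WAF false positive rate"
          description: |
            WAF false positive rate exceeds 10%.
            Current rate: {{ $value | humanizePercentage }}
            Review and tune rules to reduce legitimate traffic blocking.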