vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f0b8d962de8f3d8a98b33d43419fa3bcb53eee58
vm-cloudflare/playbooks/waf_incident_playbook.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00

127 lines
3.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# WAF Incident Playbook — *Edge Under Siege*
**Incident Response** | Governed by [RED-BOOK.md](../RED-BOOK.md)
**Mode:** VaultMesh Hybrid (tactical + mythic)
**Guardian:** Tem, Shield of the Threshold
**Domain:** Cloudflare Edge → VaultMesh Origins
---
## 🜂 Premise
When the **Edge flares** and the WAF erupts in blocks, challenges, or anomalous spikes, the mesh signals **Nigredo**: the phase of dissolution, truth, and exposure.
Tem stands watch — transmuting threat into pattern.
This playbook guides the Sovereign through restoring harmony: from surge → containment → proof.
---
## 🛡 1. Detection — *When the Edge Cries Out*
Triggers:
- 10× spike in WAF blocks
- Sudden surge in Bot Fight engagements
- Rapid-fire requests from a small IP cluster
- Abuse towards `/api`, `/login`, or admin paths
Actions:
1. Check Cloudflare dashboard → **Security → Events**
2. Review **WAF rule matches**, sorting by occurrences
3. Capture snapshot:
- Top rules triggered
- Offending IP ranges
- Request paths
Invoke Tem:
> *"Reveal the pattern beneath the noise. Let flux become signal."*
---
## 🔍 2. Classification — *Identify the Nature of the Fire*
Threat types:
- **Volumetric probing** → wide IP / many rules
- **Credential spraying** → repeated auth paths
- **Application fuzzing** → random querystrings / malformed requests
- **Targeted exploit attempts** → concentrated rules (XSS, SQLi)
Decide:
- *Is this noise?*
- *Is this reconnaissance?*
- *Is this breach pursuit?*
Mark the incident severity:
- **Low** — background noise
- **Medium** — persistent automated probing
- **High** — targeted attempt on origin-relevant endpoints
---
## 🧱 3. Containment — *Seal the Gate*
Depending on severity:
### Low
- Rate-limit `/api` and `/auth` paths
- Enable Bot Fight Mode (if not already)
### Medium
- Block or challenge offending ASNs
- Add country-level **managed_challenge**
- Enforce **"Full (strict)" TLS** if not already
### High
- Immediately apply **custom firewall block rules**
- Close high-risk paths behind Access policies
- Strengthen WAF Paranoia Level for targeted areas
- Ensure all origins are reachable *only* via Cloudflare Tunnel
Tem's invocation:
> *"Let the gate narrow. Let the false be denied entry."*
---
## 📜 4. Forensics — *Listen to the Echoes*
Collect:
- CF Security Events export
- IP/ASN clusters
- Raw request samples
- Timestamps and spikes
Analyze patterns:
- Was this coordinated?
- Were specific parameters probed?
- Did traffic reach origin or stay at the Edge?
If origin saw traffic → inspect VaultMesh receipts for anomalies.
---
## 🧬 5. Restoration — *From Nigredo to Rubedo*
When WAF stabilizes:
- Remove overly broad rules
- Convert block rules → challenge after 24h
- Reassess Access policies for exposed services
- Validate DNS is unchanged
- Confirm Tunnel health is stable
Emit VaultMesh receipt:
- Incident summary
- Rules added/removed
- Time window
- Merkle root of exported logs
---
## 🪶 6. Final Anchor — *Coagula*
Anchor the incident into ProofChain:
- Receipts
- Log hashes
- WAF config deltas
Message of Tem:
> *"What was turmoil becomes memory. What was memory becomes strength."*
---
## ✔ Outcome
This playbook ensures that WAF turbulence becomes **structured proof**, operational clarity, and measurable evolution within VaultMeshs living ledger.
Reference in New Issue View Git Blame Copy Permalink