[DDoS Protection/Network Analytics] Clarify log behavior (#19416)

patriciasantaana · hyperlint-ai[bot] · web-flow · commit 74623aae980b · 2025-01-27T08:13:28.000-08:00
* clarify log behavior

* remove import

* Update src/content/docs/analytics/network-analytics/configure/displayed-data.mdx

Co-authored-by: hyperlint-ai[bot] &lt;154288675+hyperlint-ai[bot]@users.noreply.github.com&gt;

---------

Co-authored-by: hyperlint-ai[bot] &lt;154288675+hyperlint-ai[bot]@users.noreply.github.com&gt;
diff --git a/src/content/docs/analytics/network-analytics/configure/displayed-data.mdx b/src/content/docs/analytics/network-analytics/configure/displayed-data.mdx
@@ -67,3 +67,18 @@ Note that some filters will not be added to the new Magic Firewall rule definiti
 Enable the **Show annotations** toggle to show or hide annotations for advertised/withdrawn IP prefix events in the **Network Analytics** view. Select each annotation to get more details.
 
 ![Network Analytics chart displaying IP prefix-related annotations.](~/assets/images/analytics/network-analytics/view-annotations.png)
+
+## View logged or monitored traffic
+
+[Network DDoS managed rules](/ddos-protection/managed-rulesets/network/) and [Advanced DDoS Protection systems](/ddos-protection/advanced-ddos-systems/overview/) provide a `log` or `monitoring` mode that does not drop traffic. These `log` and `monitoring` mode events are based on **Verdict** and **Outcome**/**Action** fields.
+
+To filter for these traffic events:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account.
+2. Go to **Analytics & Logs** > **Network Analytics** > **DDoS managed rules**.
+3. Select **Add filter**.
+    - Set `Verdict equals drop`.
+    - Set `Action equals pass`.
+4. Select **Apply**. 
+
+By setting `verdict` to `drop` and `outcome` as `pass`, we are filtering for traffic that was marked as a detection (that is, verdict was `drop`) but was not dropped (for example, outcome was `pass`).
diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx
@@ -58,7 +58,8 @@ Besides defining rules with one of the above scopes, you must also select the [p
 The Advanced TCP Protection system constantly learns your TCP connections to mitigate DDoS attacks. Advanced TCP Protection rules can have one of the following execution modes: monitoring, mitigation (enabled), or disabled.
 
 - **Monitoring**
-  - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration.
+  - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration. <Render file="log-and-monitor-behavior-link" />
+
 
 - **​​Mitigation (Enabled)**
   - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist).
@@ -99,7 +100,9 @@ The default rate sensitivity and recommended setting is _Low_. You should only i
 
 ## Filter
 
-<Render file="atp-filter-definition" /> The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional.
+<Render file="atp-filter-definition" /> 
+
+The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional.
 
 Each system component has its own filters. You can configure a filter for each execution mode:
 
diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-parameters.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-parameters.mdx
@@ -26,7 +26,7 @@ The action performed for packets that match specific rules of Cloudflare's DDoS
 
 - **Log**
   - API value: `"log"`.
-  - Only available on Enterprise plans. Logs requests that match the expression of a rule detecting network layer DDoS attacks. Recommended for validating a rule before committing to a more severe action.
+  - Only available on Enterprise plans. Logs requests that match the expression of a rule detecting network layer DDoS attacks. Recommended for validating a rule before committing to a more severe action. <Render file="log-and-monitor-behavior-link" />
 
 - **Block**
   - API value: `"block"`.
diff --git a/src/content/partials/ddos-protection/log-and-monitor-behavior-link.mdx b/src/content/partials/ddos-protection/log-and-monitor-behavior-link.mdx
@@ -0,0 +1,5 @@
+---
+{}
+---
+
+Refer to the [Analytics documentation](/analytics/network-analytics/configure/displayed-data/#view-logged-or-monitored-traffic) for more information on how to view logged or monitored traffic.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +{}
 +---
++
 +Refer to the [Analytics documentation](/analytics/network-analytics/configure/displayed-data/#view-logged-or-monitored-traffic) for more information on how to view logged or monitored traffic.