You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/waf/detections/attack-score.mdx
+17-12Lines changed: 17 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ sidebar:
6
6
label: Attack score
7
7
---
8
8
9
-
import { GlossaryTooltip } from"~/components";
9
+
import { GlossaryTooltip, Type } from"~/components";
10
10
11
11
The attack score [traffic detection](/waf/concepts/#detection-versus-mitigation) helps identify variations of known attacks and their malicious payloads. This detection complements [WAF Managed Rules](/waf/managed-rules/).
12
12
@@ -24,17 +24,22 @@ This feature is available to Enterprise customers. Business plans have access to
24
24
25
25
The Cloudflare WAF provides the following attack score fields:
26
26
27
-
| Score | Data type | Minimum plan required | Attack vector | Field |
| WAF Attack Score <br/> [`cf.waf.score`][1] <br/> <Typetext="Number" /> | A global score from 1–99 that combines the score of each WAF attack vector into a single score. | Enterprise |
30
+
| WAF SQLi Attack Score <br/> [`cf.waf.score.sqli`][2] <br/> <Typetext="Number" /> | A score from 1–99 classifying the [SQL injection][6] (SQLi) attack vector. | Enterprise |
31
+
| WAF XSS Attack Score <br/> [`cf.waf.score.xss`][3] <br/> <Typetext="Number" /> | A score from 1–99 classifying the [cross-site scripting][7] (XSS) attack vector. | Enterprise |
32
+
| WAF RCE Attack Score <br/> [`cf.waf.score.rce`][4] <br/> <Typetext="Number" /> | A score from 1–99 classifying the command injection or [remote code execution][8] (RCE) attack vector. | Enterprise |
33
+
| WAF Attack Score Class <br/> [`cf.waf.score.class`][5] <br/> <Typetext="String" /> | The attack score class of the current request, based on the WAF attack score. <br/> Possible values: `attack`, `likely_attack`, `likely_clean`, and `clean`. | Business or above |
You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/). Attack score fields of data type `Number` vary between `1` and `99` with the following meaning:
Copy file name to clipboardExpand all lines: src/content/docs/waf/detections/firewall-for-ai.mdx
+18-11Lines changed: 18 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,7 +20,7 @@ Firewall for AI is a detection that can help protect your services powered by <G
20
20
21
21
When enabled, the detection runs on incoming traffic, searching for any LLM prompts attempting to exploit the model.
22
22
23
-
Cloudflare will populate the existing [Firewall for AI fields](#fields) based on the scan results. You can check these results in the [Security Analytics](/waf/analytics/security-analytics/) dashboard by filtering on the `cf-llm`[managed endpoint label](/api-shield/management-and-monitoring/endpoint-labels/) and reviewing the detection results on your traffic. Additionally, you can use these fields in rule expressions ([custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/)) to protect your application against LLM abuse and data leaks.
23
+
Cloudflare will populate the existing [Firewall for AI fields](#firewall-for-ai-fields) based on the scan results. You can check these results in the [Security Analytics](/waf/analytics/security-analytics/) dashboard by filtering on the `cf-llm`[managed endpoint label](/api-shield/management-and-monitoring/endpoint-labels/) and reviewing the detection results on your traffic. Additionally, you can use these fields in rule expressions ([custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/)) to protect your application against LLM abuse and data leaks.
24
24
25
25
## Availability
26
26
@@ -86,7 +86,7 @@ Alternatively, create a custom rule like the one described in the next step usin
86
86
-**With response type**: Custom JSON
87
87
-**Response body**: `{ "error": "Your request was blocked. Please rephrase your request." }`
88
88
89
-
For additional examples, refer to [Example mitigation rules](#example-mitigation-rules). For a list of fields provided by Firewall for AI, refer to [Fields](#fields).
89
+
For additional examples, refer to [Example mitigation rules](#example-mitigation-rules). For a list of fields provided by Firewall for AI, refer to [Fields](#firewall-for-ai-fields).
90
90
91
91
<Detailsheader="Combine with other Rules language fields">
92
92
@@ -114,18 +114,25 @@ You can combine the previous expression with other [fields](/ruleset-engine/rule
114
114
115
115
</Details>
116
116
117
-
## Fields
117
+
## Firewall for AI fields
118
118
119
119
When enabled, Firewall for AI populates the following fields:
120
120
121
-
| Name in the dashboard | Field + Data type | Description |
| LLM PII Detected |[`cf.llm.prompt.pii_detected`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii_detected/) <br/> <Typetext="Boolean"/> | Indicates whether any personally identifiable information (PII) has been detected in the LLM prompt included in the request. |
124
-
| LLM PII Categories |[`cf.llm.prompt.pii_categories`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii_categories/) <br/> <Typetext="Array<String>"/> | Array of string values with the personally identifiable information (PII) categories found in the LLM prompt included in the request.<br/>[Category list](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii_categories/)|
125
-
| LLM Content Detected |[`cf.llm.prompt.detected`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.detected/) <br/> <Typetext="Boolean "/> | Indicates whether Cloudflare detected an LLM prompt in the incoming request. |
126
-
| LLM Unsafe topic detected |[`cf.llm.prompt.unsafe_topic_detected`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe_topic_detected/) <br/> <Typetext="Boolean"/> | Indicates whether the incoming request includes any unsafe topic category in the LLM prompt. |
127
-
| LLM Unsafe topic categories |[`cf.llm.prompt.unsafe_topic_categories`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe_topic_categories/) <br/> <Typetext="Array<String>"/> | Array of string values with the type of unsafe topics detected in the LLM prompt.<br/>[Category list](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe_topic_categories/)|
128
-
| LLM Injection score |[`cf.llm.prompt.injection_score`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.injection_score/) <br/> <Typetext="Number"/> | A score from 1–99 that represents the likelihood that the LLM prompt in the request is trying to perform a prompt injection attack. |
| LLM PII detected <br/> [`cf.llm.prompt.pii_detected`][1] <br/> <Typetext="Boolean"/> | Indicates whether any personally identifiable information (PII) has been detected in the LLM prompt included in the request. |
124
+
| LLM PII categories <br/> [`cf.llm.prompt.pii_categories`][2] <br/> <Typetext="Array<String>"/> | Array of string values with the personally identifiable information (PII) categories found in the LLM prompt included in the request.<br/>[Category list](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii_categories/)|
125
+
| LLM Content detected <br/> [`cf.llm.prompt.detected`][3] <br/> <Typetext="Boolean "/> | Indicates whether Cloudflare detected an LLM prompt in the incoming request. |
126
+
| LLM Unsafe topic detected <br/> [`cf.llm.prompt.unsafe_topic_detected`][4] <br/> <Typetext="Boolean"/> | Indicates whether the incoming request includes any unsafe topic category in the LLM prompt. |
127
+
| LLM Unsafe topic categories <br/> [`cf.llm.prompt.unsafe_topic_categories`][5] <br/> <Typetext="Array<String>"/> | Array of string values with the type of unsafe topics detected in the LLM prompt.<br/>[Category list](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe_topic_categories/)|
128
+
| LLM Injection score <br/> [`cf.llm.prompt.injection_score`][6] <br/> <Typetext="Number"/> | A score from 1–99 that represents the likelihood that the LLM prompt in the request is trying to perform a prompt injection attack. |
Copy file name to clipboardExpand all lines: src/content/docs/waf/detections/leaked-credentials/index.mdx
+9-7Lines changed: 9 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,6 +7,8 @@ sidebar:
7
7
label: Leaked credentials
8
8
---
9
9
10
+
import { Type } from"~/components";
11
+
10
12
The leaked credentials [traffic detection](/waf/detections/) scans incoming requests for credentials (usernames and passwords) previously leaked from [data breaches](https://www.cloudflare.com/learning/security/what-is-a-data-breach/).
11
13
12
14
:::note
@@ -96,13 +98,13 @@ For instructions on configuring a custom detection location, refer to [Get start
96
98
97
99
## Leaked credentials fields
98
100
99
-
| Field name in the dashboard | Field| Availability|
| Password Leaked <br/> [`cf.waf.credential_check.password_leaked`][1]<br/> <Typetext="Boolean" />| Indicates whether the password detected in the request was previously leaked. <br/> Available on all plans. |
104
+
| User and Password Leaked <br/> [`cf.waf.credential_check.username_and_password_leaked`][2]<br/> <Typetext="Boolean" /> | Indicates whether the username-password pair detected in the request were previously leaked. <br/> Requires a Pro plan or above. |
105
+
| Username Leaked <br/> [`cf.waf.credential_check.username_leaked`][3]<br/> <Typetext="Boolean" />| Indicates whether the username detected in the request was previously leaked. <br/> Requires an Enterprise plan. |
106
+
| Similar Password Leaked <br/> [`cf.waf.credential_check.username_password_similar`][4]<br/> <Typetext="Boolean" /> | Indicates whether a similar version of the username and password credentials detected in the request were previously leaked. <br/> Requires an Enterprise plan.|
107
+
| Authentication detected <br/> [`cf.waf.auth_detected`][5]<br/> <Typetext="Boolean" />| Indicates whether Cloudflare detected authentication credentials in the request. <br/> Requires an Enterprise plan. |
0 commit comments