[WAF] Detections section (#17027)

---------

Co-authored-by: marciocloudflare <[email protected]>

Author: 2 people

public/_redirects

@@ -1180,8 +1180,14 @@
 /turnstile/concepts/widget-types/ /turnstile/concepts/widget/ 301
 
 # waf
-/waf/about/file-scanning/ /waf/about/content-scanning/ 301
-/waf/about/waf-ml/ /waf/about/waf-attack-score/ 301
+/waf/about/ /waf/concepts/ 301
+/waf/about/content-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/content-scanning/get-started/ /waf/detections/malicious-uploads/get-started/ 301
+/waf/about/content-scanning/example-rules/ /waf/detections/malicious-uploads/example-rules/ 301
+/waf/about/content-scanning/api-calls/ /waf/detections/malicious-uploads/api-calls/ 301
+/waf/about/file-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/waf-attack-score/ /waf/detections/attack-score/ 301
+/waf/about/waf-ml/ /waf/detections/attack-score/ 301
 /waf/alerts/ /waf/reference/alerts/ 301
 /waf/custom-rules/custom-firewall/ /waf/custom-rules/ 301
 /waf/custom-rules/custom-firewall/create-api/ /waf/custom-rules/create-api/ 301

src/content/changelogs/waf-general.yaml

@@ -10,8 +10,8 @@ entries:
   - publish_date: "2024-08-29"
     title: Fixed occasional attack score mismatches
     description: |-
-      Fixed an issue causing score mismatches between the global [WAF attack score](/waf/about/waf-attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives.
+      Fixed an issue causing score mismatches between the global [WAF attack score](/waf/detections/attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives.
   - publish_date: "2024-05-23"
     title: Improved detection capabilities
     description: |-
-      [WAF attack score](/waf/about/waf-attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).
+      [WAF attack score](/waf/detections/attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).

src/content/docs/reference-architecture/architectures/security.mdx

@@ -68,6 +68,11 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/managed_headers \
 				"enabled": false,
 				"has_conflict": false,
 				"conflicts_with": ["add_true_client_ip_headers"]
+			},
+			{
+				"id": "add_waf_credential_check_status_header",
+				"enabled": false,
+				"has_conflict": false
 			}
 		],
 		"managed_response_headers": [

src/content/docs/rules/transform/managed-transforms/configure.mdx

@@ -3,15 +3,15 @@ title: Managed Transforms
 pcx_content_type: concept
 sidebar:
   order: 4
-
 ---
 
 Managed Transforms allow you to perform common adjustments to HTTP request and response headers with the click of a button. The available adjustments include:
 
-* Add bot protection request headers.
-* Remove or add headers related to the visitor's IP address.
-* Add security-related response headers.
-* Remove "X-Powered-By" response headers.
+- Add bot protection request headers.
+- Remove or add headers related to the visitor's IP address.
+- Add request header when the WAF detects leaked credentials.
+- Add security-related response headers.
+- Remove "X-Powered-By" response headers.
 
 For a complete list, refer to [Available Managed Transforms](/rules/transform/managed-transforms/reference/).
 
@@ -20,8 +20,7 @@ When you enable a Managed Transform, Cloudflare internally deploys one or more T
 Enabled Managed Transforms will apply to all inbound requests for the zone.
 
 :::note
-
-The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard. 
+The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard.
 :::
 
 ## Next steps

src/content/docs/rules/transform/managed-transforms/index.mdx

@@ -106,6 +106,25 @@ For example, consider an incoming request proxied by two CDNs (`CDN_1` and `CDN_
 With **Remove visitor IP headers** enabled, the `x-forwarded-for` header sent to the origin server will be:<br/>
 `x-forwarded-for: <THIRD_PARTY_CDN_2_IP>`
 
+### Add Leaked Credentials Checks Header
+
+Adds an `Exposed-Credential-Check` request header whenever the WAF detects leaked credentials in the incoming request.
+
+The header can have these values:
+
+| Header + Value                | Description                                                             | Availability       |
+| ----------------------------- | ----------------------------------------------------------------------- | ------------------ |
+| `Exposed-Credential-Check: 1` | Previously leaked username and password detected                        | Pro plan and above |
+| `Exposed-Credential-Check: 2` | Previously leaked username detected                                     | Enterprise plan    |
+| `Exposed-Credential-Check: 3` | Similar combination of previously leaked username and password detected | Enterprise plan    |
+| `Exposed-Credential-Check: 4` | Previously leaked password detected                                     | All plans          |
+
+You will only receive this managed header at your origin server if:
+
+- The [leaked credentials detection](/waf/detections/leaked-credentials/) in the WAF is turned on.
+- The **Add Leaked Credentials Checks Header** managed transform is turned on.
+- Your Cloudflare plan supports the type of credentials detection. For example, Free plans can only know if a password was previously leaked. In this situation, Cloudflare will add an `Exposed-Credential-Check: 4` header to the request.
+
 ## HTTP response headers
 
 ### Remove "X-Powered-By" headers

src/content/docs/rules/transform/managed-transforms/reference.mdx

@@ -16,7 +16,9 @@ Dynamic fields represent computed or derived values, typically related to threat
 
 - Access to `cf.bot_management.*` fields requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
 
-- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [WAF content scanning](/waf/about/content-scanning/) enabled.
+- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
+
+- Access to fields `cf.waf.auth_detected` and `cf.waf.credential_check.*` depends on your Cloudflare plan and add-ons. For more information, refer to [Leaked credentials detection](/waf/detections/leaked-credentials/).
 
 - The `cf.tls_client_auth.*` string fields are only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
 
@@ -372,69 +374,69 @@ Example:
 
 When `true`, the request contains at least one [content object](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/).
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.content_scan.has_malicious_obj`
 
 `cf.waf.content_scan.has_malicious_obj` `Boolean`
 
 When `true`, the request contains at least one malicious content object.
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.content_scan.num_malicious_obj`
 
 `cf.waf.content_scan.num_malicious_obj` `Integer`
 
 The number of malicious content objects detected in the request (zero or greater).
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.content_scan.has_failed`
 
 `cf.waf.content_scan.has_failed` `Boolean`
 
 When `true`, the file scanner was unable to scan all the content objects detected in the request.
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.content_scan.num_obj`
 
 `cf.waf.content_scan.num_obj` `Integer`
 
 The number of content objects detected in the request (zero or greater).
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.content_scan.obj_sizes`
 
 `cf.waf.content_scan.obj_sizes` `Array<Integer>`
 
 An array of file sizes in bytes, in the order the content objects were detected in the request.
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.content_scan.obj_types`
 
 `cf.waf.content_scan.obj_types` `Array<String>`
 
 An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.content_scan.obj_results`
 
 `cf.waf.content_scan.obj_results` `Array<String>`
 
 An array of scan results in the order the content objects were detected in the request. The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
 
-For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/).
+For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
 ## `cf.waf.score`
 
 `cf.waf.score` `Number`
 
-A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/about/waf-attack-score/) to detect variants of attack patterns.
+A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
 
 ## `cf.waf.score.sqli`
 
@@ -460,6 +462,46 @@ An attack score from 1 to 99 classifying the command injection or Remote Code Ex
 
 The attack score class of the current request, based on the WAF attack score. Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.
 
+## `cf.waf.auth_detected`
+
+`cf.waf.auth_detected` `Boolean`
+
+When `true`, the Cloudflare WAF detected authentication credentials in the request.
+
+Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+## `cf.waf.credential_check.password_leaked`
+
+`cf.waf.credential_check.password_leaked` `Boolean`
+
+When `true`, the password detected in the request was previously leaked.
+
+Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+## `cf.waf.credential_check.username_leaked`
+
+`cf.waf.credential_check.username_leaked` `Boolean`
+
+When `true`, the username detected in the request was previously leaked.
+
+Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+## `cf.waf.credential_check.username_and_password_leaked`
+
+`cf.waf.credential_check.username_and_password_leaked` `Boolean`
+
+When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked.
+
+Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+## `cf.waf.credential_check.username_password_similar`
+
+`cf.waf.credential_check.username_password_similar` `Boolean`
+
+When `true`, a similar version of the username and password credentials detected in the request were previously leaked.
+
+Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
 ## `cf.worker.upstream_zone`
 
 `cf.worker.upstream_zone` `String`

src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx

@@ -1,7 +1,6 @@
 ---
 pcx_content_type: concept
 title: Concept
-
 ---
 
 ## Purpose
@@ -12,7 +11,7 @@ The purpose of a concept is to provide conceptual or descriptive information so
 
 instructional, descriptive, approachable, supportive
 
-## content\_type
+## content_type
 
 `concept`
 
@@ -51,6 +50,6 @@ Do not recreate information that's already available online. Instead, consider w
 
 [Load Balancing](/load-balancing/)
 
-[WAF](/waf/about/)
+[WAF](/waf/)
 
 [Magic Transit](/magic-transit/about/)

src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx

@@ -18,7 +18,7 @@ Use the Security Analytics dashboard to:
 - View the traffic distribution for your domain.
 - Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or origin server).
 - Analyze suspicious traffic and create tailored WAF custom rules based on applied filters.
-- Learn more about Cloudflare’s security scores (<GlossaryTooltip term="attack score" link="/waf/about/waf-attack-score/">attack score</GlossaryTooltip>, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/about/content-scanning/) results) with real data.
+- Learn more about Cloudflare’s security scores (<GlossaryTooltip term="attack score" link="/waf/detections/attack-score/">attack score</GlossaryTooltip>, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/detections/malicious-uploads/) results) with real data.
 - [Find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic.
 
 If you need to modify existing security-related rules you already configured, consider also using the [Security Events](/waf/analytics/security-events/) dashboard. This dashboard displays information about requests affected by Cloudflare security products.
@@ -92,7 +92,7 @@ To apply the filters for an insight to the data displayed in the Security Analyt
 
 The **Attack likelihood**, **Bot likelihood**, and **Malicious uploads** sections display statistics related to WAF attack scores, bot scores, and WAF content scanning scores of incoming requests for the selected time frame.
 
-You can examine different traffic segments according to the current metric (attack, bot, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50).
+You can examine different traffic segments according to the current metric (attack score, bot score, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50).
 
 Additionally, you can use the slider tool below the chart to filter incoming requests according to the current metric. This allows you to filter traffic groups outside the predefined segments.
 
@@ -106,7 +106,7 @@ The main chart displays the following data for the selected time frame, accordin
   - **Served by Cloudflare**: Requests served by the Cloudflare global network such as cached content and redirects.
   - **Served by origin**: Requests served by your origin server.
 
-- **Attack likelihood**: [WAF attack score](/waf/about/waf-attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_.
+- **Attack likelihood**: [WAF attack score](/waf/detections/attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_.
 
 - **Bot likelihood**: [Bot score](/bots/concepts/bot-score/) analysis of incoming requests, classifying them as _Automated_, _Likely automated_, or _Likely human_.