[API Shield] Sequence custom rules (#23690)

* sequence custom rules

* desc

* bots seq rules

* waf

* old dash steps

* feedback

* Update src/content/partials/api-shield/sequence-custom-rules.mdx

Co-authored-by: marciocloudflare <[email protected]>

---------

Co-authored-by: marciocloudflare <[email protected]>

Author: 2 people

src/content/docs/api-shield/security/sequence-mitigation/custom-rules.mdx

@@ -24,7 +24,11 @@ Rules built using these custom rules are different from sequence mitigation rule
 
 <Render file="sequence-rules-availability" product="bots" />
 
-## Example rules
+## Build a sequence custom rule
+
+<Render file="sequence-custom-rules" />
+
+### Example rules
 
 Each saved endpoint will have an endpoint ID visible in its details page in Endpoint Management in the form of a UUID. The references below (`aaaaaaaa`, `bbbbbbbb`, and `cccccccc`) are the first eight characters of the endpoint ID.
 

src/content/docs/api-shield/security/sequence-mitigation/manage-sequence-rules.mdx

@@ -12,6 +12,10 @@ head:
 ---
 import { Steps, Tabs, TabItem } from "~/components"
 
+:::note
+Cloudflare recommends creating sequence rules using WAF custom rules. Refer to the [sequence custom rules documentation](/api-shield/security/sequence-mitigation/custom-rules/) for more information.
+:::
+
 ## Create a sequence rule
 
 <Tabs syncKey="dashNewNav">

src/content/docs/bots/additional-configurations/sequence-rules.mdx

@@ -16,9 +16,25 @@ Sequence rules is currently in private beta. If you would like to be included in
 - Your account must have the Fraud Detection subscription.
 - Each zone must configure the endpoints to track via Endpoint Management.
 
+You can [create a sequence custom rule via the Cloudflare dashboard](#create-a-sequence-custom-rule-via-the-cloudflare-dashboard) or [using the API](#manage-sequence-rules-via-the-api).
+
+---
+
+## Availability
+
+<Render file="sequence-rules-availability" />
+
+---
+
+## Build a sequence custom rule via the Cloudflare dashboard
+
+<Render file="sequence-custom-rules" product="api-shield" />
+
 ---
 
-## Enable sequence rules via the API
+## Manage sequence rules via the API
+
+### Enable sequence rules
 
 <Steps>
 1. [Create an API token](/fundamentals/api/get-started/create-token/) if you do not already have one. The API token must include the _Zone_ > _Fraud Detection_ > _Edit_ permission.
@@ -48,18 +64,38 @@ When you enable sequence rules, Cloudflare will start setting cookies for all re
 
 Once you have enabled sequence rules, the rules fields will be populated and you can now use the new fields in your rules.
 
+### Disable sequence rules
+
+Disabling sequence rules will stop the rules fields from being populated. If you still have rules deployed which depend on these fields, those rules may not behave as intended. Remove or disable any rules that rely on sequence fields before disabling sequence rules.
+
+To disable sequence rules:
+
+<Steps>
+1. [Create an API token](/fundamentals/api/get-started/create-token/) if you do not already have one. The API token must include the _Zone_ > _Fraud Detection_ > _Edit_ permission.
+2. [Get the zone ID](/fundamentals/account/find-account-and-zone-ids/) for the zone(s) where you want to enable sequence rules.
+3. [Add the endpoints](/api-shield/management-and-monitoring/) that you want to track in your sequence rules using API Shield's Endpoint Management and make note of the short ID.
+4. Disable the sequence cookie using your API token, zone ID, and by setting `enabled` to `false` on the following API call.
+</Steps>
+
+:::note
+The short ID will not be visible until your account team has enabled this feature for you. 
+:::
+
+```bash title="API call"
+curl --request PUT https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \
+--header "Authorization: Bearer <API_TOKEN>" \
+--data '{"enabled": false}'
+```
+
 ---
 
+
 ## Rules fields
 
 Sequence rules introduces three new fields to Cloudflare Rules. All of these fields reference operations by their short ID. Accounts that have the Fraud Detection subscription can refer to the short ID by viewing the endpoint details via **API Shield** > **Endpoint Management** in the Cloudflare dashboard. Accounts without Fraud Detection do not have access to this field.
 
 Cloudflare only stores up to the 10 most recent operations in a sequence for up to one hour. If there are more than 10 operations in the sequence, older operations will be dropped and will not be included in the following fields. Similarly, if an operation happened more than one hour ago, it will also not be included in the following fields.
 
-## Availability
-
-<Render file="sequence-rules-availability" />
-
 ### Example rules
 
 The customer must request endpoint A before endpoint B.
@@ -86,30 +122,6 @@ cf.sequence.current_op eq "bbbbbbbb" and
 not cf.sequence.msec_since_op["aaaaaaaa"] ge 1000
 ```
 
----
-
-## Disable sequence rules via the API
-
-Disabling sequence rules will stop the rules fields from being populated. If you still have rules deployed which depend on these fields, those rules may not behave as intended. Remove or disable any rules that rely on sequence fields before disabling sequence rules.
-
-To disable sequence rules:
-
-<Steps>
-1. [Create an API token](/fundamentals/api/get-started/create-token/) if you do not already have one. The API token must include the _Zone_ > _Fraud Detection_ > _Edit_ permission.
-2. [Get the zone ID](/fundamentals/account/find-account-and-zone-ids/) for the zone(s) where you want to enable sequence rules.
-3. [Add the endpoints](/api-shield/management-and-monitoring/) that you want to track in your sequence rules using API Shield's Endpoint Management and make note of the short ID.
-4. Disable the sequence cookie using your API token, zone ID, and by setting `enabled` to `false` on the following API call.
-</Steps>
-
-:::note
-The short ID will not be visible until your account team has enabled this feature for you. 
-:::
-
-```bash title="API call"
-curl --request PUT https://api.cloudflare.com/client/v4/zones/{zone_id}/fraud_detection/sequence_cookies \
---header "Authorization: Bearer <API_TOKEN>" \
---data '{"enabled": false}'
-```
 
 ---
 

src/content/docs/waf/custom-rules/use-cases/sequence-custom-rules.mdx

@@ -0,0 +1,10 @@
+---
+pcx_content_type: configuration
+title: Build a sequence rule within custom rules
+---
+
+import { Render } from "~/components";
+
+You can build an [API sequence rule](/api-shield/security/sequence-mitigation/custom-rules/) via the Cloudflare dashboard.
+
+<Render file="sequence-custom-rules" product="api-shield" />

src/content/partials/api-shield/sequence-custom-rules.mdx

@@ -0,0 +1,54 @@
+---
+{}
+
+---
+
+import { Steps, Tabs, TabItem } from "~/components"
+
+<Tabs syncKey="dashNewNav">
+    <TabItem label="Old dashboard">
+        <Steps>
+            1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+            2. Go to **Security** > **WAF** > **Custom rules**.
+            3. To create a new empty rule, select **Create rule**.
+            4. Enter a descriptive name for the rule in **Rule name**.
+            5. Under **When incoming requests match**, use the **Field** drop-down list and select:
+                - Current Operation
+                - Previous Operations
+                - Elapsed time
+            6. Under **Value**, build a sequence by selecting a hostname for the sequence.
+            7. Select the checkbox for each endpoint in the order that you want them to appear in the sequence.
+            8. Set the time to complete.
+            9. Select **Save**.
+            10. Under **Then take action**, select the rule action in the **Choose action** dropdown. For example, selecting *Block* tells Cloudflare to refuse requests that match the conditions you specified.
+            11. (Optional) If you selected the *Block* action, you can configure a custom response.
+            12. Under **Place at**, select the order of when the rule will fire.
+            13. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
+        </Steps>
+    </TabItem>
+    <TabItem label="New dashboard" icon="rocket">
+        <Steps>
+            1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+            2. Go to **Security** > **Security rules**. 
+            3. To create a new empty rule, select **Create rule** > **Custom rules**.
+            4. Enter a descriptive name for the rule in **Rule name**.
+            5. Under **When incoming requests match**, use the **Field** drop-down list to filter by **Sequences** and select from:
+                - Current Operation
+                - Previous Operations
+                - Elapsed time
+            6. Under **Value**, select the edit icon to use Builder and build a sequence on the side panel.
+            7. Under **Select a hostname for this sequence**, choose all or a specific hostname from the dropdown list. Optionally, you can use the search bar to search for a specific hostname.
+            8. From the **Methods** dropdown list, choose all methods or a specific request method.
+            8. Select the checkbox for each endpoint in the order that you want them to appear in the sequence.
+            8. Set the time to complete.
+            9. Select **Save**.
+            10. Under **Then take action**, select the rule action in the **Choose action** dropdown. For example, selecting *Block* tells Cloudflare to refuse requests that match the conditions you specified.
+            11. (Optional) If you selected the *Block* action, you can configure a custom response.
+            12. Under **Place at**, select the order of when the rule will fire.
+            13. To save and deploy your rule, select **Deploy**. If you are not ready to deploy your rule, select **Save as Draft**.
+        </Steps>
+            :::note
+            The fields in the custom rule are populated as a grouped sequence based on the values that you entered on Builder.
+            :::
+    </TabItem>
+</Tabs>