diff --git a/src/content/docs/china-network/get-started.mdx b/src/content/docs/china-network/get-started.mdx index 37c512e3fa435e..29a00b14f667f1 100644 --- a/src/content/docs/china-network/get-started.mdx +++ b/src/content/docs/china-network/get-started.mdx @@ -3,10 +3,9 @@ title: Get started pcx_content_type: get-started sidebar: order: 2 - --- -## Step 1 — Contract required services and agree to supplemental terms +## 1. Contract required services and agree to supplemental terms 1. Ensure that you have a Cloudflare Enterprise plan. If you do not have an Enterprise plan yet, you must upgrade. 2. Add the Cloudflare China Network package (a separate subscription) to your Enterprise plan. @@ -14,7 +13,7 @@ sidebar: Contact your sales team for more information on these steps. -## Step 2 — Obtain ICP and vet domain content +## 2. Obtain ICP and vet domain content 1. [Obtain Internet Content Provider (ICP) filings or licenses](/china-network/concepts/icp/#obtain-an-icp-number) for all the apex domains you wish to onboard. 
@@ -24,13 +23,13 @@ Contact your sales team for more information on these steps. 4. Prepare the required information for JD Cloud to review the content on your domains. JD Cloud, a Cloudflare partner, is required to review and vet the content of all domains on their network before enabling them. You will need to provide the following information: - * Customer and company name. - * Domain name. - * ICP license/filing number. - * A general description of the content of each domain (for example, `Marketing website`). - * A signed Self Attestation letter (provided by your sales team). + - Customer and company name. + - Domain name. + - ICP license/filing number. + - A general description of the content of each domain (for example, `Marketing website`). + - A signed Self Attestation letter (provided by your sales team). -## Step 3 — Onboard your domains to the Cloudflare China Network +## 3. Onboard your domains to the Cloudflare China Network After content vetting is complete, [add your domains to Cloudflare](/fundamentals/setup/manage-domains/add-site/). diff --git a/src/content/docs/page-shield/best-practices/handle-an-alert.mdx b/src/content/docs/page-shield/best-practices/handle-an-alert.mdx index c017198e12225a..a6672e342fd674 100644 --- a/src/content/docs/page-shield/best-practices/handle-an-alert.mdx +++ b/src/content/docs/page-shield/best-practices/handle-an-alert.mdx 
@@ -7,12 +7,11 @@ sidebar: head: - tag: title content: Handle a Page Shield alert - --- If you receive a Page Shield alert, sometimes you need to perform some manual investigation to confirm the nature of the script. Use the guidance provided in this page as a starting point for your investigation. -## Step 1 - Understand what triggered the alert +## 1. Understand what triggered the alert Start by identifying the [detection system](/page-shield/how-it-works/malicious-script-detection/) that triggered the alert. A link is provided in the alert that will send you directly to the Page Shield dashboard to the relevant resource that needs reviewing. Alternatively, do the following: @@ -25,13 +24,13 @@ Start by identifying the [detection system](/page-shield/how-it-works/malicious- The details page will specify which detection system triggered the alert. Check the values of the following fields: -* **Malicious code** -* **Malicious URL** -* **Malicious domain** +- **Malicious code** +- **Malicious URL** +- **Malicious domain** Different detection mechanisms may consider the script malicious at the same time. This increases the likelihood of the detection not being a false positive. -## Step 2 - Find the page where the resource was detected +## 2. Find the page where the resource was detected If you received an alert for a potentially malicious script: 
@@ -45,27 +44,27 @@ If you received an alert for a potentially malicious connection: 2. Open the browser's developer tools to confirm that the connection is being made. You can check this in the developer tools' **Network** tab, searching for the target hostname of the connection. -If you find the script or connection, this means the script is being loaded (or the connection is being established) for all website visitors — proceed to [step 3](#step-3---check-the-script-reputation). +If you find the script or connection, this means the script is being loaded (or the connection is being established) for all website visitors — proceed to [step 3](#3-check-the-script-reputation). If you do not find the script being loaded or the connection being made, this could mean one of the following: -* The script is being loaded (or the connection is being made) by visitors' browser extensions. -* Your current state will not load the script or make the connection. Complex applications might load scripts and establish connections based on state. -* You are not in the correct geographic location (or similar condition). -* The attacker is only loading the script or making the connection for a percentage of visitors or visitors with specific browsers/signatures. +- The script is being loaded (or the connection is being made) by visitors' browser extensions. +- Your current state will not load the script or make the connection. Complex applications might load scripts and establish connections based on state. +- You are not in the correct geographic location (or similar condition). +- The attacker is only loading the script or making the connection for a percentage of visitors or visitors with specific browsers/signatures. In this case, in addition to the steps indicated below, the best approach is: -* From a safe virtual environment, use online search tools and search for the given resource. 
Review results and resource metadata, for example domain registration details; -* If in doubt, scan the application codebase for the resource and if found, clarify the purpose. +- From a safe virtual environment, use online search tools and search for the given resource. Review results and resource metadata, for example domain registration details; +- If in doubt, scan the application codebase for the resource and if found, clarify the purpose. -## Step 3 - Check the script reputation +## 3. Check the script reputation If Page Shield considers the resource’s domain a "malicious domain", it is likely that the domain does not have a good reputation. The domain may be known for hosting malware or for being used for phishing attacks. Usually, reviewing the domain/hostname is sufficient to understand why you received the alert. You can use tools like Cloudflare’s [Security Center Investigate](https://dash.cloudflare.com/?to=/:account/security-center/investigate) platform to help with this validation. If Cloudflare's internal systems classified the script as containing "malicious code", external tools may not confirm the detection you got from Page Shield, since the machine learning (ML) model being used is Cloudflare-specific technology. However, you can re-run Page Shield’s ML model against the script source code, by using Cloudflare’s [Security Center Analyze](https://dash.cloudflare.com/?to=/:account/security-center/investigate/analyze) tool to confirm the match. -## Step 4 (optional) - Analyze the script content +## 4. (Optional) Analyze the script content You could use a virtual machine to perform some of the following analysis: 
@@ -73,14 +72,14 @@ You could use a virtual machine to perform some of the following analysis: 2. Scan the script source code for any hostnames or IP addresses. 3. For each hostname or IP address you identified, use Cloudflare's Security Center Investigate platform to look up threat information and/or search online for potential Indicators of Compromise. -*** +--- ## Conclusion If a resource which triggered a malicious alert from Page Shield: -* Is actively present in your application -* Is being loaded from a malicious host or IP address, or has malicious code -* Has malicious hostnames or IP addresses in its source code, which may be obfuscated/encoded +- Is actively present in your application +- Is being loaded from a malicious host or IP address, or has malicious code +- Has malicious hostnames or IP addresses in its source code, which may be obfuscated/encoded You should investigate further, since these indicators can be a sign of an ongoing active compromise.
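Review bot: Renaming `## Step 1 — Contract required services and agree to supplemental terms` to `## 1. Contract required services and agree to supplemental terms` (and the matching Step 2 and Step 3 headings in `china-network/get-started.mdx`) changes the generated heading anchors, but this file contains no link updates, unlike the Page Shield page in the same patch. Please grep the docs for inbound links to the old `#step-1---`, `#step-2---` and `#step-3---` anchors (other pages, changelogs, and any redirect table) and update them in this PR, so the rename does not leave broken fragment links behind.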
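Review bot: In the `@@ -24,13 +23,13 @@` hunk of `china-network/get-started.mdx`, the bullets under step 4 switch from `*` to `-`; since the flattened diff does not show indentation, please confirm the `- Customer and company name.` items keep the same indent as before so they stay nested under numbered item 4 rather than being parsed as a new top-level list that breaks the `1.`/`2.`/`3.`/`4.` numbering.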
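Review bot: The updated link `[step 3](#3-check-the-script-reputation)` in `handle-an-alert.mdx` depends on the site's slugger turning `## 3. Check the script reputation` into `3-check-the-script-reputation` (leading digit kept, the `.` dropped); please verify the fragment resolves on the built page, and likewise for `## 4. (Optional) Analyze the script content`, whose slug now differs from the old `#step-4-optional---analyze-the-script-content`. While this hunk touches the bullet `- From a safe virtual environment, ... for example domain registration details;`, consider ending it with a period to match the following bullet.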
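Review bot: Replacing `***` with `---` for the thematic break before `## Conclusion` is fine only if a blank line still separates it from the preceding `3. For each hostname or IP address ...` line; unlike `***`, a `---` directly under a text line is parsed as a setext heading underline, which would turn that list item into an H2. Please confirm the blank line is present. Also, while in this hunk, the context sentence `If a resource which triggered a malicious alert from Page Shield:` reads better as `If a resource that triggered a malicious alert from Page Shield:`.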
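Review bot: The `@@ -25,13 +24,13 @@` hunk of `handle-an-alert.mdx` only swaps list markers, but the adjacent context sentence `This increases the likelihood of the detection not being a false positive.` is a double negative; suggest `This reduces the likelihood that the detection is a false positive.` since the line is already within the edited region.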