diff --git a/src/content/docs/analytics/network-analytics/configure/displayed-data.mdx b/src/content/docs/analytics/network-analytics/configure/displayed-data.mdx index cd357de56989835..253a06b964231be 100644 --- a/src/content/docs/analytics/network-analytics/configure/displayed-data.mdx +++ b/src/content/docs/analytics/network-analytics/configure/displayed-data.mdx @@ -67,3 +67,18 @@ Note that some filters will not be added to the new Magic Firewall rule definiti Enable the **Show annotations** toggle to show or hide annotations for advertised/withdrawn IP prefix events in the **Network Analytics** view. Select each annotation to get more details. ![Network Analytics chart displaying IP prefix-related annotations.](~/assets/images/analytics/network-analytics/view-annotations.png) + +## View logged or monitored traffic + +[Network DDoS managed rules](/ddos-protection/managed-rulesets/network/) and [Advanced DDoS Protection systems](/ddos-protection/advanced-ddos-systems/overview/) provide a `log` or `monitoring` mode that does not drop traffic. These `log` and `monitoring` mode events are based on **Verdict** and **Outcome**/**Action** fields. + +To filter for these traffic events: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. +2. Go to **Analytics & Logs** > **Network Analytics** > **DDoS managed rules**. +3. Select **Add filter**. + - Set `Verdict equals drop`. + - Set `Action equals pass`. +4. Select **Apply**. + +By setting `verdict` to `drop` and `outcome` as `pass`, we are filtering for traffic that was marked as a detection (that is, verdict was `drop`) but was not dropped (for example, outcome was `pass`). \ No newline at end of file diff --git a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx index 48a4783509e09f7..64a73c5fdb9277a 100644 --- a/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx 
+++ b/src/content/docs/ddos-protection/advanced-ddos-systems/concepts.mdx @@ -58,7 +58,8 @@ Besides defining rules with one of the above scopes, you must also select the [p The Advanced TCP Protection system constantly learns your TCP connections to mitigate DDoS attacks. Advanced TCP Protection rules can have one of the following execution modes: monitoring, mitigation (enabled), or disabled. - **Monitoring** - - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration. + - In this mode, Advanced TCP Protection will not impact any packets. Instead, the protection system will learn your legitimate TCP connections and show you what it would have mitigated. Check Network Analytics to visualize what actions Advanced TCP Protection would have taken on incoming packets, according to the current configuration. + - **​​Mitigation (Enabled)** - In this mode, Advanced TCP Protection will learn your legitimate TCP connections and perform mitigation actions on incoming TCP DDoS attacks based on the rule configuration (burst and rate sensitivity) and your [allowlist](/ddos-protection/advanced-ddos-systems/concepts/#allowlist). 
@@ -99,7 +100,9 @@ The default rate sensitivity and recommended setting is _Low_. You should only i ## Filter - The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional. + + +The filter expression can reference source and destination IP addresses and ports. Each system component (SYN flood protection and out-of-state TCP protection) should have one or more [rules](#rule), but filters are optional. Each system component has its own filters. You can configure a filter for each execution mode: diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-parameters.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-parameters.mdx index 74e719712975c66..f50027b67b34262 100644 --- a/src/content/docs/ddos-protection/managed-rulesets/network/override-parameters.mdx +++ b/src/content/docs/ddos-protection/managed-rulesets/network/override-parameters.mdx @@ -26,7 +26,7 @@ The action performed for packets that match specific rules of Cloudflare's DDoS - **Log** - API value: `"log"`. - - Only available on Enterprise plans. Logs requests that match the expression of a rule detecting network layer DDoS attacks. Recommended for validating a rule before committing to a more severe action. + - Only available on Enterprise plans. Logs requests that match the expression of a rule detecting network layer DDoS attacks. Recommended for validating a rule before committing to a more severe action. - **Block** - API value: `"block"`. diff --git a/src/content/partials/ddos-protection/log-and-monitor-behavior-link.mdx b/src/content/partials/ddos-protection/log-and-monitor-behavior-link.mdx new file mode 100644 index 000000000000000..6bd97998baead60 --- /dev/null +++ b/src/content/partials/ddos-protection/log-and-monitor-behavior-link.mdx 
@@ -0,0 +1,5 @@ +--- +{} +--- + +Refer to the [Analytics documentation](/analytics/network-analytics/configure/displayed-data/#view-logged-or-monitored-traffic) for more information on how to view logged or monitored traffic. \ No newline at end of file
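Review bot: In the `displayed-data.mdx` hunk, step 3 and the closing paragraph disagree on the field name: the step says `Action equals pass`, the intro says **Outcome**/**Action**, and the last paragraph says "outcome as `pass`". Pick the one label the dashboard filter actually shows and use it consistently in all three places, for example change the step to "Set `Outcome equals pass`." if that is the filter name. Also, "for example, outcome was `pass`" should be "that is, outcome was `pass`", since `pass` is exactly the value the step sets rather than one of several possibilities, and the file loses its trailing newline (`\ No newline at end of file`), which should be restored.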
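Review bot: In the first `concepts.mdx` hunk (`@@ -58,7 +58,8 @@`), the removed and added **Monitoring** sub-bullet lines are visibly identical, so the only change is invisible whitespace plus a new blank `+` line inserted between the **Monitoring** and **Mitigation (Enabled)** list items. A blank line inside a Markdown list turns it into a loose list and changes the rendered spacing of every item, so either drop the blank line or state in the PR description that the looser rendering is intended. While here, the unchanged `- **​​Mitigation (Enabled)**` context line carries zero-width characters before "Mitigation" that would be worth stripping in the same cleanup.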
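Review bot: In the second `concepts.mdx` hunk (`@@ -99,7 +100,9 @@`), the rewrite of the **Filter** paragraph adds two empty `+` lines on top of the blank line that already follows `## Filter`, leaving three blank lines between the heading and the paragraph. One blank line is enough; the extra ones should be removed so this section matches the spacing used elsewhere in the file.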
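Review bot: In the `override-parameters.mdx` hunk, the **Log** bullet is removed and re-added with no visible difference, so this looks like a whitespace-only change, yet the patch creates a new partial (`log-and-monitor-behavior-link.mdx`) that nothing in the diff includes. If the intent was to point Enterprise users from the Log action to the new analytics section, this bullet is the natural place to render that partial; otherwise the hunk should be dropped as a no-op.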
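Review bot: The new partial `log-and-monitor-behavior-link.mdx` is not referenced by any file changed in this patch, so it ships as dead content unless a follow-up adds the include. The link target `#view-logged-or-monitored-traffic` does match the slug of the new `## View logged or monitored traffic` heading in `displayed-data.mdx`, which is good, but the file is missing its trailing newline (`\ No newline at end of file`) and should end with one like the other partials.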