Merged
Changes from 5 commits
2 changes: 2 additions & 0 deletions public/_redirects
Original file line number Diff line number Diff line change
Expand Up @@ -1341,6 +1341,8 @@
/waf/tools/scrape-shield/server-side-excludes/ /waf/tools/scrape-shield/ 301
/waf/rate-limiting-rules/create-account-dashboard/ /waf/account/rate-limiting-rulesets/create-dashboard/ 301
/waf/managed-rules/deploy-account-dashboard/ /waf/account/managed-rulesets/deploy-dashboard/ 301
/waf/analytics/security-events/free-plan/ /waf/analytics/security-events/ 301
/waf/analytics/security-events/paid-plans/ /waf/analytics/security-events/ 301

# waiting-room
/waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301
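Review bot: The two added entries cover only `/waf/analytics/security-events/free-plan/` and `/waf/analytics/security-events/paid-plans/`, but another hunk in this PR repoints the Validation Checks link away from `/waf/analytics/security-events/additional-information/`. If that page no longer exists, add a 301 for it here as well (for example to `/waf/tools/validation-checks/`, the target the updated link uses) so existing inbound links do not break.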
Expand Down
Binary file removed src/assets/images/waf/events-activity-log.png
Contributor Author


Replaced with src/assets/images/waf/events-sampled-logs.png.

Binary file not shown.
Binary file removed src/assets/images/waf/events-add-filter-free.png
Binary file not shown.
Binary file modified src/assets/images/waf/events-add-filter.png
Binary file added src/assets/images/waf/events-sampled-logs.png
17 changes: 6 additions & 11 deletions src/content/docs/ddos-protection/reference/analytics.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -6,26 +6,21 @@ sidebar:
head:
- tag: title
content: DDoS analytics

---

You can view DDoS analytics in different dashboards, depending on your service and plan:

- The [Security Events dashboard](/waf/analytics/security-events/) provides you with visibility into L7 security events that target your zone, including HTTP DDoS attacks and TCP attacks. The dashboard displays mitigations of HTTP DDoS attacks as HTTP DDoS events. These events are also available via [Cloudflare Logs](/logs/).
- The [Security Events dashboard](/waf/analytics/security-events/) provides you with visibility into L7 security events that target your zone, including HTTP DDoS attacks and TCP attacks. The dashboard displays mitigations of HTTP DDoS attacks as HTTP DDoS events. These events are also available via [Cloudflare Logs](/logs/).

- The [Network Analytics dashboard](/analytics/network-analytics/) provides you with visibility into L3/4 traffic and DDoS attacks that target your IP ranges or Spectrum applications.

## Availability



| Service | Free | Pro | Business | Enterprise |
| ------------- | ----------------- | --------------- | --------------- | ----------------- |
| WAF/CDN | Activity log only | Security Events | Security Events | Security Events |
| Spectrum/BYOIP | – | – | – | Network Analytics |
| Magic Transit | – | – | – | Network Analytics |


| Service | Free | Pro | Business | Enterprise |
| -------------- | ----------------- | --------------- | --------------- | ----------------- |
| WAF/CDN | Sampled logs only | Security Events | Security Events | Security Events |
| Spectrum/BYOIP | – | – | – | Network Analytics |
| Magic Transit | – | – | – | Network Analytics |

## Remarks

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,21 +8,20 @@ A **Cloudflare Ray ID** is an identifier given to every request that goes throug
Ray IDs are particularly useful when evaluating Security Events for patterns or false positives or more generally understanding your application traffic.

:::caution

Ray IDs are not guaranteed to be unique for every request. In some situations, different requests may have the same Ray ID.
:::

## Look up Ray IDs

### Security events

All customers can view Ray IDs and associated information — IP address, user agent, ASN, etc. — by looking through the [Activity Log](/waf/analytics/security-events/) in Security Events.
All customers can view Ray IDs and associated information — IP address, user agent, ASN, etc. — by looking through [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events.

![Example list of events in the Activity log, with one of the events expanded to show its details](~/assets/images/waf/events-activity-log.png)
![Example list of events in Sampled logs, with one of the events expanded to show its details](~/assets/images/waf/events-sampled-logs.png)

Additionally, you can [add filters](/waf/analytics/security-events/paid-plans/#adjusting-displayed-data) to look for specific Ray IDs.
Additionally, you can [add filters](/waf/analytics/security-events/#adjust-displayed-data) to look for specific Ray IDs.

![Example of adding a new filter in Security Events for the Allow action](~/assets/images/waf/events-add-filter-free.png)
![Example of adding a new filter in Security Events for the Block action](~/assets/images/waf/events-add-filter.png)

Please note that Security Events may use sampled data to improve performance. If sampled data is applied to your search, you might not see all events, and filters might not return the expected results. To display more events, select a smaller timeframe.
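Review bot: The unchanged closing paragraph (`Please note that Security Events may use sampled data to improve performance. ...`) now sits directly under links to a section called sampled logs and repeats, almost word for word, the first bullet of the Known limitations section this PR adds to the Security Events page. Consider replacing it with a short pointer to that section so the limitation is maintained in one place, and state explicitly that a Ray ID missing from sampled logs does not mean no event was generated, which matters together with the caution above that Ray IDs are not guaranteed to be unique.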

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ Cloudflare may serve `403` responses in the following scenarios:
- [DDoS Protection](/ddos-protection/), which is enabled by default on zones onboarded to Cloudflare, IP applications onboarded to Spectrum, and IP Prefixes onboarded to Magic Transit.
- Most [1xxx Cloudflare error codes](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
- The [Browser Integrity Check](/waf/tools/browser-integrity-check/).
- [Validation Checks](/waf/analytics/security-events/additional-information/).
- [Validation Checks](/waf/tools/validation-checks/).

Cloudflare may also serve an unstyled `403` error page in specific cases. These errors are not logged because they occur early in Cloudflare's infrastructure, before domain configuration is loaded. An example is:

Expand Down
Original file line number Diff line number Diff line change
@@ -1,25 +1,40 @@
---
pcx_content_type: reference
title: Paid plans
title: Security Events
pcx_content_type: concept
sidebar:
order: 3
head:
- tag: title
content: Security Events — Paid plans

order: 2
---

import { Render } from "~/components"
import { FeatureTable, GlossaryTooltip, Render } from "~/components";

Security Events allows you to review <GlossaryTooltip term="mitigated request">mitigated requests</GlossaryTooltip> and helps you tailor your security configurations.

The main elements of the dashboard are the following:

- [Events summary](#events-summary): Provides the number of security events on traffic during the selected time period, grouped according to the selected dimension (for example, Action, Host, Country).
- [Events by service](#events-by-service): Lists the security-related activity per security feature (for example, WAF, API Shield).
- [Top events by source](#top-events-by-source): Provides details of the traffic flagged or actioned by a Cloudflare security feature (for example, IP addresses, User Agents, Paths, Countries, Hosts, ASNs).
- [Sampled logs](#sampled-logs): Summarizes security events by date to show the action taken and the applied Cloudflare security product.
Contributor Author


Main changes:

  • Moved content from 5 partials to this page, now that there's only a single page for free and paid customers. That content did not change. (Also deleted those partials in this PR.)
  • Activity log is now Sampled logs.


Security Events displays information about requests actioned or flagged by Cloudflare security products, including features such as [Browser Integrity Check](/waf/tools/browser-integrity-check/). Each incoming HTTP request might generate one or more security events. The Security Events dashboard only shows these events, not the HTTP requests themselves.

## Availability

Available features vary according to your Cloudflare plan:

<FeatureTable id="security.security_events" />

## Location in the dashboard

Security Events is available for your zone in **Security** > **Events**.

Additionally, Enterprise customers have access to the account-level dashboard in Account Home > **Security Center** > **Security Events**.

## Adjusting displayed data
## Adjust displayed data

You can apply multiple filters and exclusions to narrow the scope of Security Events and adjust the report duration. Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page including the **Activity Log** and all graphs.
You can apply multiple filters and exclusions to narrow the scope of Security Events and adjust the report duration. Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page including **Sampled logs** and all graphs.

![Example of adding a new filter in Security Events for the Allow action](~/assets/images/waf/events-add-filter.png)
![Example of adding a new filter in Security Events for the Block action](~/assets/images/waf/events-add-filter.png)

<Render file="analytics-filter-report-duration" />
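Review bot: Renaming `## Adjusting displayed data` to `## Adjust displayed data` changes the heading's fragment, and the entries added in `public/_redirects` only map paths, so an existing external link to `/waf/analytics/security-events/paid-plans/#adjusting-displayed-data` will land at the top of the merged page rather than on the section. The in-repo links are updated in this PR, so this may be acceptable, but it should be a conscious decision. Separately, in `Account Home > **Security Center** > **Security Events**` the first element is not bold, unlike `**Security** > **Events**` two lines earlier.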

Expand Down Expand Up @@ -48,14 +63,10 @@ In **Top events by source** you can find details of the traffic flagged or actio
You can adjust the scope of Security Events to one of the listed source values by selecting **Filter** or **Exclude** when hovering the value.

:::note


A deleted custom/firewall rule or rate limiting rule will show as `Rule unavailable` under **Firewall rules** or **Rate limit rules**. To check the changes made within your Cloudflare account, review your [Audit logs](/fundamentals/setup/account/account-security/review-audit-logs/).


:::

## Activity log
## Sampled logs

<Render file="analytics-activity-log" />
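Review bot: Under the renamed `## Sampled logs` heading the page still renders the partial `analytics-activity-log`. Check that the partial's text no longer refers to the Activity log, and consider renaming the file to match so the old term does not linger in the source tree.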

Expand All @@ -70,3 +81,13 @@ A deleted custom/firewall rule or rate limiting rule will show as `Rule unavaila
To print or download a snapshot report from your security events dashboard, select **Print report** in **Security Events**. Your web browser's printing interface will present you with options for printing or downloading the PDF report.

The generated report will reflect all applied filters.

## Known limitations

Security Events currently has these limitations:

- Security Events may use sampled data to improve performance. If your search uses sampled data, Security Events might not display all events and filters might not return the expected results. To display more events, select a smaller time frame.

- The Cloudflare dashboard may show an inaccurate number of events per page. Data queries are highly optimized, but this means that pagination may not always work because the source data may have been sampled. The GraphQL Analytics API does not have this pagination issue.

- Triggered OWASP rules appear in the Security Events page under **Additional logs**, but they are not included in exported JSON files.
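Review bot: In the second bullet of Known limitations, `The GraphQL Analytics API does not have this pagination issue` names the workaround without linking to it; add a link to the GraphQL Analytics API documentation so readers who need correctly paginated event data know where to go. The third bullet has a similar gap: it says triggered OWASP rules are missing from exported JSON files but not how else to retrieve them, which affects anyone exporting events for triage.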
34 changes: 0 additions & 34 deletions src/content/docs/waf/analytics/security-events/free-plan.mdx

This file was deleted.

38 changes: 0 additions & 38 deletions src/content/docs/waf/analytics/security-events/index.mdx

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@ The authentication token parameter (`verify=<VALUE>` in the example) must be the
If you are on an Enterprise plan, you can test if URLs are being generated correctly on the origin server by doing the following:

1. Set the WAF custom rule action to _Log_.
2. Check the activity log in **Security** > **Events**.
2. Check the sampled logs in **Security** > **Events**.

---
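Review bot: Step 2 now sends readers to the sampled logs to confirm that the _Log_ rule matched, but the Known limitations added in this PR state that Security Events might not display all events when sampled data is used. Add a hint to select a smaller time frame if the test request does not show up, and bold the term (`**Sampled logs**`) to match the other pages touched here.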

Expand Down
2 changes: 1 addition & 1 deletion src/content/docs/waf/index.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ Learn how to [get started](/waf/get-started/).
cta="Explore Security Events"
>
Review mitigated requests (rule matches) using an intuitive interface. Tailor
your security configurations based on the activity log.
your security configurations based on sampled logs.
</Feature>

<Feature
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ The username and password credentials in clear text never leave the Cloudflare n

The WAF can perform one of the following actions when it detects exposed credentials:

- **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`. The action name is `Rewrite` in [Security Events](/waf/analytics/security-events/paid-plans/).
- **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`. The action name is `Rewrite` in [Security Events](/waf/analytics/security-events/).

:::caution
While the header name is the same as when using the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header), the header can have different values when using the managed transform (from `1` to `4`), depending on your Cloudflare plan.
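Review bot: The changed bullet gives the action name in Security Events as `Rewrite`, while the managed ruleset page updated in this PR says the action is named `rewrite` in the API and in Security Events. Use one casing in both places, or state which applies to the dashboard and which to the API, so readers filtering events by action know which value to look for.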
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@ sidebar:

import { Render } from "~/components";

The **Activity log** in Security Events shows entries for requests with exposed credentials identified by rules with the _Log_ action.
**Sampled logs** in [Security Events](/waf/analytics/security-events/) shows entries for requests with exposed credentials identified by rules with the _Log_ action.

Check for exposed credentials events in the Security Events dashboard (**Security** > **Events** tab), filtering by a specific Rule ID. For more information on filtering security events, refer to [Adjusting displayed data](/waf/analytics/security-events/paid-plans/#adjusting-displayed-data).
Check for exposed credentials events in the Security Events dashboard, filtering by a specific rule ID. For more information on filtering events, refer to [Adjust displayed data](/waf/analytics/security-events/#adjust-displayed-data).

<Render file="leaked-credentials-recommend-detection" />

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ View the content of the matched rule payload in the dashboard by entering your p

1. Open **Security** > **Events**.

2. Under **Activity log**, expand the details of an event triggered by a rule whose managed ruleset has payload logging enabled.
2. Under **Sampled logs**, expand the details of an event triggered by a rule whose managed ruleset has payload logging enabled.

3. Under **Payload match**, select **Decrypt payload log**.

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Additionally, this managed ruleset also includes generic rules for other common
- Check credentials sent as JSON with `email` and `password` keys
- Check credentials sent as JSON with `username` and `password` keys

The default action for the rules in managed ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API and in [Security Events](/waf/analytics/security-events/paid-plans/#activity-log)).
The default action for the rules in managed ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API and in [Security Events](/waf/analytics/security-events/#sampled-logs)).

The managed ruleset also contains a rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials.
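Review bot: The changed sentence reads `The default action for the rules in managed ruleset`, which is missing an article; since the line is being touched anyway, change it to `in this managed ruleset`.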

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,8 @@ Final request threat score: `26`

Since `26` >= `25` — that is, the threat score is greater than the configured score threshold — the WAF will apply the configured action (_Managed Challenge_). If you had configured a score threshold of _Medium - 40 and higher_, the WAF would not apply the action, since the request threat score would be lower than the score threshold (`26` < `40`).

The [**Activity log** in Security Events](/waf/analytics/security-events/paid-plans/#activity-log) would display the following details for the example incoming request handled by the OWASP Core Ruleset:
[**Sampled logs** in Security Events](/waf/analytics/security-events/#sampled-logs) would display the following details for the example incoming request handled by the OWASP Core Ruleset:

![Event log for example incoming request mitigated by the WAF's OWASP Core Ruleset](~/assets/images/waf/owasp-example-event-log.png)

In the activity log, the rule associated with requests mitigated by the Cloudflare OWASP Core Ruleset is the last rule in this managed ruleset: `949110: Inbound Anomaly Score Exceeded`, with rule ID <RuleID id="6179ae15870a4bb7b2d480d4843b323c" />. To get the scores of individual rules contributing to the final request threat score, expand **Additional logs** in the event details.
In sampled logs, the rule associated with requests mitigated by the Cloudflare OWASP Core Ruleset is the last rule in this managed ruleset: `949110: Inbound Anomaly Score Exceeded`, with rule ID <RuleID id="6179ae15870a4bb7b2d480d4843b323c" />. To get the scores of individual rules contributing to the final request threat score, expand **Additional logs** in the event details.
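Review bot: The last changed sentence tells readers to expand **Additional logs** for the per-rule scores, but the Known limitations section added in this PR says triggered OWASP rules shown there are not included in exported JSON files. Link to that limitation from here so nobody expects the individual rule scores to be present in an export.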