cloudflare · marciocloudflare · Apr 7, 2025 · Apr 4, 2025 · Apr 4, 2025 · Apr 4, 2025
@@ -791,6 +791,9 @@
 # magic-network-monitoring
 /magic-network-monitoring/routers/ /magic-network-monitoring/routers/supported-routers/ 301
 /magic-network-monitoring/tutorials/ /magic-network-monitoring/tutorials/graphql-analytics/ 301
+/magic-network-monitoring/rules/recommended-rule-configuration/ /magic-network-monitoring/rules/static-threshold/ 301
+/magic-network-monitoring/rules/sflow-ddos-alerts/ /rules/configure-rule-notifications/ 301
+/magic-network-monitoring/notifications/ /rules/rule-notifications/ 301
 
 # magic-transit
 /magic-transit/magic-firewall/ /magic-firewall/ 301

@@ -52,7 +52,7 @@ Magic Transit On Demand customers can use Magic Network Monitoring to enable DDo
 
 </Feature>
 
-<Feature header="Notifications" href="/magic-network-monitoring/notifications/">
+<Feature header="Rule notitications" href="/magic-network-monitoring/rules/rule-notifications/">
 
 Set up notifications to learn about an attack.
 

@@ -0,0 +1,45 @@
+---
+title: Dynamic threshold rule
+pcx_content_type: how-to
+sidebar:
+  order: 2
+  badge:
+    text: Beta
+---
+
+A dynamic threshold rule (beta) will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. The total traffic across all IP prefixes and IP addresses in the rule is compared to the current value of the dynamic threshold. If the total traffic exceeds the dynamic threshold, then an alert is sent.
+
+Dynamic thresholds are calculated using a statistical measure called [z-score](https://en.wikipedia.org/wiki/Standard_score) (also referred to as standard score). You can visit the section on [How the dynamic rule threshold is calculated](#how-the-dynamic-rule-threshold-is-calculated) to learn more.
+
+Customers that send NetFlow and / or sFlow data to Cloudflare can configure dynamic threshold rules.
+
+A dynamic threshold rule can only be configured via [Cloudflare's Magic Network Monitoring Rules API](/api/resources/magic_network_monitoring/subresources/rules/). Today, customers are unable to configure dynamic threshold rules in the Cloudflare dashboard.
+
+## Rule configuration fields
+
+| Field | Description |
+| :---- | :---- |
+| **Rule name** | Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`). Maximum of 256 characters. |
+| **Rule type** | zscore |
+| **Target** | Can be defined in either bits per second or packets per second. |
+| **Sensitivity** | Z-Score sensitivity has three values: low, medium, and high. |
+| **Auto-advertisement** | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule's dynamic threshold is triggered. To learn more and see an example, view the [Auto-Advertisement section](/magic-network-monitoring/rules/rule-notifications/#rule-auto-advertisement-notifications). |
+| **Rule IP prefix** | The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. The maximum is 5,000 unique CIDR entries. To learn more and see an example, view the [Rule IP prefixes](/magic-network-monitoring/rules/#rule-ip-prefixes). |
+
+## API documentation
+
+You can visit [developers.cloudflare.com/api/](/api/), navigate to [Magic Network Monitoring](/api/resources/magic_network_monitoring/), and expand the [Rules](/api/resources/magic_network_monitoring/subresources/rules/) section to see an example API configuration call using CURL and the expected output for a successful response.
+
+## How the dynamic rule threshold is calculated
+
+Dynamic thresholds for this rule type are calculated using a statistical measure called Z-Score. The dynamic threshold for this rule will automatically adjust based on your traffic history as this rule uses statistical analysis to detect traffic anomalies. Z-Score is calculated by comparing short-term traffic patterns (five-minute time window) against long-term baselines (four-hour time window) .
+
+Z-Score is calculated by using the following formula:
+
+```txt
+Z = (X - μ) / σ
+```
+
+- `X` = Current traffic value.
+- `μ` = Mean traffic value over the long window.
+- `σ` = Standard deviation over the long window.
@@ -2,12 +2,26 @@
 title: Rules
 pcx_content_type: how-to
 sidebar:
-  label: Manage rules
+  label: Overview
   order: 4
 
 ---
 
-Magic Network Monitoring rules will allow you to monitor the traffic volume destined for IP addresses or IP prefixes on your network. You can also receive alerts if the volume of traffic arriving at specific destinations exceeds a defined threshold.
+Magic Network Monitoring rules allow you to monitor your network traffic for DDoS attacks on specific IP addresses or IP prefixes within your network. If the network traffic that is monitored by a rule exceeds the rule's threshold or contains a DDoS attack fingerprint, then you will receive an alert.
+
+## Rule types
+
+There are three different types of rules that can be configured within Magic Network Monitoring. You can refer to the linked documentation page for each rule type to learn more.
+
+| Rule Type | Rule Description | Rule Availability |
+| :---- | :---- | :---- |
+| [Dynamic threshold](/magic-network-monitoring/rules/dynamic-threshold/) (recommended) | A dynamic threshold rule will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. | API configuration only |
+| [Static threshold](/magic-network-monitoring/rules/static-threshold/) | A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. | API configuration and dashboard configuration |
+| [sFlow DDoS attack](/magic-network-monitoring/rules/s-flow-ddos-attack/) | Magic Network Monitoring customers that send sFlow data to Cloudflare can receive alerts when a specific type of distributed denial-of-service (DDoS) attack is detected within their network traffic. | API configuration only. Only applicable to sFlow data sets |
+
+## Create rules in the dashboard
+
+You can only configure static traffic threshold rules in the Cloudflare dashboard.
 
 :::caution[Invalid account settings error when trying to create a rule]
 If you get the following error when trying to create a rule:
@@ -19,88 +33,67 @@ Make sure the name for your Cloudflare account does not contain unsupported char
 Refer to [Account name](/fundamentals/setup/account/customize-account/account-name/) to learn how to change your account name.
 :::
 
-
-## Create rules
-
-Refer to [Recommended rule configuration](/magic-network-monitoring/rules/recommended-rule-configuration/) for more details on the settings we recommend to create appropriate Magic Network Monitoring rules.
+To create a new rule:
 
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
 2. Go to **Analytics & Logs** > **Magic Monitoring**.
 3. Select **Configure Magic Network Monitoring** > **Add new rule**.
-4. Create your rule according to your needs. Refer to [Rule fields](#rule-fields) for more information on what each field does.
+4. Create a new static traffic threshold rule according to your needs. Refer to the documentation on [static threshold](/magic-network-monitoring/rules/static-threshold/) rules for more information on each field in the static threshold rule's configuration.
 5. Select **Create a new rule** when you are finished.
 
-## Edit or delete rules
+## Edit rules in the dashboard
 
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
 2. Go to **Analytics & Logs** > **Magic Monitoring**.
 3. Select **Configure Magic Network Monitoring**.
-4. Find the rule you want to edit, and select **Edit**. Optionally, you can also select **Delete** to delete a rule.
-5. Edit the appropriate fields. Refer to [Rule fields](#rule-fields) for more information on what each field does.
+4. Find the static threshold rule you want to edit, and select **Edit**.
+5. Edit the appropriate fields. Refer to [Rule configuration fields](/magic-network-monitoring/rules/static-threshold/#rule-configuration-fields) for more information on what each field does.
 6. Select **Save** when you are finished.
 
-## Rule Auto-Advertisement
+## Delete rules in the dashboard
 
-If you are an Enterprise customer using [Magic Transit On Demand](/magic-transit/on-demand), enable **Auto-Advertisement** if you want to automatically activate Magic Transit when a certain threshold is exceeded.
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
+2. Go to **Analytics & Logs** > **Magic Monitoring**.
+3. Select **Configure Magic Network Monitoring**.
+4. Find the static threshold rule you want to delete, and select **Delete**.
+5. Select **I understand that deleting a rule is permanent**, and select **Delete** again.
 
-Follow the previous steps to [create](#create-rules) or [edit](#edit-or-delete-rules) a rule. Then, make sure you enable **Auto-Advertisement**.
+## Common settings that apply to all rule types
 
-## Rule fields
+### Rule Auto-Advertisement
 
-| Field  									| Description |
-| ----------------------- | ----------- |
-| **Rule name** 					| Must be unique and cannot contain spaces. Supports characters `A-Z`, `a-z`, `0-9`, underscore (`_`), dash (`-`), period (`.`), and tilde (`~`).  Max 256 characters. |
-| **Rule threshold type** | Can be defined in either bits per second or packets per second. |
-| **Rule threshold**  		| The number of bits per second or packets per second for the rule alert. When this value is exceeded for the rule duration, an alert notification is sent. Minimum of `1` and no maximum. |
-| **Rule duration**  			| The amount of time in minutes the rule threshold must exceed to send an alert notification. Choose from the following values: `1`, `5`, `10`, `15`, `20`, `30`, `45`, or `60` minutes. |
-| **Auto-advertisement**  | If you are a [Magic Transit On Demand](/magic-transit/on-demand) customer, you can enable this feature to automatically enable Magic Transit if the rule alert is triggered.|
-| **Rule IP prefix** 			| The IP prefix associated with the rule for monitoring traffic volume. Must be a CIDR range such as `160.168.0.1/24`. Max is 5,000 unique CIDR entries.                                   |
+If you are an Enterprise customer using [Magic Transit On Demand](/magic-transit/on-demand), you can enable **Auto-Advertisement** for any dynamic threshold, static threshold, and sFlow DDoS attack rule. The Auto-Advertisement feature will automatically activate Magic Transit when a static or dynamic rule threshold is exceeded or a DDoS attack fingerprint is identified in sFlow traffic logs.
 
-## Enable per-prefix thresholds with the API
+Follow the previous steps to [create](#create-rules-in-the-dashboard) or [edit](#edit-rules-in-the-dashboard) a rule. Then, enable **Auto-Advertisement**.
 
-You can also use the [Magic Network Monitoring API](/api/resources/magic_network_monitoring/subresources/rules/methods/list/) to configure custom thresholds for specific prefixes.
+### Rule IP prefixes
 
-The system uses the concept of rules, and each rule consists of a group of prefixes. All prefixes inside a rule are evaluated as a whole, and you should set up a rule if you want the prefixes' aggregated traffic to trigger an alert or advertisement. For thresholds on singular prefixes or IPs, you can create an individual rule with one prefix and the desired threshold.
+Each rule must include a group of IP prefixes in its definition. All IP prefixes inside a rule are evaluated as a whole, and you should set up a rule with multiple IP prefixes when you want the IP prefixes' aggregated traffic to trigger an alert or advertisement. For thresholds on singular IP prefixes or IP addresses, you can create an individual rule with one prefix and the desired rule parameters.
 
-### Example
+### Rule IP prefixes example
 
-For a rule with two prefix CIDRs and a `packet_threshold` of `10000` as shown below, the rule will be flagged if the joint packet traffic of `192.168.0.0/24` and `172.118.0.0/24` is greater than `10000`. This also means that Cloudflare attempts to auto advertise both CIDRs in case the flag is turned on.
+For a rule with two prefix CIDRs and a `packet_threshold` of `10000` as shown below, the rule will be flagged if the joint packet traffic of `192.168.0.0/24` and `172.118.0.0/24` is greater than `10000`. This also means that Cloudflare attempts to auto advertise both CIDRs if the rule has the auto advertisement flag enabled. Customers can also [configure Rule IP prefixes at scale via Cloudflare's API](https://developers.cloudflare.com/api/resources/magic_network_monitoring/subresources/rules/).
 
-```bash
+```json
 "rules":[
         "name": "Too many packets",
         "prefixes": ["192.168.0.0/24", "172.118.0.0/24"],
         "packet_threshold": 10000,
         "automatic_advertisement": true,
         "duration": "1m0s",
+	 "type": "threshold"
         ]
 ```
 
 For more granular thresholds, create a more focused rule as shown below.
 
-```bash
+```json
 "rules":[
         "name": "Too many packets",
         "prefixes": ["172.118.0.0/24"],
         "packet_threshold": 1000,
         "automatic_advertisement": true,
         "duration": "1m0s",
+ "type": "threshold"
        ]
-```
-
-Refer to the [Magic Network Monitoring API documentation](/api/resources/magic_network_monitoring/subresources/rules/methods/list/) for more information.
-
-## Notifications
-
-Webhook, PagerDuty, and email notifications are sent following an auto-advertisement attempt for all prefixes inside the flagged rule.
-
-You will receive the status of the advertisement for each prefix with the following available statuses:
-
-- **Advertised**: The prefix was successfully advertised.
-- **Already Advertised**: The prefix was advertised prior to the auto advertisement attempt.
-- **Delayed**: The prefix cannot currently be advertised but will attempt advertisement. After the prefix can be advertised, a new notification is sent with the updated status.
-- **Locked**: The prefix is locked and cannot be advertised.
-- **Could not Advertise**: Cloudflare was unable to advertise the prefix. This status can occur for multiple reasons, but usually occurs when you are not allowed to advertise a prefix.
-- **Error**: A general error occurred during prefix advertisement.
-
-Refer to [Notifications](/magic-network-monitoring/notifications/) to learn how to create one.
+```
@@ -0,0 +1,73 @@
+---
+title: Configure rule notifications
+pcx_content_type: how-to
+sidebar:
+  order: 4
+---
+
+After configuring one or multiple rule types in Magic Network Monitoring, customers can also choose to receive notifications via email, webhook, or PagerDuty when a rule is triggered.
+
+Customers can configure multiple rule types and alerts together to create layers of DDoS protection based on their network environment and their security needs.
+
+You can read [Cloudflare's Notifications documentation](/notifications/) for more information on our notification platform including:
+
+- [Configure Cloudflare notifications](/notifications/get-started/)
+- [Configure PagerDuty](/notifications/get-started/configure-pagerduty/)
+- [Configure webhooks](/notifications/get-started/configure-webhooks/)
+- [Test a notification](/notifications/get-started/#test-a-notification)
+- [Notification History](/notifications/notification-history/)
+
+## Magic Network Monitoring notification configuration fields
+
+| Field | Description |
+| :---- | :---- |
+| **Notification name** | The name of the Magic Network Monitoring notification (MNM) for the rule type that was selected. |
+| **Description (optional)** | The description of the MNM notification. |
+| **Webhooks** | The webhook(s) that will receive the MNM notification. |
+| **Notification email** | The email(s) that will receive the MNM notification. |
+
+## Rule Auto-Advertisement notifications
+
+Webhook, PagerDuty, and email notifications are sent following an auto-advertisement attempt for all prefixes inside the flagged rule.
+
+You will receive the status of the advertisement for each prefix with the following available statuses:
+
+- **Advertised**: The prefix was successfully advertised.
+- **Already Advertised**: The prefix was advertised prior to the auto advertisement attempt.
+- **Delayed**: The prefix cannot currently be advertised but will attempt advertisement. After the prefix can be advertised, a new notification is sent with the updated status.
+- **Locked**: The prefix is locked and cannot be advertised.
+- **Could not Advertise**: Cloudflare was unable to advertise the prefix. This status can occur for multiple reasons, but usually occurs when you are not allowed to advertise a prefix.
+- **Error**: A general error occurred during prefix advertisement.
+
+## Configure static threshold notifications
+
+To configure static threshold notifications:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
+2. Go to **Notifications** > **Add**.
+3. Select **Magic Transit** from the product dropdown menu.
+4. Find the **Magic Network Monitoring: Volumetric Attack** alert, and select **Select**.
+5. Fill in the notification configuration details.
+6. Select **Save**.
+
+## Configure dynamic threshold notifications
+
+To configure dynamic threshold notifications:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
+2. Go to **Notifications** > **Add**.
+3. Select **Magic Transit** from the product dropdown menu.
+4. Find the **Magic Network Monitoring: Volumetric Attack** alert, and select **Select**.
+5. Fill in the notification configuration details.
+6. Select **Save**.
+
+## Configure sFlow DDoS attack notifications
+
+To configure sFlow DDoS attack notifications:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account.
+2. Go to **Notifications** > **Add**.
+3. Select **Magic Transit** from the product dropdown menu.
+4. Find the **Magic Network Monitoring: DDoS Attack** alert, and select **Select**.
+5. Fill in the notification configuration details.
+6. Select **Save**.