diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx
index 6cdd113dc609db..3398667947f844 100644
--- a/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx
+++ b/src/content/docs/ddos-protection/managed-rulesets/http/http-overrides/override-examples.mdx
@@ -8,7 +8,7 @@ head:
content: Override examples for HTTP DDoS Attack Protection
---
-import { Details, GlossaryTooltip } from "~/components"
+import { Details, GlossaryTooltip, Tabs, TabItem } from "~/components"
## Use cases
@@ -16,11 +16,11 @@ The following scenarios detail how you can make use of override rules as a solut
### Traffic from your mobile application is blocked by a DDoS Managed Rule
-The traffic from your mobile application may have appeared suspicious, causing a DDoS Managed Rule to block it.
+The traffic from your mobile application may have appeared suspicious, causing a DDoS Managed Rule to block it.
You should identify the Managed Rule blocking the traffic and change the sensitivity level to `Medium`. If traffic continues to be blocked by the managed rule, set the sensitivity level to `Low` or `Essentially off`.
-If you have access to filter expressions, you can create an override to target the specific affected traffic.
+If you have access to filter expressions, you can create an override to target the specific affected traffic.
### Traffic is flagged by an adaptive rule based on the location and may be an attack
@@ -34,23 +34,47 @@ In these cases, Cloudflare’s DDoS Protection systems may flag that traffic as
To remedy a false positive:
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to the analytics dashboard and apply filters to the displayed data.
+
+ 1. Select the zone that is experiencing DDoS attack false positives.
+ 2. Go to **Security** > **Events**.
+ 3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
+
+
+ 1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
+ 2. Identify the legitimate traffic that is causing the false positives. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
+
+3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
+4. Copy the rule name.
+5. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
+6. Select **Browse rules** and paste the rule name in the search field.
+7. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions).
+8. Select **Next** and then select **Save**.
+
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to the analytics dashboard and apply filters to the displayed data.
- 3. Select the zone that is experiencing DDoS attack false positives.
- 4. Go to **Security** > **Events**.
- 5. Select **Add filter** and filter by `Service equals HTTP DDoS`.
+ 1. Select the zone that is experiencing DDoS attack false positives.
+ 2. Go to **Security** > **Analytics** > **Events** tab.
+ 3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
- 6. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
- 7. Identify the legitimate traffic that is causing the false positives. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
+ 1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
+ 1. Identify the legitimate traffic that is causing the false positives. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
-8. Scroll down to **Top events by source** > **HTTP DDoS rules**.
-9. Copy the rule name.
-10. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
-11. Select **Browse rules** and paste the rule name in the search field.
-12. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions).
-13. Select **Next** and then select **Save**.
+3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
+4. Copy the rule name.
+5. Go to your zone > **Security** > **Security rules** > **DDoS protection** tab and select **Create override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
+6. Select **Browse rules** and paste the rule name in the search field.
+7. Decrease the rule’s **Sensitivity Level** to _Essentially Off_ or change the rule action to _Log_ (if supported by your current plan and subscriptions).
+8. Select **Next** and then select **Save**.
+
+
Once saved, the rule takes effect within one or two minutes. The rule adjustment should provide immediate remedy, which you can view in the [analytics dashboard](/ddos-protection/reference/analytics/).
@@ -91,29 +115,53 @@ The system chooses the mitigation action based on the logic and the DDoS protect
If you are experiencing a DDoS attack detected by Cloudflare and the applied mitigation action is not sufficiently strict, change the rule action to _Block_:
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
+2. Go to the analytics dashboard and apply filters to the displayed data.
+
+ 1. Select the zone that is experiencing an incomplete mitigation of a DDoS attack.
+ 2. Go to **Security** > **Events**.
+ 3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
+
+
+ 1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
+ 2. Identify the DDoS attack that is having incomplete mitigations. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
+
+3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
+4. Copy the rule name.
+5. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
+6. Select **Browse rules** and paste the rule name in the search field.
+7. Change the rule’s **Action** to *Block*.
+8. Select **Next** and then select **Save**.
+
+
+
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account.
2. Go to the analytics dashboard and apply filters to the displayed data.
- 3. Select the zone that is experiencing an incomplete mitigation of a DDoS attack.
- 4. Go to **Security** > **Events**.
- 5. Select **Add filter** and filter by `Service equals HTTP DDoS`.
+ 1. Select the zone that is experiencing an incomplete mitigation of a DDoS attack.
+ 2. Go to **Security** > **Analytics** > **Events** tab.
+ 3. Select **Add filter** and filter by `Service equals HTTP DDoS`.
- 6. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
- 7. Identify the DDoS attack that is having incomplete mitigations. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
+ 1. Go to Account Home > **Analytics & Logs** > **Network Analytics**.
+ 2. Identify the DDoS attack that is having incomplete mitigations. Use the Attack ID number included in the DDoS alert (if you received one), or apply dashboard filters such as destination IP address and port.
-8. Scroll down to **Top events by source** > **HTTP DDoS rules**.
-9. Copy the rule name.
-10. Go to your zone > **Security** > **DDoS** and select **Deploy a DDoS override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
-11. Select **Browse rules** and paste the rule name in the search field.
-12. Change the rule’s **Action** to *Block*.
-13. Select **Next** and then select **Save**.
+3. Scroll down to **Top events by source** > **HTTP DDoS rules**.
+4. Copy the rule name.
+5. Go to your zone > **Security** > **Security rules** > **DDoS protection** tab and select **Create override**. If you cannot deploy any additional overrides, edit an existing override to adjust rule configuration.
+6. Select **Browse rules** and paste the rule name in the search field.
+7. Change the rule’s **Action** to *Block*.
+8. Select **Next** and then select **Save**.
+
+
Once saved, the rule takes effect within one or two minutes. The rule adjustment should provide immediate remedy, which you can view in the [analytics dashboard](/ddos-protection/reference/analytics/).
#### Alternate procedure
-If you cannot stop an attack from overloading your origin web server using the above steps, [contact Cloudflare Support](/support/contacting-cloudflare-support/) for assistance, providing the following details:
+If you cannot stop an attack from overloading your origin web server using the above steps, [contact Cloudflare Support](/support/contacting-cloudflare-support/) for assistance, providing the following details:
- Time period of the attack (UTC timestamp)
- Domain/path being targeted (zone name/ID)