From b2b41a408d2910113e08fea3609d5d2c61f27f15 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Thu, 11 Sep 2025 12:39:26 +0100 Subject: [PATCH 1/2] [Page Shield] Scoped alerts also for log policies --- src/content/docs/page-shield/alerts/index.mdx | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/src/content/docs/page-shield/alerts/index.mdx b/src/content/docs/page-shield/alerts/index.mdx index cdfa3a8b030953..2c7e486cbc5e38 100644 --- a/src/content/docs/page-shield/alerts/index.mdx +++ b/src/content/docs/page-shield/alerts/index.mdx @@ -24,10 +24,6 @@ You can configure unscoped or scoped alerts: - **Scoped alert**: An alert scoped to one or more zones. You must configure [policies](/page-shield/policies/) for the zones you select to receive any notifications. Scoped alerts are triggered immediately. Policy violations will not trigger an alert. For more information, refer to [Scoped alerts](#scoped-alerts). - :::note - Cloudflare only takes into account [policies in allow mode](/page-shield/policies/#policy-actions) for scoped alerts. - ::: - For alerts sent at regular intervals, you might experience a delay between adding a new script and receiving an alert. For instructions on configuring alerts, refer to [Configure an alert](/page-shield/alerts/configure/). @@ -38,27 +34,26 @@ For instructions on configuring alerts, refer to [Configure an alert](/page-shie Applies to Enterprise customers with a paid add-on. ::: -If you have configured [allow policies](/page-shield/policies/#policy-actions) in a zone — policies which allow specific scripts and connections and block everything else — you can filter alert notifications according to those policies. These alerts are called scoped alerts. +If you have configured [policies](/page-shield/policies/) in a zone, you can filter alert notifications according to those policies. These alerts are called scoped alerts. -When you create a scoped alert using the **Policies of these zones** alert filter, you will only receive the most relevant notifications based on the values of the allow policies you configured. +When you create a scoped alert using the **Policies of these zones** alert filter, you will only receive the most relevant notifications based on the policies you configured. For each scoped alert, Cloudflare does the following: -1. Check which allow policies in a zone are enabled. +1. Check which policies in a zone are enabled, either in allow or in log mode. 2. For every enabled policy, compare the URL of the new or changed resource against the allowed sources in the policy. 3. If the resource is allowed by the policy, check if the new or modified resource should trigger the current alert. 4. If the alert should trigger, send an alert notification to the configured destinations. -When you create a scoped alert you will not receive notifications for resources blocked by an allow policy. These are [policy violations](/page-shield/policies/violations/) that you can review in the dashboard, through GraphQL, or via Logpush. +When you create a scoped alert you will not receive notifications for resources that are not allowed by a policy (either [in allow or in log mode](/page-shield/policies/#policy-actions)). These are [policy violations](/page-shield/policies/violations/) that you can review in the dashboard, through GraphQL, or via Logpush. :::note You will not receive notifications for a scoped alert in the following cases: - No configured policies in the zone -- Policy configured in log mode - Policy is not enabled ::: -For unscoped alerts, you will receive alerts for resources detected in all your zones, and you may receive alerts about resources that are blocked by one of your configured allow policies. +For unscoped alerts, you will receive alerts for resources detected in all your zones, and you may receive alerts about resources that violate your configured policies. From aba85d9e767bba8d87126522941ccb05d5ebe3e2 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Thu, 11 Sep 2025 14:53:47 +0100 Subject: [PATCH 2/2] Some more changes --- src/content/docs/page-shield/policies/index.mdx | 2 +- src/content/partials/page-shield/alerts-configure.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/page-shield/policies/index.mdx b/src/content/docs/page-shield/policies/index.mdx index 8d5560bc60be60..db3d90814acfc7 100644 --- a/src/content/docs/page-shield/policies/index.mdx +++ b/src/content/docs/page-shield/policies/index.mdx @@ -41,4 +41,4 @@ Refer to the following pages for instructions on creating a policy or content se - [Create a policy in the dashboard](/page-shield/policies/create-dashboard/) - [Page Shield API: Create a policy](/page-shield/reference/page-shield-api/#create-a-policy) -Once you have configured one or more allow policies in a zone, you can filter alert notifications according to those policies. These alerts are called [scoped alerts](/page-shield/alerts/#scoped-alerts). +Once you have configured one or more policies in a zone, you can filter alert notifications according to those policies. These alerts are called [scoped alerts](/page-shield/alerts/#scoped-alerts). diff --git a/src/content/partials/page-shield/alerts-configure.mdx b/src/content/partials/page-shield/alerts-configure.mdx index 527b1e93c95abb..fdf32abfac0810 100644 --- a/src/content/partials/page-shield/alerts-configure.mdx +++ b/src/content/partials/page-shield/alerts-configure.mdx @@ -15,7 +15,7 @@ To configure an alert: 2. Choose **Add** and then select **Page Shield** in the **Product** dropdown. 3. Select an [alert type](/page-shield/alerts/alert-types/). 4. Enter the notification name and description. -5. (Optional) If you are an Enterprise customer with a paid add-on, you can [define the zones for which you want to filter alerts](/page-shield/alerts/#scoped-alerts) in **Policies of these zones**. This option requires that you define [allow policies](/page-shield/policies/#policy-actions) in the selected zones. +5. (Optional) If you are an Enterprise customer with a paid add-on, you can [define the zones for which you want to filter alerts](/page-shield/alerts/#scoped-alerts) in **Policies of these zones**. This option requires that you define [policies](/page-shield/policies/) in the selected zones. 6. Select one or more notification destinations (notification email, webhooks, and connected notification services). 7. Select **Create**.