diff --git a/src/content/docs/security/analytics.mdx b/src/content/docs/security/analytics.mdx
index 4d7e61fe7754c9e..95376e89f1bbf29 100644
--- a/src/content/docs/security/analytics.mdx
+++ b/src/content/docs/security/analytics.mdx
@@ -7,7 +7,7 @@ sidebar:
description: Security analytics shows information about all incoming HTTP requests or mitigated requests (rule matches).
---
-import { GlossaryTooltip } from "~/components";
+import { Stream, GlossaryTooltip } from "~/components";
Security analytics shows information about all incoming HTTP requests or only about requests mitigated by Cloudflare.
@@ -17,6 +17,12 @@ By default, Security Analytics queries filter on `requestSource = 'eyeball'`, wh
Security analytics is available in **Security** > **Analytics**.
+
+
## Traffic
The **Traffic** tab displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products.
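Review bot: The two added lines before `## Traffic` are empty in this diff, so the `Stream` component newly imported at the top of `analytics.mdx` is never used in the visible changes. If a video embed was meant to go here, the tag is missing from the patch; if not, drop `Stream` from the import along with the extra blank lines.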
diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx
index 5908f19489c1631..2775b7af65342f3 100644
--- a/src/content/docs/waf/get-started.mdx
+++ b/src/content/docs/waf/get-started.mdx
@@ -5,7 +5,7 @@ sidebar:
order: 2
---
-import { Details, GlossaryTooltip, Tabs, TabItem, Steps, Render } from "~/components";
+import { Stream, Details, GlossaryTooltip, Tabs, TabItem, Steps, Render } from "~/components";
@@ -19,6 +19,12 @@ Refer to [Concepts](/waf/concepts/) for more information on WAF concepts, main c
This guide focuses on configuring WAF for individual domains, known as zones. The WAF configuration is also available at the account level for Enterprise customers with a paid add-on.
:::
+
+
## Before you begin
- Make sure that you have [set up a Cloudflare account](/fundamentals/account/) and [added your domain](/fundamentals/manage-domains/add-site/) to Cloudflare.
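Review bot: Both lines added after the closing `:::` in `get-started.mdx` are blank, and nothing visible uses the new `Stream` import. If the embed is restored, it should point at the `app-sec-get-started` entry this patch adds under `src/content/stream/`, and a single blank line is enough to separate the aside from `## Before you begin`.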
diff --git a/src/content/stream/app-sec-get-started/index.yaml b/src/content/stream/app-sec-get-started/index.yaml
new file mode 100644
index 000000000000000..8ae299408e0f905
--- /dev/null
+++ b/src/content/stream/app-sec-get-started/index.yaml
@@ -0,0 +1,602 @@
+---
+id: 1a426a3ae597ae3935eb97b5f97f106f
+url: app-sec-get-started
+title: Application Security - Get started guide
+description: In this video, learn how to get immediate protection against the most common attacks.
+products:
+ - dns
+thumbnail:
+ url: https://pub-d9bf66e086fb4b639107aa52105b49dd.r2.dev/appsec-get-started-guide.png
+transcript: |
+
+ WEBVTT
+
+ 1
+ 00:00:00.080 --> 00:00:04.680
+ Cloudflare Application Security Dashboard
+ allows you to manage application security
+
+ 2
+ 00:00:04.720 --> 00:00:08.800
+ features that protect your domains and
+ applications from various web attacks and
+
+ 3
+ 00:00:08.800 --> 00:00:13.440
+ threats. In this video,
+ you'll learn how to get immediate protection
+
+ 4
+ 00:00:13.440 --> 00:00:15.400
+ against the most common attacks.
+
+ 5
+ 00:00:16.040 --> 00:00:20.080
+ Use analytics to monitor and investigate
+ traffic patterns and events.
+
+ 6
+ 00:00:20.640 --> 00:00:22.200
+ Handle false positives.
+
+ 7
+ 00:00:22.960 --> 00:00:24.960
+ Create custom rules with filters.
+
+ 8
+ 00:00:25.520 --> 00:00:29.000
+ Depending on your plan,
+ some functionalities may or may not be
+
+ 9
+ 00:00:29.000 --> 00:00:33.440
+ available to you. For more information,
+ visit our developer documentation.
+
+ 10
+ 00:00:36.760 --> 00:00:40.080
+ Before you can start reviewing analytics or
+ fine tuning rules,
+
+ 11
+ 00:00:40.080 --> 00:00:44.240
+ you need to set up and enable rules that will
+ inspect and mitigate incoming threats.
+
+ 12
+ 00:00:44.800 --> 00:00:47.720
+ Let's start by setting up Cloudflare's
+ managed rule set.
+
+ 13
+ 00:00:47.760 --> 00:00:51.840
+ This rule set contains multiple rules
+ designed to detect known vulnerabilities and
+
+ 14
+ 00:00:51.840 --> 00:00:53.200
+ common attack vectors.
+
+ 15
+ 00:00:53.640 --> 00:00:58.400
+ It's updated weekly and also includes
+ emergency patches for zero day threats.
+
+ 16
+ 00:00:58.840 --> 00:01:02.480
+ If you're on a free plan,
+ the free managed rule set is already deployed
+
+ 17
+ 00:01:02.480 --> 00:01:05.220
+ by default, so you don't have to do anything
+ for this step.
+
+ 18
+ 00:01:05.580 --> 00:01:10.580
+ First, log in to the Cloudflare dashboard,
+ select your account and domain and go to
+
+ 19
+ 00:01:10.620 --> 00:01:15.900
+ Security Settings. Second,
+ in the Web Application Exploits category,
+
+ 20
+ 00:01:15.900 --> 00:01:18.620
+ locate the Cloudflare managed rule set and
+ turn it on.
+
+ 21
+ 00:01:18.940 --> 00:01:22.780
+ By enabling this rule set,
+ you immediately get broad protection with low
+
+ 22
+ 00:01:22.820 --> 00:01:25.940
+ false positives. Once you've enabled this
+ rule set,
+
+ 23
+ 00:01:26.020 --> 00:01:29.940
+ you can go to the analytics page to start
+ understanding how your rules are working.
+
+ 24
+ 00:01:30.500 --> 00:01:33.100
+ Keep in mind the system needs time to collect
+ data,
+
+ 25
+ 00:01:33.100 --> 00:01:37.220
+ so if you just enable the rule sets,
+ allow some time for incoming traffic to be
+
+ 26
+ 00:01:37.220 --> 00:01:38.540
+ analyzed by Cloudflare.
+
+ 27
+ 00:01:41.380 --> 00:01:43.220
+ Let's check out analytics page.
+
+ 28
+ 00:01:43.340 --> 00:01:45.460
+ There are two different views in analytics.
+
+ 29
+ 00:01:45.860 --> 00:01:49.660
+ The traffic tab shows all incoming HTTP
+ requests to your domain,
+
+ 30
+ 00:01:49.660 --> 00:01:53.100
+ including ones that aren't mitigated by any
+ security rules.
+
+ 31
+ 00:01:53.420 --> 00:01:57.940
+ The events tab only shows requests that
+ triggered a Cloudflare Security action,
+
+ 32
+ 00:01:57.940 --> 00:02:00.220
+ such as block, challenge,
+ or lock.
+
+ 33
+ 00:02:00.260 --> 00:02:01.900
+ Let's start with the traffic tab.
+
+ 34
+ 00:02:02.180 --> 00:02:06.840
+ Here you can identify patterns of traffic
+ through filters like request properties.
+
+ 35
+ 00:02:06.880 --> 00:02:10.600
+ Path source, IP action taken,
+ or rule ID.
+
+ 36
+ 00:02:10.840 --> 00:02:12.600
+ Let's take a look at an example.
+
+ 37
+ 00:02:13.280 --> 00:02:17.200
+ Say that you only want to see only post
+ requests for the login path that contain
+
+ 38
+ 00:02:17.200 --> 00:02:25.240
+ leaked credentials. First click Add filter
+ and enter path equals login.
+
+ 39
+ 00:02:26.720 --> 00:02:35.200
+ Click apply. Then add the following
+ additional filters HTTP method equals post
+
+ 40
+ 00:02:35.800 --> 00:02:40.560
+ leaked credentials. Scan results equals
+ username and password leaked.
+
+ 41
+ 00:02:40.960 --> 00:02:44.000
+ Hover on served by origin,
+ then click filter.
+
+ 42
+ 00:02:44.280 --> 00:02:47.680
+ Now that you're filtering by requests that
+ have actually reached origin with leaked
+
+ 43
+ 00:02:47.680 --> 00:02:52.040
+ credentials, you notice that these requests
+ all come from the same IP address.
+
+ 44
+ 00:02:52.680 --> 00:02:56.600
+ The IP address is displayed in the source IP
+ column in sample logs.
+
+ 45
+ 00:02:56.920 --> 00:03:00.240
+ Also available in top statistics source IPS.
+
+ 46
+ 00:03:01.120 --> 00:03:03.080
+ Let's add that IP to the filters.
+
+ 47
+ 00:03:03.440 --> 00:03:06.120
+ Source IP equals to the IP we see here.
+
+ 48
+ 00:03:06.820 --> 00:03:10.540
+ Not only can you use filters to analyze
+ specific kinds of requests,
+
+ 49
+ 00:03:10.540 --> 00:03:14.940
+ you can also use filters as a starting point
+ for creating your own security rules.
+
+ 50
+ 00:03:15.260 --> 00:03:18.020
+ Let's create a rule using the filters we just
+ applied.
+
+ 51
+ 00:03:18.020 --> 00:03:22.420
+ This rule will represent a security challenge
+ to post requests that contain leaked
+
+ 52
+ 00:03:22.420 --> 00:03:25.100
+ credentials coming from the IP address we
+ specified.
+
+ 53
+ 00:03:25.500 --> 00:03:27.660
+ Click Create Custom Security Rule.
+
+ 54
+ 00:03:27.980 --> 00:03:29.740
+ A preview side panel will appear.
+
+ 55
+ 00:03:30.260 --> 00:03:33.060
+ This preview shows you the beginning of the
+ rule you're building.
+
+ 56
+ 00:03:33.460 --> 00:03:37.500
+ We still need to decide what action happens
+ when requests match this rule.
+
+ 57
+ 00:03:37.500 --> 00:03:39.780
+ So let's select Configure Rule action.
+
+ 58
+ 00:03:39.940 --> 00:03:43.780
+ Now you've been brought to the Rule Builder
+ page under the Security Rule section.
+
+ 59
+ 00:03:46.900 --> 00:03:49.020
+ First let's give a rule a name.
+
+ 60
+ 00:03:49.460 --> 00:03:53.780
+ Next you'll see that the rule expression
+ contains the filters you just applied in the
+
+ 61
+ 00:03:53.780 --> 00:03:58.620
+ analytics page. The rule expression specifies
+ the conditions that must be met for the rule
+
+ 62
+ 00:03:58.620 --> 00:04:03.580
+ to run. You can build a rule expression by
+ either using the expression builder or by
+
+ 63
+ 00:04:03.580 --> 00:04:05.380
+ manually writing the rule expression.
+
+ 64
+ 00:04:05.420 --> 00:04:09.270
+ Now let's select the action we want this rule
+ to perform on matching requests.
+
+ 65
+ 00:04:09.630 --> 00:04:13.350
+ Each of the challenge actions use
+ Cloudflare's Challenge platform to verify
+
+ 66
+ 00:04:13.350 --> 00:04:15.710
+ whether a visitor to a domain is a real
+ human,
+
+ 67
+ 00:04:15.710 --> 00:04:18.070
+ and not a bot or automated script.
+
+ 68
+ 00:04:18.350 --> 00:04:22.670
+ An interactive challenge presents visitors
+ with a challenge they need to solve for the
+
+ 69
+ 00:04:22.670 --> 00:04:24.110
+ request to be successful.
+
+ 70
+ 00:04:24.150 --> 00:04:28.950
+ A JavaScript challenge asks the visitor's web
+ browser to solve a JavaScript based challenge
+
+ 71
+ 00:04:28.950 --> 00:04:32.270
+ in the background. Unlike interactive
+ challenges,
+
+ 72
+ 00:04:32.270 --> 00:04:35.630
+ this type of challenge does not require
+ interactions from a visitor.
+
+ 73
+ 00:04:35.870 --> 00:04:39.870
+ A managed challenge allows Cloudflare to
+ dynamically choose the appropriate type of
+
+ 74
+ 00:04:39.870 --> 00:04:43.510
+ challenge to present to a visitor,
+ based on the characteristics of their
+
+ 75
+ 00:04:43.510 --> 00:04:48.830
+ requests. Aside from the challenge actions,
+ we can choose block to completely block all
+
+ 76
+ 00:04:48.830 --> 00:04:54.270
+ requests that match this rule or skip to skip
+ other rules from a selection of options.
+
+ 77
+ 00:04:54.470 --> 00:04:58.390
+ Enterprise accounts also have the option to
+ log requests that match a rule.
+
+ 78
+ 00:04:58.870 --> 00:05:03.390
+ These logged requests can then be found in
+ the Security Analytics under the events tab.
+
+ 79
+ 00:05:03.470 --> 00:05:07.790
+ In this example, we're going to choose
+ Managed Challenge as the action to take on
+
+ 80
+ 00:05:07.790 --> 00:05:09.270
+ requests that match this rule.
+
+ 81
+ 00:05:09.430 --> 00:05:13.930
+ Lastly, we can use a Select Order dropdown to
+ select whether to place this rule at the
+
+ 82
+ 00:05:13.930 --> 00:05:16.250
+ beginning or end of the execution order.
+
+ 83
+ 00:05:16.250 --> 00:05:19.810
+ Rules that match a request are executed in
+ the way they're placed in,
+
+ 84
+ 00:05:19.810 --> 00:05:24.450
+ starting from one. If multiple rules match
+ with the request and a preceding rule is a
+
+ 85
+ 00:05:24.450 --> 00:05:28.850
+ terminating action, such as a block,
+ no subsequent rules will be performed.
+
+ 86
+ 00:05:29.250 --> 00:05:33.130
+ If you want to place this rule in a specific
+ place of the execution order,
+
+ 87
+ 00:05:33.130 --> 00:05:35.570
+ we can edit this after we deploy the rule.
+
+ 88
+ 00:05:35.890 --> 00:05:38.450
+ Now that we've finished building our rule,
+ select deploy.
+
+ 89
+ 00:05:38.730 --> 00:05:42.530
+ Now you're at the Security Rules Overview
+ page where you manage and create custom
+
+ 90
+ 00:05:42.530 --> 00:05:45.650
+ security rules. And here's the rule we just
+ created.
+
+ 91
+ 00:05:46.210 --> 00:05:50.970
+ If you ever want to edit a rule you created
+ or move its position in the execution order,
+
+ 92
+ 00:05:51.130 --> 00:05:54.530
+ just press the three dots to the right of the
+ rule to find these actions.
+
+ 93
+ 00:05:57.610 --> 00:06:02.170
+ Occasionally, legitimate requests may also
+ get blocked by rule from a managed rule set
+
+ 94
+ 00:06:02.170 --> 00:06:04.290
+ that's created and maintained by Cloudflare.
+
+ 95
+ 00:06:04.690 --> 00:06:06.570
+ These are known as false positives.
+
+ 96
+ 00:06:06.850 --> 00:06:10.250
+ Let's head back to the analytics page and go
+ to the events tab.
+
+ 97
+ 00:06:11.850 --> 00:06:16.550
+ Filter by action block and surface managed
+ rules.
+
+ 98
+ 00:06:16.950 --> 00:06:19.150
+ You can adjust the time frame if necessary.
+
+ 99
+ 00:06:19.550 --> 00:06:23.990
+ So in previous 24 hours,
+ if you find legitimate traffic being blocked
+
+ 100
+ 00:06:23.990 --> 00:06:27.110
+ by managed rules, don't just disable the
+ entire rule set.
+
+ 101
+ 00:06:27.110 --> 00:06:31.310
+ First, check for common properties between
+ block requests that should be allowed,
+
+ 102
+ 00:06:31.310 --> 00:06:33.710
+ such as the same path like login.
+
+ 103
+ 00:06:33.750 --> 00:06:38.750
+ Then expand the log details for any of these
+ block requests you'd like to follow and copy
+
+ 104
+ 00:06:38.750 --> 00:06:42.630
+ the rule ID. Take note of the managed Rule
+ set name to allow these requests.
+
+ 105
+ 00:06:42.630 --> 00:06:46.990
+ To bypass this rule, you can either add an
+ exception to skip the rule for request to a
+
+ 106
+ 00:06:46.990 --> 00:06:51.310
+ specific path, or you can configure an
+ override to disable the rule.
+
+ 107
+ 00:06:51.430 --> 00:06:56.430
+ Let's see how you would create an exception
+ for specific path in security rules.
+
+ 108
+ 00:06:56.430 --> 00:06:59.350
+ Select create rule. Manage rules.
+
+ 109
+ 00:07:00.950 --> 00:07:09.830
+ Enter a name for the exception in field we
+ enter URI path in operator equals in value
+
+ 110
+ 00:07:10.070 --> 00:07:15.850
+ login. Then select Skip specific rules from a
+ managed rule set and then choose Select
+
+ 111
+ 00:07:15.850 --> 00:07:19.690
+ Ruleset for the managed rule you previously
+ identified.
+
+ 112
+ 00:07:19.690 --> 00:07:24.850
+ Choose select rules. Search for the rule you
+ want to skip using the rule ID and select it
+
+ 113
+ 00:07:24.850 --> 00:07:28.330
+ using the checkbox. Select next.
+
+ 114
+ 00:07:28.970 --> 00:07:32.970
+ Review your configuration in rules being
+ skipped and select deploy.
+
+ 115
+ 00:07:34.290 --> 00:07:37.610
+ Now let's look at configuring a rule override
+ for that specific rule.
+
+ 116
+ 00:07:38.010 --> 00:07:41.450
+ The override will change the rule for all
+ incoming requests.
+
+ 117
+ 00:07:42.450 --> 00:07:46.170
+ Select the rule name to open the sidebar,
+ then select view.
+
+ 118
+ 00:07:46.170 --> 00:07:50.490
+ In Security rules, select browse rules.
+
+ 119
+ 00:07:51.490 --> 00:07:54.890
+ Search for the rule you want to skip using
+ the rule ID you copied.
+
+ 120
+ 00:07:55.450 --> 00:07:59.530
+ To disable the rule for all requests,
+ set the status to off.
+
+ 121
+ 00:08:00.130 --> 00:08:02.330
+ Select next and then save.
+
+ 122
+ 00:08:02.690 --> 00:08:06.370
+ This keeps your overall protection in place
+ while allowing valid traffic through for
+
+ 123
+ 00:08:06.370 --> 00:08:11.090
+ known cases. You can now set up application
+ security features to protect your domains and
+
+ 124
+ 00:08:11.090 --> 00:08:15.890
+ applications. For more information,
+ please refer to our developer documentation.
\ No newline at end of file
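Review bot: The transcript reads like unedited machine captions, and several cues misstate what the dashboard does: cue 32 lists the actions as "block, challenge, or lock" while cue 77 describes a log action, cue 51 says the rule "will represent a security challenge" where "present" is meant, and cues 101 and 103 say "block requests" for blocked requests. Please proofread the WEBVTT text before merging, because it is the written form of these configuration steps. Separately, `products` lists only `dns` for a video about managed rules, custom rules and Security Analytics, so a WAF or security product tag looks like the intended value, and the file is missing its trailing newline.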