[Docs] Security level follow-up changes (cloudflare#20923)

* Replace custom rules use case
* Update examples
* Remove outdated content
* Update config rules setting from Security Level to I'm Under Attack

Author: pedrosousa

public/_redirects

@@ -1395,6 +1395,7 @@
 /waf/custom-rules/manage-dashboard/ /waf/custom-rules/create-dashboard/ 301
 /waf/security-analytics/ /waf/analytics/security-analytics/ 301
 /waf/custom-rules/use-cases/require-valid-hmac-token/ /waf/custom-rules/use-cases/configure-token-authentication/ 301
+/waf/custom-rules/use-cases/block-ip-reputation/ /waf/custom-rules/use-cases/block-attack-score/ 301
 /waf/tools/scrape-shield/server-side-excludes/ /waf/tools/scrape-shield/ 301
 /waf/rate-limiting-rules/create-account-dashboard/ /waf/account/rate-limiting-rulesets/create-dashboard/ 301
 /waf/managed-rules/deploy-account-dashboard/ /waf/account/managed-rulesets/deploy-dashboard/ 301

src/content/docs/analytics/account-and-zone-analytics/threat-types.mdx

@@ -2,7 +2,6 @@
 pcx_content_type: reference
 source: https://support.cloudflare.com/hc/en-us/articles/204191238-What-are-the-types-of-Threats-
 title: Threat types
-
 ---
 
 Cloudflare classifies the threats that it blocks or challenges. To help you understand more about your site’s traffic, the “Type of Threats Mitigated” metric on the analytics page measures threats blocked or challenged by the following categories:
@@ -21,19 +20,19 @@ Cloudflare's [Browser Integrity Check](/waf/tools/browser-integrity-check/) look
 
 Visitors were presented with an interactive challenge page and failed to pass.
 
-*Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked.*
+_Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked._
 
 ## Browser challenge
 
 A bot gave an invalid answer to the JavaScript challenge (in most cases this will not happen, bots typically do not respond to the challenge at all, so "failed" JavaScript challenges would not get logged).
 
-*Note: During a JavaScript challenge you will be shown an interstitial page for about five seconds while Cloudflare performs a series of mathematical challenges to make sure it is a legitimate human visitor.*
+_Note: During a JavaScript challenge you will be shown an interstitial page for about five seconds while Cloudflare performs a series of mathematical challenges to make sure it is a legitimate human visitor._
 
 ## Bad IP
 
-A request that came from an IP address that is not trusted by Cloudflare based on the Threat Score.
+A request that came from an IP address that is not trusted by Cloudflare based on the threat score.
 
-Cloudflare uses Threat Scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the Threat Score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity. Site owners may override the Threat Score at any time using Cloudflare's security settings.
+Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity.
 
 ## Country block
 
@@ -59,14 +58,14 @@ A /24 IP range that was blocked based on the [user configuration](/waf/tools/ip-
 
 Requests made by a bot that failed to pass the challenge.
 
-*Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked.*
+_Note: An interactive challenge page is a difficult to read word or set of numbers that only a human can translate. If entered incorrectly or not answered in a timely fashion, the request is blocked._
 
 ## Bot Request
 
 Request that came from a bot.
 
 ## Unclassified
 
-Unclassified threats comprises a number of automatic blocks that are not related to the Browser Integrity Challenge (Bad Browser). These threats usually relate to Hotlink Protection, and other actions that happen on Cloudflare's global network based on the composition of the request (and not its content).
+Unclassified threats comprises a number of automatic blocks that are not related to the Browser Integrity Challenge (Bad Browser). These threats usually relate to Hotlink Protection, and other actions that happen on Cloudflare's global network based on the composition of the request (and not its content).
 
 Unclassified means a number of conditions under which we group common threats related to Hotlink Protection as well as certain cases of IP reputation and specific requests that are blocked at Cloudflare's global network before reaching your servers.

src/content/docs/analytics/account-and-zone-analytics/total-threats-stopped.mdx

@@ -2,15 +2,14 @@
 pcx_content_type: reference
 source: https://support.cloudflare.com/hc/en-us/articles/204964927-How-does-Cloudflare-calculate-Total-threats-stopped-
 title: Total threats stopped
-
 ---
 
 Total Threats Stopped measures the number of “suspicious” and “bad” requests that were aimed at your site. Requests receive these labels by our IP Reputation Database as they enter Cloudflare’s network:
 
-* **Legitimate:** request pass directly to your site
-* **Suspicious:** request has been challenged with a [Cloudflare challenge](/waf/reference/cloudflare-challenges/)
-* **Bad:** request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block.
+- **Legitimate:** Request passed directly to your site.
+- **Suspicious:** Request has been challenged with a [Cloudflare challenge](/waf/reference/cloudflare-challenges/).
+- **Bad:** Request has been blocked because our Browser Integrity Check, or because of user configured settings like WAF rules or IP range block.
 
-Cloudflare uses Threat Scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the Threat Score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity.
+Cloudflare uses threat scores gathered from sources such as Project Honeypot, as well as our own communities' traffic to determine whether a visitor is legitimate or malicious. When a legitimate visitor passes a challenge, that helps offset the threat score against the previous negative behavior seen from that IP address. Our system learns who is a threat from this activity.
 
 In addition to threat analytics you can also monitor search engine crawlers going to your websites. For most websites, threats and crawlers make up 20% to 50% of traffic.

src/content/docs/bots/concepts/bot-score/index.mdx

@@ -3,18 +3,17 @@ pcx_content_type: concept
 title: Bot scores
 sidebar:
   order: 2
-
 ---
 
-import { GlossaryTooltip, Render } from "~/components"
+import { GlossaryTooltip, Render } from "~/components";
 
 <Render file="bot-score-definition" />
 
 Bot scores are available to be used in rule expressions and with Workers to customize application behavior. For more details, refer to [Bot Management variables](/bots/reference/bot-management-variables/).
 
 :::note
 
-Granular bot scores are only available to Enterprise customers who have purchased Bot Management. All other customers can only access this information through [bot groupings](#bot-groupings) in Bot Analytics. 
+Granular bot scores are only available to Enterprise customers who have purchased Bot Management. All other customers can only access this information through [bot groupings](#bot-groupings) in Bot Analytics.
 :::
 
 ## Bot groupings
@@ -32,7 +31,7 @@ Bot scores are not computed for requests to paths that are handled by Cloudflare
 
 :::note
 
-The following detection engines only apply to Enterprise Bot Management. For specific details about the engines included in your plan, refer to [Plans](/bots/plans/). 
+The following detection engines only apply to Enterprise Bot Management. For specific details about the engines included in your plan, refer to [Plans](/bots/plans/).
 :::
 
 <Render file="bm-bot-detection-engines" />
@@ -48,7 +47,3 @@ The following detection engines only apply to Enterprise Bot Management. For spe
 ### Notes on detection
 
 <Render file="bots-cookie" />
-
-## Comparison to Threat Score
-
-Bot Score is different from <GlossaryTooltip term="threat score">Threat Score</GlossaryTooltip>. Bot Score identifies bots and Threat Score measures IP reputation across our services. Most customers achieve the best results by relying on bot scores and avoiding IP reputation entirely.

src/content/docs/bots/troubleshooting.mdx

@@ -71,17 +71,6 @@ Yes. WAF rules are executed before Super Bot Fight Mode. If a WAF custom rule pe
 
 ---
 
-## What is the difference between the threat score and bot management score?
-
-The difference is significant:
-
-- Threat score (_cf.threat_score_) is what Cloudflare uses to determine IP Reputation. It goes from 0 (good) to 100 (bad).
-- Bot management score (_cf.bot_management.score_) is what Cloudflare uses in Bot Management to measure if the request is from a human or a script. The scores range from 1 (bot) to 99 (human). Lower scores indicate the request came from a script, API service, or an automated agent. Higher scores indicate that the request came from a human using a standard desktop or mobile web browser.
-
-These fields are available via [WAF custom rules](/waf/custom-rules/) and other products based on the Ruleset Engine.
-
----
-
 ## What is cf.bot_management.verified_bot?
 
 A request's _cf.bot_management.verified_bot_ value is a boolean indicating whether such request comes from a Cloudflare allowed bot.

src/content/docs/fundamentals/trace-request/how-to.mdx

@@ -9,10 +9,9 @@ head:
   - tag: title
     content: How to - Cloudflare Trace (beta)
 description: Learn how to use Cloudflare Trace in the dashboard and with the API.
-
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip } from "~/components";
 
 ## Use Trace in the dashboard
 
@@ -27,18 +26,18 @@ import { GlossaryTooltip } from "~/components"
 
 2. Enter a URL to trace. The URL must include a hostname that belongs to your account.
 
-3. Select an HTTP method. If you select *POST*, *PUT*, or *PATCH*, you should enter a value in **Request body**.
+3. Select an HTTP method. If you select _POST_, _PUT_, or _PATCH_, you should enter a value in **Request body**.
 
 4. (Optional) Define any custom request properties to simulate the conditions of a specific HTTP/S request. You can customize the following request properties:
 
-   * **Protocol** (HTTP protocol version)
-   * **Request headers**
-   * **Cookies**
-   * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/))
-   * [**Bot score**](/bots/concepts/bot-score/)
-   * <GlossaryTooltip term="threat score" link="/ruleset-engine/rules-language/fields/reference/cf.threat_score/">**Threat score**</GlossaryTooltip>
-   * **Request body** (for `POST`, `PUT`, and `PATCH` requests)
-   * **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue)
+   - **Protocol** (HTTP protocol version)
+   - **Request headers**
+   - **Cookies**
+   - **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/))
+   - [**Bot score**](/bots/concepts/bot-score/)
+   - **Threat score**
+   - **Request body** (for `POST`, `PUT`, and `PATCH` requests)
+   - **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue)
 
 5. Select **Send trace**.
 
@@ -48,7 +47,7 @@ The **Trace results** page shows all evaluated and executed configurations from
 
 1. Analyze the different [steps](#steps-in-trace-results) with evaluated and executed configurations for the current trace. Trace results include matches for all active rules and configurations, whether configured at the account level or for a specific domain or subdomain.
 
-   To show all configurations, including the ones that did not match the request, select *All configurations* in the **Results shown** dropdown.
+   To show all configurations, including the ones that did not match the request, select _All configurations_ in the **Results shown** dropdown.
 
 2. (Optional) Update your Cloudflare configuration (at the account or at the domain/subdomain level) and create a new trace to check the impact of your changes.
 
@@ -63,10 +62,10 @@ To run a trace later with the same configuration:
 
 Use the [Request Trace](/api/resources/request_tracers/subresources/traces/methods/create/) operation to perform a trace using the Cloudflare API.
 
-***
+---
 
 ## Steps in trace results
 
-* Execution of one or more rules of Cloudflare products built on the [Ruleset Engine](/ruleset-engine/). Refer to the Ruleset Engine's [Phases list](/ruleset-engine/reference/phases-list/) for a list of such products.
-* [Page Rules](/rules/page-rules/): Execution of one or more rules.
-* [Workers](/workers/): Execution of one or more scripts.
+- Execution of one or more rules of Cloudflare products built on the [Ruleset Engine](/ruleset-engine/). Refer to the Ruleset Engine's [Phases list](/ruleset-engine/reference/phases-list/) for a list of such products.
+- [Page Rules](/rules/page-rules/): Execution of one or more rules.
+- [Workers](/workers/): Execution of one or more scripts.

src/content/docs/learning-paths/prevent-ddos-attacks/advanced/customize-security.mdx

@@ -3,17 +3,15 @@ title: Customize Cloudflare security
 pcx_content_type: learning-unit
 sidebar:
   order: 3
-
 ---
 
 Another way of reducing origin traffic is customizing the Cloudflare WAF and other security features. The fewer malicious requests that reach your application, the fewer that could reach (and overwhelm) your origin.
 
 To reduce incoming malicious requests, you could:
 
-* Create [WAF custom rules](/waf/custom-rules/) for protection based on specific aspects of incoming requests.
-* Adjust DDoS rules to handle [false negatives and false positives](/ddos-protection/managed-rulesets/adjust-rules/).
-* Build [rate limiting rules](/waf/rate-limiting-rules/) to protect against specific patterns of requests.
-* Enable [bot protection](/bots/get-started/) or set up [Bot Management for Enterprise](/bots/get-started/bm-subscription/) to protect against automated abuse.
-* Explore [network-layer DDoS attack protection](/ddos-protection/managed-rulesets/network/).
-* Configure your zone's [Security Level](/waf/tools/security-level/) globally or selectively (depending on your needs).
-* Review the rest of Cloudflare's [security options](/learning-paths/application-security/account-security/).
+- Create [WAF custom rules](/waf/custom-rules/) for protection based on specific aspects of incoming requests.
+- Adjust DDoS rules to handle [false negatives and false positives](/ddos-protection/managed-rulesets/adjust-rules/).
+- Build [rate limiting rules](/waf/rate-limiting-rules/) to protect against specific patterns of requests.
+- Enable [bot protection](/bots/get-started/) or set up [Bot Management for Enterprise](/bots/get-started/bm-subscription/) to protect against automated abuse.
+- Explore [network-layer DDoS attack protection](/ddos-protection/managed-rulesets/network/).
+- Review the rest of Cloudflare's [security options](/learning-paths/application-security/account-security/).

src/content/docs/network/onion-routing.mdx

@@ -14,30 +14,24 @@ Improve the Tor user experience by enabling Onion Routing, which enables Cloudfl
 
 ## How it works
 
-Due to the behavior of some individuals using the Tor network (spammers, distributors of malware, attackers), the IP addresses of Tor exit nodes may earn a bad reputation, elevating their Cloudflare threat score.
-
-Our [basic protection level](/waf/tools/security-level/) issues challenges to visitors whose IP address has a high threat score, depending on the level chosen by the Cloudflare customer.
-
-One way to address this threat score is to create [custom WAF rules](/waf/custom-rules/). Cloudflare assigns the two-letter code `T1` for Tor.  There's no geographical country associated with these IPs, but this approach lets Cloudflare customers override the default Cloudflare threat score to define the experience for their Tor visitors. Cloudflare updates its list of Tor exit node IP addresses every hour.
-
-The other way to improve the Tor user experience is through Onion Routing. This improves Tor browsing as follows:
+Onion Routing helps improve Tor browsing as follows:
 
 - Tor users no longer access your site via exit nodes, which can sometimes be compromised, and may snoop on user traffic.
 - Human Tor users and bots can be distinguished by our Onion services, such that interactive challenges are only served to malicious bot traffic.
 
 [Tor Browser](https://tb-manual.torproject.org/about/) users receive an [alt-svc header](https://httpwg.org/specs/rfc7838.html#alt-svc) as part of the response to the first request to your website. The browser then creates a Tor Circuit to access this website using the `.onion` TLD service provided by this header.
 
-You should note that the visible domain in the UI remains unchanged, as the host header and the SNI are preserved. However, the underlying connection changes to be routed through Tor, as the [UI denotes on the left of the address bar](https://tb-manual.torproject.org/managing-identities/#managing-identities) with a Tor Circuit. Cloudflare does not provide a certificate for the `.onion` domain provided as part of alt-svc flow, which therefore cannot be accessed via HTTPS.
+You should note that the visible domain in the user interface remains unchanged, as the host header and the SNI are preserved. However, the underlying connection changes to be routed through Tor, as the [UI denotes on the left of the address bar](https://tb-manual.torproject.org/managing-identities/#managing-identities) with a Tor Circuit. Cloudflare does not provide a certificate for the `.onion` domain provided as part of alt-svc flow, which therefore cannot be accessed via HTTPS.
 
 ## Enable Onion Routing
 
 <Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
 To enable **Onion Routing** in the dashboard:
 
-1. Log in to your [Cloudflare account](https://dash.cloudflare.com) and go to a specific domain.
-2. Go to **Network**.
-3. For **Onion Routing**, switch the toggle to **On**.
+1. Log in to your [Cloudflare account](https://dash.cloudflare.com), and select your account and domain.
+2. Go to **Network**.
+3. For **Onion Routing**, switch the toggle to **On**.
 
 </TabItem> <TabItem label="API">
 

src/content/docs/rules/configuration-rules/settings.mdx

@@ -262,26 +262,21 @@ API configuration property name: `"rocket_loader"` (boolean).
 
 </Details>
 
-## Security Level
+## I'm Under Attack
 
-[Security Level](/waf/tools/security-level/) controls Managed Challenges for requests from low reputation IP addresses.
+When enabled, [Under Attack mode](/fundamentals/reference/under-attack-mode/) performs additional security checks to help mitigate layer 7 DDoS attacks. Validated users access your website and suspicious traffic is blocked.
 
-On the Cloudflare dashboard, you can turn Under Attack mode on or off. 
-
-- Off
-- I'm Under Attack
-
-Refer to [Under Attack mode](/fundamentals/reference/under-attack-mode/) for more information.
+Use this setting to turn on or off Under Attack mode for matching requests.
 
 <Details header="API information">
 
 API configuration property name: `"security_level"` (string).
 
-API values: `"off"`, `"essentially_off"`, `"low"`, `"medium"`, `"high"`, `"under_attack"`.
+API values: `"off"`, `"essentially_off"`, `"under_attack"`.
 
 ```json title="API configuration example"
 "action_parameters": {
-  "security_level": "low"
+  "security_level": "under_attack"
 }
 ```