Add references to rules (cloudflare_rules)

panther-labs · Dec 11, 2023 · caa1503 · caa1503
1 parent bb28242
commit caa1503
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 0 deletions.
diff --git a/rules/cloudflare_rules/cloudflare_firewall_ddos.yml b/rules/cloudflare_rules/cloudflare_firewall_ddos.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Medium
 Description: Layer 7 Distributed Denial of Service (DDoS) detected
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://www.cloudflare.com/en-gb/learning/ddos/application-layer-ddos-attack/
 DedupPeriodMinutes: 60 # 1 hour
 Threshold:  100
 SummaryAttributes:

diff --git a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
@@ -10,6 +10,7 @@ Tags:
 Severity: Low
 Description: Monitors high volume events blocked from the same IP
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/
 DedupPeriodMinutes: 60 # 1 hour
 Threshold:  200
 SummaryAttributes:

diff --git a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Info
 Description: Monitors high volume events blocked from the same IP enriched with GreyNoise
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://docs.greynoise.io/docs/understanding-greynoise-enrichments
 DedupPeriodMinutes: 60 # 1 hour
 Threshold:  200
 SummaryAttributes:

diff --git a/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml b/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Medium
 Description: Monitors for non-blocked requests from Greynoise identified malicious IP Addresses
 Runbook: Inspect resources accessed for malicious behavior
+Reference: https://docs.greynoise.io/docs/understanding-greynoise-enrichments
 DedupPeriodMinutes: 60 # 1 hour
 Threshold:  1
 SummaryAttributes:

diff --git a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
@@ -10,6 +10,7 @@ Tags:
 Severity: Low
 Description: Monitors for bots making HTTP Requests at a rate higher than 2req/sec
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://developers.cloudflare.com/waf/rate-limiting-rules/request-rate/
 DedupPeriodMinutes: 60 # 1 hour
 Threshold:  7560 # 2req/sec is 7200 + 5% for just-in-case
 SummaryAttributes:

diff --git a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Low
 Description: Monitors for high volume of likely automated HTTP Requests with GreyNoise enrichment
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://docs.greynoise.io/docs/understanding-greynoise-enrichments
 DedupPeriodMinutes: 60 # 1 hour
 Threshold:  7560 # 2req/sec is 7200 + 5% for just-in-case
 SummaryAttributes: