diff --git a/rules/cloudflare_rules/cloudflare_firewall_ddos.yml b/rules/cloudflare_rules/cloudflare_firewall_ddos.yml
index ec34e16da..71fa1ba75 100644
--- a/rules/cloudflare_rules/cloudflare_firewall_ddos.yml
+++ b/rules/cloudflare_rules/cloudflare_firewall_ddos.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Medium
 Description: Layer 7 Distributed Denial of Service (DDoS) detected
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://www.cloudflare.com/en-gb/learning/ddos/application-layer-ddos-attack/
 DedupPeriodMinutes: 60 # 1 hour
 Threshold: 100
 SummaryAttributes:
diff --git a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
index 413c82cd8..0d69eba16 100644
--- a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
+++ b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
@@ -10,6 +10,7 @@ Tags:
 Severity: Low
 Description: Monitors high volume events blocked from the same IP
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://developers.cloudflare.com/firewall/cf-firewall-rules/actions/
 DedupPeriodMinutes: 60 # 1 hour
 Threshold: 200
 SummaryAttributes:
diff --git a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
index f844dea1f..f10004a9e 100644
--- a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
+++ b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
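Review bot: The `Reference` added to cloudflare_firewall_ddos.yml carries a regional locale segment (`/en-gb/`), tying the link to one localized mirror of the Cloudflare learning center rather than the canonical page, while every other reference in this commit is locale-neutral. Drop the segment so the link resolves the same for every reader: `Reference: https://www.cloudflare.com/learning/ddos/application-layer-ddos-attack/`. The rule's Tags and SummaryAttributes lie outside the hunk.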
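Review bot: The `Reference` added to cloudflare_firewall_high_volume_events_blocked.yml points at the legacy Firewall Rules docs path (`/firewall/cf-firewall-rules/actions/`), whereas the cloudflare_httpreq_bot_high_volume change in this same commit links the current WAF docs tree (`/waf/...`). Cloudflare has been folding Firewall Rules into WAF custom rules, so this path is likely to redirect today and may go stale; the matching actions page under `https://developers.cloudflare.com/waf/custom-rules/` would be a more durable reference for the block action the Description refers to. Whether the rule's detection body still reads the Firewall Rules action field is outside this hunk, so I cannot say if the rule logic itself needs the same migration.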
@@ -11,6 +11,7 @@ Tags:
 Severity: Info
 Description: Monitors high volume events blocked from the same IP enriched with GreyNoise
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://docs.greynoise.io/docs/understanding-greynoise-enrichments
 DedupPeriodMinutes: 60 # 1 hour
 Threshold: 200
 SummaryAttributes:
diff --git a/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml b/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
index 2e20b57fd..3d12f14e7 100644
--- a/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
+++ b/rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Medium
 Description: Monitors for non-blocked requests from Greynoise identified malicious IP Addresses
 Runbook: Inspect resources accessed for malicious behavior
+Reference: https://docs.greynoise.io/docs/understanding-greynoise-enrichments
 DedupPeriodMinutes: 60 # 1 hour
 Threshold: 1
 SummaryAttributes:
diff --git a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
index f7396f2d5..2ee6dcd13 100644
--- a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
+++ b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
@@ -10,6 +10,7 @@ Tags:
 Severity: Low
 Description: Monitors for bots making HTTP Requests at a rate higher than 2req/sec
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://developers.cloudflare.com/waf/rate-limiting-rules/request-rate/
 DedupPeriodMinutes: 60 # 1 hour
 Threshold: 7560 # 2req/sec is 7200 + 5% for just-in-case
 SummaryAttributes:
diff --git a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
index f7100ad28..5ea80a896 100644
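Review bot: The `Reference` added to cloudflare_httpreq_bot_high_volume.yml documents Cloudflare's own edge rate-limiting rules, which is a different counter from this rule's `Threshold: 7560` evaluated against `DedupPeriodMinutes: 60`, and the inline comment `# 2req/sec is 7200 + 5% for just-in-case` leaves that relationship implicit for a reader who follows the link. If, as the arithmetic assumes, the threshold is counted over the 60-minute dedup window, say so explicitly so the two figures are re-derived together when either is tuned: `Threshold: 7560 # 2 req/s sustained over the 60-minute DedupPeriodMinutes window = 7200, plus 5% headroom`. If the engine counts threshold events over some other window, 7200 does not follow from 2 req/s and the figure should be recomputed. The rule's Tags and detection body lie outside the hunk.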
--- a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
+++ b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Low
 Description: Monitors for high volume of likely automated HTTP Requests with GreyNoise enrichment
 Runbook: Inspect and monitor internet-facing services for potential outages
+Reference: https://docs.greynoise.io/docs/understanding-greynoise-enrichments
 DedupPeriodMinutes: 60 # 1 hour
 Threshold: 7560 # 2req/sec is 7200 + 5% for just-in-case
 SummaryAttributes: