Quick Start Security for Cloudflare
Coralogix Extension For Cloudflare Includes:
Dashboards - 4
Gain instantaneous visualization of all your Cloudflare data.
Alerts - 51
Stay on top of Cloudflare key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
WAF - A New Client Request Host Detected
This alert detects when a client requests a host that has not been seen before. Note that the alert becomes active only after the configured alert time window (in this case 7 days) has elapsed since deployment. This lets the algorithm train on the new values of the tracked key, capture the baseline and avoid false notifications.
Impact: After threat actors have gained access to your account, they can request new hosts on behalf of legitimate users and perform further malicious operations.
Mitigation: Check with the user who initiated this request. If the user is unaware of the activity, investigate further.
MITRE Tactic: TA0001 MITRE Technique: T1190
WAF - High error ratio of 5xx origin response, over 5% in 30min
This alert detects when 5xx origin response status codes exceed 5% of all origin response status codes within 30 minutes. In other words, the alert computes the ratio of 5xx error codes to the total number of response codes over a 30-minute window and triggers when that ratio exceeds 5%. Here, 'origin response' means the error response was generated by your origin web server.
Impact: Excessive 5xx errors prevent the server from fulfilling legitimate requests and loading your site content, resulting in a poor user experience.
Mitigation: The following actions can be taken to mitigate or troubleshoot this behavior: investigate excessive server load, crashes or network failures; identify applications or services that timed out or were blocked; review origin web server error logs to identify web server application crashes or outages. See the link below for more details on mitigating the different 5xx errors: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors
MITRE Tactic: TA0040 MITRE Technique: T1498
WAF - More than usual 5xx edge response errors (at least 10)
This alert detects when more 5xx edge response errors than usual are generated: it triggers when the count exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. The edge response status code is the HTTP response code sent from Cloudflare to the client (end user).
Note: Since this alert starts alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 5xx edge response, over 5% in 30min', which starts alerting on anomalies right after deployment.
Impact: Excessive 5xx errors prevent the server from fulfilling legitimate requests and loading your site content, resulting in a poor user experience.
Mitigation: Check the exact status code generated and investigate further to understand its cause. See the link below for detailed mitigations for the different 5xx errors: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors
MITRE Tactic: TA0040 MITRE Technique: T1498
WAF - More than usual 4xx origin response errors (at least 10)
This alert detects when more 4xx origin response errors than usual are generated: it triggers when the count exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. The origin response status code is the HTTP response code sent from the origin server to Cloudflare.
Note: Since this alert starts alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 4xx origin response, over 15% in 30min', which starts alerting on anomalies right after deployment.
Impact: An excessive number of 4xx status codes could impact the normal business operations of an organization. Usually, the purpose behind this kind of attack is to tarnish the image of an organization by making its web servers inaccessible to legitimate users.
Mitigation: Check the exact status code generated and investigate further to understand its cause. See the link below for detailed mitigations for the different 4xx errors: https://community.cloudflare.com/t/community-tip-fixing-4xx-errors/68457
MITRE Tactic: TA0040 MITRE Technique: T1498
WAF - More than usual 4xx edge response errors (at least 10)
This alert detects when more 4xx edge response errors than usual are generated: it triggers when the count exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. The edge response status code is the HTTP response code sent from Cloudflare to the client (end user).
Note: Since this alert starts alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 4xx edge response, over 15% in 30min', which starts alerting on anomalies right after deployment.
Impact: An excessive number of 4xx edge responses within a specific interval indicates that a threat actor is sending malicious or malformed requests and could indicate a DoS/DDoS attack.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further.
MITRE Tactic: TA0040 MITRE Technique: T1498
WAF - More than usual 5xx origin response errors (at least 10)
This alert detects when more 5xx origin response errors than usual are generated: it triggers when the count exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. Here, 'origin response' means the error response was generated by your origin web server.
Note: Since this alert starts alerting only after 1 week of being deployed, users can also make use of the similar alert 'Cloudflare - High error ratio of 5xx origin response, over 5% in 30min', which starts alerting on anomalies right after deployment.
Impact: Excessive 5xx errors prevent the server from fulfilling legitimate requests and loading your site content, resulting in a poor user experience.
Mitigation: The following actions can be taken to mitigate or troubleshoot this behavior: investigate excessive server load, crashes or network failures; identify applications or services that timed out or were blocked; review origin web server error logs to identify web server application crashes or outages. See the link below for more details on mitigating the different 5xx errors: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors
MITRE Tactic: TA0040 MITRE Technique: T1498
WAF - High Volume of Bot Requests
This alert detects a high volume of bot requests. A bot is an autonomous program on a network that interacts with computer systems or users, imitating or replacing a human user's behavior and performing repetitive tasks. Bots fall into two categories:
1. Good bots: bots that are useful to the businesses they interact with, e.g. search engine bots such as Googlebot and Bingbot, or bots that operate on social media platforms such as Facebook Bot.
2. Bad bots: bots designed to perform malicious actions that ultimately hurt businesses, e.g. credential stuffing bots, third-party scraping bots, spam bots, etc.
Impact: Threat actors can send a high volume of bot requests to the web servers either to disrupt the normal operations of a business or to extract confidential information.
Mitigation: Check the nature of the bot. If the bot is not in the good bots category, investigate further.
MITRE Tactic: TA0042 MITRE Technique: T1583
Audit - No Logs From Cloudflare
This alert detects when no logs are seen from Cloudflare in the user account.
Impact: An adversary may disable logging capabilities and integrations to limit what data is collected on their activities and avoid detection.
Mitigation: Investigate the root cause of this behavior and re-enable logging if it has been disabled. Additionally, administrators can manage policies to ensure that only the necessary users have permission to change logging policies.
MITRE Tactic: TA0005 MITRE Technique: T1562
Audit - API Key Viewed
This alert detects whenever the account-wide API key is viewed. API keys are the previous (legacy) authorization scheme for interacting with the Cloudflare API; Cloudflare recommends using API tokens instead of API keys where possible. Cloudflare provides two types of API keys:
Global API Key: serves as your main API key.
Origin CA Key: only used when creating origin certificates through the API.
Impact: If a threat actor has access to your account, they can view the API key and use it to perform further malicious activities. See the link below for more details on the limitations associated with API keys: https://developers.cloudflare.com/fundamentals/api/get-started/keys/
Mitigation: Check with the user who viewed the API key to validate the action. If the user is unaware of the activity, investigate further.
MITRE Tactic: TA0104 MITRE Technique: T0871
Audit - API Token Rolled
This alert detects when a Cloudflare user API token is rolled. If your token is lost or compromised, you can either create a new token or roll your token to generate a new secret. Rolling an API token invalidates the previous token, but the access and permissions remain the same as for the previous token.
Impact: Rolling an API token could indicate that the token was lost or compromised. If the token was compromised, an attacker could leverage it to perform malicious operations.
Mitigation: Investigate the reason for rolling the API token. If the token was indeed compromised, investigate the actions performed by the threat actor further. If the token was lost, check with the responsible user and investigate further.
MITRE Tactic: TA0031 MITRE Technique: T1635
Audit - API Token Created
This alert detects when a Cloudflare user API token is created. Using the Cloudflare API requires authentication so that Cloudflare knows who is making requests and what permissions they have.
Impact: After a threat actor has gained access to an account, they can create API tokens without your knowledge and perform further malicious operations to maintain persistence, exfiltrate information, and so on.
Mitigation: Validate that this action was legitimate. If not, revert the change and investigate further.
MITRE Tactic: TA0004 MITRE Technique: T1134
Audit - A Worker Was Updated
This alert detects every time an existing Cloudflare Worker is updated. Cloudflare Workers is a platform for running serverless functions as close as possible to the end user.
Impact: If a threat actor has gained initial access to a Cloudflare account, they can update existing legitimate Workers, replacing the existing scripts with malicious ones to maintain persistence in the network or for C2 communication.
Mitigation: Validate that this action was legitimate. If not, revert the change and investigate further.
MITRE Tactic: TA0003 MITRE Technique: T1037
Audit - A Worker Was Created
This alert detects every time a new Cloudflare Worker is created. Cloudflare Workers is a platform for running serverless functions as close as possible to the end user.
Impact: If a threat actor has gained initial access to a Cloudflare account, they can create malicious Workers to establish persistence and exfiltrate sensitive data.
Mitigation: Validate that this action was legitimate. If not, revert the change and investigate further.
MITRE Tactic: TA0003 MITRE Technique: T1037
Audit - Account password changed
This alert detects when a user resets their password by selecting the 'Forgot your password?' option on the account login page.
Impact: Threat actors can reset a user's password and make the account inaccessible to the legitimate user. In this way adversaries may interrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users.
Mitigation: Check whether the user is aware of this activity. If not, reset the password and investigate the action further. Make sure multi-factor authentication is enabled for user and privileged accounts.
MITRE Tactic: TA0003 MITRE Technique: T1098
WAF - Potential SQLi Attack
This alert triggers when a large number of logs contain Cloudflare WAF SQLi Attack Score values that indicate an attack (score between 1 and 20). Read more about the Cloudflare WAF Attack Score here: https://developers.cloudflare.com/waf/about/waf-attack-score/
PLEASE NOTE: This alert will only trigger if your Cloudflare plan is at least Enterprise level.
Impact: May indicate an SQLi attack, which can have serious consequences for organizations, including data breach, application disruption and unauthorized access to organizational assets.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1059
WAF - Possible Information Disclosure
This alert detects when a successful HTTP GET request (2xx response) targets a URL that ends with one of a set of specific file extensions (such as .txt) that may contain information that should not be exposed directly to the internet. The following file extensions are detected by this alert:
Configuration files: .env, .config, .ini, .conf
Backup files: .bak, .old, .zip
Log files: .log, .txt, .log.txt
Source code files: .java, .py, .rb
Database dump files: .sql, .dump
Backup scripts: .sh, .bat, .ps1
Private keys and certificates: .pem, .key, .p12, .crt
Please note: This alert may require tuning based on the web application's usage (i.e. whether it serves any of the listed file extensions). File extensions can be added or removed, and the match condition can be tuned to a lower or higher rate of occurrence to match the operation of the web application.
Impact: Information disclosure attacks can have severe consequences for individuals and organizations, resulting in a data and privacy breach.
Mitigation: Investigate the URLs and confirm whether they are legitimate and part of the web application's normal operation and purpose. If not, consider blocking the client IP on the WAF.
MITRE Tactic: TA0009 MITRE Technique: T1048
WAF - XSS Attack
This alert detects when a Cross-Site Scripting (XSS) attack may be taking place, based on triggered Cloudflare WAF rules containing a certain set of keywords that represent XSS attacks, over a determined period of time in the context of a single IP address.
Impact: May indicate an XSS attack, which can have serious consequences for organizations, such as data theft, privacy breach and reputation damage.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1190
WAF - SQLi Attack
This alert detects when an SQL Injection (SQLi) attack may be taking place, based on triggered Cloudflare WAF rules containing a certain set of keywords that represent SQLi attacks, over a determined period of time in the context of a single IP address.
Impact: May indicate an SQLi attack, which can have serious consequences for organizations, including data breach, application disruption and unauthorized access to organizational assets.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1059
WAF - Remote Code Execution Attack
This alert detects when a Remote Code Execution (RCE) attack may be taking place, based on triggered Cloudflare WAF rules containing a certain set of keywords that represent RCE attacks, over a determined period of time in the context of a single IP address.
Impact: May indicate an RCE attack, in which assets may be compromised by malicious actors.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1203
WAF - Possible Bypass
This alert uses specific logic that may indicate the Cloudflare WAF is NOT BLOCKING potentially malicious requests, based on a Cloudflare WAF Attack Score that indicates an attack. The alert triggers if the WAF Action is "unknown" AND NOT "simulate" and the WAF Attack Score is between 1 and 50, indicating an attack or likely attack. Read more about the Cloudflare WAF Attack Score here: https://developers.cloudflare.com/waf/about/waf-attack-score/
PLEASE NOTE: This alert will only trigger if your Cloudflare plan is at least Enterprise level.
Impact: Context dependent; in most cases this alert surfaces payloads that bypass the Cloudflare WAF, or a zero-day attack.
Mitigation: Investigate further by examining the source IPs, request URLs, and edge and origin response codes.
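To make the detection logic concrete, the following is an added example (not Coralogix's or Cloudflare's own rule code) that applies the 'High error ratio of 5xx origin response, over 5% in 30min' condition and the 'Possible Bypass' condition above to constructed records shaped like Cloudflare HTTP request logs. The field names (EdgeStartTimestamp, ClientRequestURI, EdgeResponseStatus, OriginResponseStatus, WAFAction, WAFAttackScore, ClientIP) and the treatment of an origin status of 0 as "no origin response" are assumptions.

```python
"""Reference detection logic for two of the Cloudflare WAF alerts on this page.

Added example, not Coralogix's or Cloudflare's own rule code. Records are
constructed in the shape of Cloudflare HTTP request logs; the field names
used below are assumptions, as is treating OriginResponseStatus == 0 as
"no origin response" (e.g. a cache hit or a request blocked at the edge).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)   # "over 5% in 30min"
RATIO_THRESHOLD = 0.05
BYPASS_SCORE_MAX = 50            # WAF Attack Score 1..50 = attack or likely attack


def parse_ts(s):
    """Parse an RFC 3339 UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def origin_5xx_ratio(records, window_end):
    """Ratio of 5xx origin responses to all origin responses in the
    30-minute window ending at window_end (inclusive on both ends)."""
    start = window_end - WINDOW
    total = errors = 0
    for r in records:
        status = r.get("OriginResponseStatus", 0)
        if status <= 0:                       # no origin response to count
            continue
        if start <= parse_ts(r["EdgeStartTimestamp"]) <= window_end:
            total += 1
            if 500 <= status <= 599:
                errors += 1
    return errors / total if total else 0.0


def high_5xx_origin_ratio(records, window_end):
    """True when the ratio condition from the alert description is met."""
    return origin_5xx_ratio(records, window_end) > RATIO_THRESHOLD


def possible_waf_bypass(records):
    """Records matching the 'WAF - Possible Bypass' logic: WAF Action is
    "unknown" (and hence not "simulate") and WAF Attack Score is 1..50."""
    hits = []
    for r in records:
        action = r.get("WAFAction", "unknown")
        score = r.get("WAFAttackScore")
        if (action == "unknown" and action != "simulate"
                and score is not None and 1 <= score <= BYPASS_SCORE_MAX):
            hits.append(r)
    return hits


def bypass_summary_by_ip(hits):
    """Group bypass hits by source IP with the fields the mitigation step
    asks an analyst to examine: request URL, edge and origin status."""
    by_ip = defaultdict(list)
    for r in hits:
        by_ip[r["ClientIP"]].append(
            (r["ClientRequestURI"], r["EdgeResponseStatus"], r["OriginResponseStatus"]))
    return dict(by_ip)


def rec(ts, uri, edge, origin, action="unknown", score=99, ip="203.0.113.10"):
    """Build one constructed log record (default score 99 is far outside the 1..50 range)."""
    return {"EdgeStartTimestamp": ts, "ClientRequestURI": uri,
            "EdgeResponseStatus": edge, "OriginResponseStatus": origin,
            "WAFAction": action, "WAFAttackScore": score, "ClientIP": ip}


# Constructed sample traffic (not real logs): 24 origin responses in the
# window 12:00-12:30Z, two of them 5xx, plus assorted WAF outcomes.
SAMPLE = [rec(f"2024-05-01T12:{m:02d}:00Z", "/index.html", 200, 200) for m in range(18)]
SAMPLE += [
    rec("2024-05-01T12:18:00Z", "/api/orders", 502, 502),
    rec("2024-05-01T12:19:00Z", "/api/orders", 504, 504),
    rec("2024-05-01T12:20:00Z", "/static/app.js", 200, 0),   # cache hit, no origin response
    rec("2024-05-01T11:20:00Z", "/api/orders", 503, 503),    # outside the 30-minute window
    rec("2024-05-01T12:21:00Z", "/search", 200, 200, "unknown", 12, "198.51.100.7"),   # not blocked, attack score
    rec("2024-05-01T12:22:00Z", "/login", 200, 200, "unknown", 35, "198.51.100.9"),    # not blocked, likely attack
    rec("2024-05-01T12:23:00Z", "/search", 403, 0, "block", 5, "198.51.100.7"),        # blocked at the edge
    rec("2024-05-01T12:24:00Z", "/search", 200, 200, "simulate", 10, "198.51.100.7"),  # simulate mode, excluded
    rec("2024-05-01T12:25:00Z", "/about", 200, 200, "unknown", 70, "203.0.113.10"),    # likely clean, excluded
]
WINDOW_END = parse_ts("2024-05-01T12:30:00Z")

if __name__ == "__main__":
    print(f"5xx origin ratio: {origin_5xx_ratio(SAMPLE, WINDOW_END):.3f} "
          f"-> alert={high_5xx_origin_ratio(SAMPLE, WINDOW_END)}")
    for ip, reqs in bypass_summary_by_ip(possible_waf_bypass(SAMPLE)).items():
        print(f"possible bypass from {ip}: {reqs}")
```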
WAF - Potential XSS Attack
This alert triggers when a large number of logs contain Cloudflare WAF XSS Attack Score values that indicate an attack (score between 1 and 20). Read more about the Cloudflare WAF Attack Score here: https://developers.cloudflare.com/waf/about/waf-attack-score/
Impact: May indicate an XSS attack, which can have serious consequences for organizations, such as data theft, privacy breach and reputation damage.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1190
WAF - Potential RCE Attack
This alert triggers when a large number of logs contain Cloudflare WAF RCE Attack Score values that indicate an attack (score between 1 and 20). Read more about the Cloudflare WAF Attack Score here: https://developers.cloudflare.com/waf/about/waf-attack-score/
PLEASE NOTE: This alert will only trigger if your Cloudflare plan is at least Enterprise level.
Impact: May indicate an RCE attack, in which assets may be compromised by malicious actors.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
MITRE Tactic: TA0001 MITRE Technique: T1203
WAF - Common Vulnerability Attack
This alert fires when logs containing triggered Cloudflare WAF rules mention a CVE over a determined period of time in the context of a single IP address.
Impact: Depends on the CVE mentioned; requires investigation.
Mitigation: Validate the requests intercepted at the Cloudflare edge. If they seem suspicious, investigate further by examining the source IPs, request URLs, and edge and origin response codes.
WAF - Brute Force on Login URLs
This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages systematically attempt multiple combinations of usernames and passwords until a login succeeds. The technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error.
Impact: The impact varies with the success of the attack and the sensitivity of the targeted system: account compromise, privilege escalation, data breach, resource exhaustion, weakened security posture.
Mitigation: If the aggregated logs show login URLs that match your web application's login page, validate the requests intercepted at the Cloudflare edge. If they are not legitimate, consider blocking the offending IP on the Cloudflare WAF.
MITRE Tactic: TA0006 MITRE Technique: T1110
DNS - Excessive REFUSED Response Code Returned
This alert detects when a high number of REFUSED response codes is returned for DNS queries. The REFUSED response code indicates that the DNS query failed because the server refused to answer it, which may be for policy reasons.
Impact: A high number of REFUSED responses from DNS servers could be due to policy reasons. For example, a particular device may be blocked if it is abusing the nameserver, or a particular operation, such as a zone transfer, might be forbidden. A zone transfer is a way of replicating DNS configuration information across multiple DNS servers for load balancing or backup. Usually, only an authorized person can complete a zone transfer; if an unauthorized user tries to initiate one, this is the response code they get.
Mitigation: Investigate the source hosts querying the domains that resulted in a high number of REFUSED responses.
MITRE Tactic: TA0011 MITRE Technique: T1071 MITRE Sub-Technique: 004
DNS - Excessive SERVFAIL Response Code Returned
This alert detects when a high number of SERVFAIL response codes is returned for DNS queries. The SERVFAIL response code indicates a server failure, which may mean there is a technical problem with the DNS servers.
Impact: A high number of SERVFAIL responses from DNS servers could indicate that a security control on your network, such as a firewall or intrusion prevention system, is blocking a user from reaching that domain. Much like NXDOMAIN, excessive SERVFAIL responses should be investigated for malicious activity.
Mitigation: Investigate the source hosts querying the domains that resulted in a high number of SERVFAIL responses. See the links below for more detail:
https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/
https://blog.cloudflare.com/unwrap-the-servfail/
MITRE Tactic: TA0011 MITRE Technique: T1071 MITRE Sub-Technique: 004
DNS - High Number of NXDOMAIN Responses Returned
This alert detects when a high number of NXDOMAIN response codes is returned for DNS queries. The NXDOMAIN response code indicates that the queried domain does not exist.
Impact: A high number of NXDOMAIN responses from DNS servers can indicate Domain Generation Algorithm (DGA) activity. DGAs are used by attackers to generate random domain names to obfuscate the communication between their malware and the command and control server. DGA activity might indicate a malware infection in your network trying to communicate with the attacker's C&C server.
Mitigation: Investigate the source hosts querying the domains that resulted in a high number of NXDOMAIN responses. See the link below for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/
MITRE Tactic: TA0011 MITRE Technique: T1071 MITRE Sub-Technique: 004
DNS - Anomalous Number of Uncommon DNS Record Types Observed
This alert detects when a high number of DNS queries with uncommon record types such as TXT, PTR and NULL are seen from a host.
TXT: a text record; these records are often used for email security.
PTR: provides a domain name in reverse lookups.
NULL: a null resource record.
Impact: Threat actors may use less common record types for their C2 channels to support different commands or functions. For example, a C2 channel may use TXT requests to retrieve additional information, malware, or commands to execute.
Mitigation: Investigate the hosts querying the domains with a high number of these uncommon record types.
MITRE Tactic: TA0011 MITRE Technique: T1071 MITRE Sub-Technique: 004
Audit - DNS A Record Deleted
This alert detects when an A record is deleted. The main use of an A record is IPv4 address lookup: using an A record, a web browser can load a website by its domain name.
Impact: With an A record, an adversary can create a custom domain or point existing domains to an attacker-controlled IP. Deleting an A record could disrupt DNS name resolution and normal network operations.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS NS Record Deleted
This alert detects when an NS record is deleted. A nameserver (NS) record specifies the authoritative DNS server for a domain. In other words, the NS record points to where internet applications such as a web browser can find the IP address for a domain name. Usually, multiple nameservers are specified for a domain.
Impact: Deleting an NS record can disrupt normal name resolution for the relevant domain.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS AAAA Record Deleted
This alert detects when an AAAA record is deleted. The main use of AAAA records is IPv6 address lookup: using an AAAA record, a web browser can load a website by its domain name. With an AAAA record, an adversary can create a custom domain or point existing domains to an attacker-controlled IP.
Impact: Deleting an AAAA record can disrupt DNS name resolution and normal network operations for the relevant domain.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS PTR Record Deleted
This alert detects when a PTR record is deleted. A pointer (PTR) record provides the domain name associated with an IP address; it is the exact opposite of an A record, which provides the IP address associated with a domain name. PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup matches the domain name to an IP address; a reverse DNS lookup is the opposite of this process, a query that starts with the IP address and looks up the domain name.
Impact: Deleting a PTR record can remove email anti-spam definitions or hinder troubleshooting of email delivery issues. It can also harm logging of DNS traffic, as PTR records are used to convert IPs into human-readable domain names.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS TXT Record Deleted
This alert detects when a TXT record is deleted. TXT records are a type of DNS record containing text information for sources outside your domain; you add them in your domain settings. TXT records serve various purposes, such as verifying domain ownership or email security (DKIM and SPF records).
Impact: Deleting a TXT record can remove email security definitions or break domain ownership verification, leading to disruption of normal network operations.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS MX Record Deleted
This alert detects when an MX record is deleted. A mail exchange (MX) record is a DNS record type that shows where emails for a domain should be routed; in other words, an MX record makes it possible to direct emails to a mail server.
Impact: Deleting an MX record can disrupt normal email operations.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS CAA Record Deleted
This alert detects when a CAA record is deleted. CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain; if a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.
Impact: With a CAA record, an adversary can direct certificate issuance for the domain to an attacker-controlled CA. Changing a CAA record could also disrupt normal network operations.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS CNAME Record Deleted
This alert detects when a CNAME record is deleted. A CNAME (canonical name) record points a domain name (an alias) to another domain. In a CNAME record, the alias does not point to an IP address; the domain name that the alias points to is the canonical name.
Impact: Deleting a CNAME record could disrupt DNS name resolution and normal network operations.
Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This helps prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS AAAA Record Added or Updated
This alert detects when an AAAA record was created or updated. The main use of AAAA records is for IPv6 address lookup. Using an AAAA record, a web browser is able to load a website using the domain name.
Impact: With an AAAA record, an adversary can create a custom domain or point existing domains to an attacker-controlled IP. Changing an AAAA record could also disrupt DNS name resolution and normal network operations.
Mitigation: Validate that the action was authorized and intended; revert the changes and investigate further if not. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS TXT Record Added or Updated
This alert detects when a TXT record was created or updated. TXT records are a type of DNS record that contains text information for sources outside of your domain. You add these records to your domain settings. You can use TXT records for various purposes, such as verifying domain ownership or email security (for example DKIM and SPF records).
Impact: With a TXT record, an adversary can change email security definitions or undermine domain ownership verification. Changing a TXT record could disrupt normal network operations.
Mitigation: Validate that the action was authorized and intended; revert the changes and investigate further if not. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS MX Record Added or Updated
This alert detects when an MX record was created or updated. A mail exchange (MX) record is a DNS record type that shows where emails for a domain should be routed to. In other words, an MX record makes it possible to direct emails to a mail server.
Impact: With an MX record, an adversary can disrupt normal email operations or point existing email delivery in the network to an attacker-controlled email server.
Mitigation: Validate that the action was authorized and intended; revert the changes and investigate further if not. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS PTR Record Added or Updated
This alert detects when a PTR record was created or updated. A pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of an A record, which provides the IP address associated with a domain name. DNS PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name to the IP address. A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name.
Impact: With a PTR record, an adversary can change email anti-spam definitions or hinder troubleshooting of email delivery issues. They can also degrade logging of DNS traffic, as PTR records are used to convert IPs to a human-readable domain name format.
Mitigation: Validate that the action was authorized and intended; revert the changes and investigate further if not. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS CNAME Record Added or Updated
This alert detects when a CNAME record was created or updated. CNAME - or, in full, "canonical name" - is a DNS record that points a domain name (an alias) to another domain. In a CNAME record, the alias doesn't point to an IP address; the domain name that the alias points to is the canonical name.
Impact: With a CNAME record, an adversary can create a custom domain or point existing domains to an attacker-controlled host. Changing a CNAME record could also disrupt DNS name resolution and normal network operations.
Mitigation: Validate that the action was authorized and intended; revert the changes and investigate further if not. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - DNS NS Record Added or Updated
This alert detects when an NS record was created or updated. A nameserver (NS) record specifies the authoritative DNS server for a domain. In other words, the NS record helps point to where internet applications like a web browser can find the IP address for a domain name. Usually, multiple nameservers are specified for a domain.
Impact: With an NS record, an adversary can disrupt normal network name resolution or point existing name resolution in the network to an attacker-controlled nameserver.
Mitigation: Validate that the action was authorized and intended; revert the changes and investigate further if not. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
Audit - Certificate Pack Created
This alert is triggered when a new Cloudflare Certificate Pack is created by a user. A certificate pack is a group of SSL/TLS certificates that share the same set of hostnames.
Impact: The risk of a Cloudflare Certificate Pack being created by an attacker is a serious security concern, as it can lead to the issuance of fraudulent SSL/TLS certificates for the target domain. If an adversary gains unauthorized access to Cloudflare's systems or API and creates a malicious certificate pack, they can potentially perform man-in-the-middle (MITM) attacks, intercept encrypted communication, and compromise the confidentiality and integrity of sensitive data transmitted between the users and the web application.
Mitigation: Verify which certificate pack was issued and whether the action was performed by a legitimate user.
MITRE Tactic: TA0040 MITRE Technique: T1199
Audit - A Firewall Rule Created or Updated
This alert detects when a Cloudflare Firewall rule was created or updated.
Impact: The risk of an unauthorized firewall rule being added is a potential security vulnerability that can lead to unintended consequences and potentially expose the web application or infrastructure to new threats. For instance, an attacker can create a new firewall rule that allows or denies traffic to specific IPs or countries in order to bypass security measures, redirect traffic to malicious sites or disable legitimate security rules, thereby compromising the availability, confidentiality, and integrity of the web application or service.
Mitigation: Validate that the action was authorized and revert the changes if not. Ensure the firewall and the network range are scoped properly. Ensure the user who created the rule has the correct privileges to create or modify a firewall rule.
MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 007
Audit - Certificate Pack Expired
This alert is triggered when a Cloudflare Certificate Pack is about to expire or has expired. A certificate pack is a group of SSL/TLS certificates that share the same set of hostnames.
Impact: When an SSL/TLS certificate issued by Cloudflare expires, the browser will display security warnings to users, potentially deterring them from accessing the website due to perceived security risks. This can result in a significant loss of user trust and credibility for the organization.
Mitigation: Make sure to keep your SSL/TLS certificates valid and updated.
MITRE Tactic: TA0040 MITRE Technique: T1199
Audit - Certificate Pack Delete Requested
This alert is triggered when the deletion of a Cloudflare Certificate Pack is requested by a user. A certificate pack is a group of SSL/TLS certificates that share the same set of hostnames.
Impact: The deletion of certificate packs can lead to the unauthorized removal of SSL/TLS certificates for the target domain. If an adversary gains unauthorized access to Cloudflare's systems or API and requests the deletion of critical certificate packs, it can have severe consequences. The impact includes the disruption of encrypted communication between users and the web application, resulting in potential data breaches, loss of trust from users, and reputation damage for the organization.
Mitigation: Verify whether the action was performed by a legitimate user.
MITRE Tactic: TA0040 MITRE Technique: T1199
Audit - Firewall Rule Deleted
This alert will trigger when a Cloudflare Firewall rule is deleted.
Impact: The risk of a Cloudflare firewall rule being deleted is a significant security concern, as it can lead to a loss of critical protection for the web application or infrastructure. If an attacker gains unauthorized access to the Cloudflare dashboard or API and deletes essential firewall rules, it can result in severe consequences. Without the proper protection in place, the web application becomes vulnerable to various attacks.
Mitigation: Validate that the action was authorized and revert the changes if not. Ensure the user who deleted the firewall rule has the correct privileges for the action.
MITRE Tactic: TA0005 MITRE Technique: T1562
Audit - DNS CAA Record Added or Updated
This alert detects when a CAA record was created or updated. CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.
Impact: With a CAA record, an adversary can point existing certificate approval requests to an attacker-controlled CA. Changing a CAA record could also disrupt normal network operations.
Mitigation: Validate that the action was authorized and intended; revert the changes and investigate further if not. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Cloudflare. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.
MITRE Tactic: TA0042 MITRE Technique: T1584
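The two CAA alert entries above (record deleted, record added or updated) describe how CAA gates certificate issuance: no CAA in the chain means any CA may issue, a CAA set means only the CAs it names may issue, and iodef entries say whom to notify. The following added example, which is not Coralogix or Cloudflare code, shows that decision as a small Python evaluator over a constructed zone. It walks up to the closest ancestor that has CAA records (the RFC 8659 lookup), honours a bare ";" value as "nobody may issue", refuses on an unrecognised issuer-critical property, and lets issuewild take precedence for wildcard requests. The zone contents, CA names and reporting address are constructed sample data.

```python
"""Added example (not Coralogix's or Cloudflare's code): how CAA records gate
certificate issuance, as described in the CAA alert entries on this page.

The lookup follows RFC 8659: the record set that governs a name is the name's own
CAA set or, if it has none, the closest ancestor's. No CAA anywhere in the chain
means any CA may issue; a set present means only the CAs it names may issue.
ZONE below is constructed sample data, not a real zone."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain (optionally ";params"), a bare ";" for "no CA", or a reporting URL


# Constructed zone: the apex restricts issuance to one CA and asks to be notified,
# while one subdomain is locked entirely (a bare ";" authorises nobody).
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],
}


def relevant_caa(name, zone):
    """Return (owner, records): the CAA set governing `name`, walking up to parents."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, list(zone[candidate])
    return None, []


def authorised_cas(records, tag):
    """CA domains named by `tag` records; a bare ';' contributes nothing."""
    cas = set()
    for r in records:
        if r.tag == tag:
            ca = r.value.split(";")[0].strip().lower()
            if ca:
                cas.add(ca)
    return cas


def may_issue(ca, name, zone, wildcard=False):
    """Decide whether `ca` may issue for `name`; returns (allowed, reason)."""
    owner, records = relevant_caa(name, zone)
    if not records:
        return True, "no CAA record in the chain: any CA may issue"
    # An issuer-critical property the CA does not understand forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False, f"{owner} carries an unknown issuer-critical property"
    # For wildcard requests, issuewild takes precedence over issue when present.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    allowed = authorised_cas(records, tag)
    if ca.lower() in allowed:
        return True, f"{ca} is named in the {tag} records of {owner}"
    return False, f"{ca} is not in the {tag} set of {owner}: {sorted(allowed) or 'nobody may issue'}"


def report_targets(name, zone):
    """iodef destinations a CA should notify when it declines to issue for `name`."""
    _, records = relevant_caa(name, zone)
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "www.example.com"),
                     ("othercert.example", "www.example.com"),
                     ("letsencrypt.org", "locked.example.com"),
                     ("anyca.example", "unrelated.test")]:
        print(host, ca, may_issue(ca, host, ZONE))
    print("notify:", report_targets("api.example.com", ZONE))
```

Reading the evaluator against the alert text: deleting the apex record moves `www.example.com` from "only letsencrypt.org" to "any CA may issue", which is the exposure the deletion alert is about, and adding a record that names a different CA changes the allowed set without touching the website itself, which is why the added-or-updated alert asks you to confirm the change was intended.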
Audit - DNS A Record Added
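The "Audit - DNS ... Record Added or Updated" and "... Record Deleted" entries above all share one detection shape: watch audit events for DNS record changes, name the alert by record type and action, and then validate that the change was authorised. The following added example, which is not Coralogix or Cloudflare code, runs that logic in Python over constructed audit events. The event layout (an `action.type` of `rec_add`, `rec_set` or `rec_del`, a `resource.type` of `DNS_record`, and `oldValue`/`newValue` record objects) is an assumption modelled on the general shape of Cloudflare account audit logs and must be checked against your own export; the allowlists of expected CAs, mail hosts and nameservers, the actor addresses and the sample events are all constructed. Beyond naming the alert, it flags MX, NS and CAA changes whose new target falls outside the allowlist, which is the first thing the mitigation text asks a reviewer to check.

```python
"""Added example (not Coralogix's or Cloudflare's code): detection logic for the
"Audit - DNS ... Record Added/Updated/Deleted" alerts on this page, run over
constructed audit events.

Assumed (not taken from the page): the event field names below. Check them against
your own Cloudflare audit log export. EXPECTED and SAMPLE_EVENTS are constructed."""
import json

ADDED_OR_UPDATED = {"A", "AAAA", "CNAME", "TXT", "MX", "NS", "PTR", "CAA"}
DELETED = {"CNAME", "CAA"}
MITRE = {"tactic": "TA0042", "technique": "T1584"}  # mapping stated by the alerts

# Constructed allowlist of where trust-bearing records are expected to point.
EXPECTED = {
    "CAA": {"letsencrypt.org"},
    "MX": {"mx1.example.com", "mx2.example.com"},
    "NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
}


def changed_record(event):
    """The record object a change describes: newValue for add/set, oldValue for delete."""
    action = event.get("action", {}).get("type")
    return action, (event.get("oldValue") if action == "rec_del" else event.get("newValue"))


def classify(event):
    """Name the alert this event would raise, or None if it is not a watched DNS change."""
    if event.get("resource", {}).get("type") != "DNS_record":
        return None
    action, record = changed_record(event)
    rtype = (record or {}).get("type")
    if action == "rec_del" and rtype in DELETED:
        return f"Audit - DNS {rtype} Record Deleted"
    if action in ("rec_add", "rec_set") and rtype in ADDED_OR_UPDATED:
        return f"Audit - DNS {rtype} Record Added or Updated"
    return None


def target_of(rtype, content):
    """Normalise record content to the host or CA it delegates to."""
    if rtype == "CAA":          # e.g. 0 issue "letsencrypt.org"
        return content.split()[-1].strip('"').split(";")[0].strip().lower()
    if rtype == "MX":           # e.g. 10 mx1.example.com
        return content.split()[-1].rstrip(".").lower()
    return content.rstrip(".").lower()


def review(events):
    """Findings for watched changes; unexpected_target marks a new value outside EXPECTED."""
    findings = []
    for raw in events:
        ev = json.loads(raw) if isinstance(raw, str) else raw
        alert = classify(ev)
        if alert is None:
            continue
        action, rec = changed_record(ev)
        unexpected = (action != "rec_del" and rec["type"] in EXPECTED
                      and target_of(rec["type"], rec["content"]) not in EXPECTED[rec["type"]])
        findings.append({"alert": alert, "actor": ev.get("actor", {}).get("email"),
                         "name": rec["name"], "type": rec["type"],
                         "unexpected_target": unexpected, **MITRE})
    return findings


# Constructed sample events, not real audit log output.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"action": {"type": "rec_set", "result": True},
     "actor": {"email": "ops@example.com", "ip": "203.0.113.10"},
     "resource": {"type": "DNS_record", "id": "rec-1"},
     "oldValue": {"type": "MX", "name": "example.com", "content": "10 mx1.example.com"},
     "newValue": {"type": "MX", "name": "example.com", "content": "10 mail.unexpected-example.net"}},
    {"action": {"type": "rec_del", "result": True},
     "actor": {"email": "ops@example.com", "ip": "203.0.113.10"},
     "resource": {"type": "DNS_record", "id": "rec-2"},
     "oldValue": {"type": "CAA", "name": "example.com", "content": '0 issue "letsencrypt.org"'},
     "newValue": None},
    {"action": {"type": "rec_add", "result": True},
     "actor": {"email": "dev@example.com", "ip": "203.0.113.11"},
     "resource": {"type": "DNS_record", "id": "rec-3"},
     "oldValue": None,
     "newValue": {"type": "TXT", "name": "_acme-challenge.example.com", "content": "abc123"}},
    {"action": {"type": "rec_add", "result": True},
     "actor": {"email": "dev@example.com", "ip": "203.0.113.11"},
     "resource": {"type": "firewall_rule", "id": "fw-1"},
     "oldValue": None, "newValue": {"description": "rate limit login path"}},
]]

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

The MX change in the sample is the case the MX alert's impact paragraph describes: the record still resolves, so nothing looks broken, but mail now routes to a host outside the expected set, and only a comparison against a known-good list surfaces it.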
WAF - DDoS Attack Detected
Summary: This alert triggers when Cloudflare detects a Layer 7 DDoS (L7 DDoS) attack. Cloudflare's Layer 7 Distributed Denial of Service (L7 DDoS) protection detects and mitigates attacks targeting the application layer of a web application. These attacks aim to overwhelm the application or its infrastructure by flooding it with a high volume of HTTP requests.
Impact: Layer 7 DDoS attacks aim to make web applications unavailable by overwhelming the server with requests. This can lead to significant downtime, affecting the availability of the service to legitimate users.
Mitigation:
- Activate DDoS Mitigation Tools: Use DDoS mitigation tools or services to filter and block malicious traffic.
- Investigate IP Addresses: Investigate the IP addresses triggering the DDoS attack.
- Analyze WAF Logs: Analyze Cloudflare WAF logs for patterns, anomalies, and potential attack signatures.
- Block Offending IPs: Consider temporarily blocking the offending IP addresses if the activity appears malicious.
- Update WAF Rules: Update WAF rules or adjust configurations as needed to address potential vulnerabilities or misconfigurations.
MITRE ATT&CK Framework Tactic: TA0040 Technique: T1498
WAF - Multiple Unknown Actions From Unique IPs
Alert Description: This alert triggers when Cloudflare's Web Application Firewall (WAF) logs multiple distinct "unknown" actions from a single IP address within a short timeframe. Note: Fine-tune the threshold based on your environment's traffic patterns.
Impact: Successful exploitation of an unknown vulnerability or misconfiguration could lead to data breaches, service disruptions, or unauthorized access. Multiple distinct "unknown" actions from the same IP might indicate a higher risk of malicious probing or targeted attacks.
Mitigation: The following actions can be taken to mitigate/troubleshoot this behavior:
* Investigate the affected IP address and the specific types of "unknown" actions triggered.
* Analyze Cloudflare WAF logs for patterns, anomalies, and potential attack signatures.
* Consider temporarily blocking the offending IP if the activity seems malicious.
* Update WAF rules or adjust configurations as needed to address potential vulnerabilities or misconfigurations.
MITRE Tactic and Technique: T1190 (Exploit Public-Facing Application)
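The alert above is a windowed count: distinct "unknown" WAF actions per client IP inside a short timeframe, with a threshold the note says to tune. The following added example, which is not Coralogix or Cloudflare code, implements that logic in Python over constructed firewall-event lines so the threshold and window can be exercised offline. The field names (`Datetime`, `ClientIP`, `Action`, `Source`, `RuleID`) are an assumption modelled on the shape of Cloudflare firewall event logs and should be checked against your own Logpush configuration; "distinct" is taken to mean distinct `Source`/`RuleID` pairs, and the IP addresses and timestamps are constructed.

```python
"""Added example (not Coralogix's or Cloudflare's code): sliding-window detection for
the "WAF - Multiple Unknown Actions From Unique IPs" alert on this page.

Assumed (not taken from the page): the field names Datetime, ClientIP, Action, Source
and RuleID, and that "distinct actions" means distinct Source/RuleID pairs. The sample
lines are constructed, not real log output."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample lines."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_unknown_actions(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: time the threshold was first reached} for IPs that produced
    at least `threshold` distinct "unknown" actions within any span of length `window`.
    Lines may arrive out of order; they are sorted by time before the window is applied."""
    events = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("Action") != "unknown":
            continue
        events.append((parse_ts(ev["Datetime"]), ev["ClientIP"], (ev.get("Source"), ev.get("RuleID"))))
    events.sort(key=lambda e: (e[0], e[1]))
    recent = defaultdict(deque)   # ip -> (timestamp, action key) pairs still inside the window
    hits = {}
    for ts, ip, key in events:
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        q.append((ts, key))
        if ip not in hits and len({k for _, k in q}) >= threshold:
            hits[ip] = ts
    return hits


# Constructed sample lines: .7 trips the rule (three distinct unknown actions in 90 s),
# .8 repeats one action (not distinct), .9 spreads its actions over 20 minutes.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"Datetime": "2024-05-01T10:00:00Z", "ClientIP": "198.51.100.7", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r1"},
    {"Datetime": "2024-05-01T10:00:40Z", "ClientIP": "198.51.100.7", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r2"},
    {"Datetime": "2024-05-01T10:01:10Z", "ClientIP": "198.51.100.7", "Action": "block", "Source": "firewallcustom", "RuleID": "r9"},
    {"Datetime": "2024-05-01T10:01:30Z", "ClientIP": "198.51.100.7", "Action": "unknown", "Source": "firewallcustom", "RuleID": "r3"},
    {"Datetime": "2024-05-01T10:00:05Z", "ClientIP": "198.51.100.8", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r1"},
    {"Datetime": "2024-05-01T10:00:15Z", "ClientIP": "198.51.100.8", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r1"},
    {"Datetime": "2024-05-01T10:00:25Z", "ClientIP": "198.51.100.8", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r1"},
    {"Datetime": "2024-05-01T10:00:00Z", "ClientIP": "198.51.100.9", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r1"},
    {"Datetime": "2024-05-01T10:10:00Z", "ClientIP": "198.51.100.9", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r2"},
    {"Datetime": "2024-05-01T10:20:00Z", "ClientIP": "198.51.100.9", "Action": "unknown", "Source": "firewallmanaged", "RuleID": "r3"},
]]

if __name__ == "__main__":
    for ip, when in detect_unknown_actions(SAMPLE_LINES).items():
        print(f"{ip}: threshold reached at {when.isoformat()}")
```

Tuning works as the note suggests: lowering `threshold` to 1 turns every IP with any "unknown" action into a finding, and widening `window` lets slow, spaced-out activity such as the third sample IP accumulate, so the two knobs should be set from the baseline rate of "unknown" actions in your own traffic.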
Integration
Learn more about Coralogix's out-of-the-box integration with Cloudflare in our documentation.