diff --git a/public/_redirects b/public/_redirects index f7d12fde3948e1d..5a86f9a0a28f330 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1341,6 +1341,9 @@ /waf/tools/scrape-shield/server-side-excludes/ /waf/tools/scrape-shield/ 301 /waf/rate-limiting-rules/create-account-dashboard/ /waf/account/rate-limiting-rulesets/create-dashboard/ 301 /waf/managed-rules/deploy-account-dashboard/ /waf/account/managed-rulesets/deploy-dashboard/ 301 +/waf/analytics/security-events/free-plan/ /waf/analytics/security-events/ 301 +/waf/analytics/security-events/paid-plans/ /waf/analytics/security-events/ 301 +/waf/analytics/security-events/additional-information/ /waf/tools/validation-checks/ 301 # waiting-room /waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301 diff --git a/src/assets/images/waf/events-activity-log.png b/src/assets/images/waf/events-activity-log.png deleted file mode 100644 index c4e1a39694aec01..000000000000000 Binary files a/src/assets/images/waf/events-activity-log.png and /dev/null differ diff --git a/src/assets/images/waf/events-add-filter-free.png b/src/assets/images/waf/events-add-filter-free.png deleted file mode 100644 index c65c83d09f2ad54..000000000000000 Binary files a/src/assets/images/waf/events-add-filter-free.png and /dev/null differ diff --git a/src/assets/images/waf/events-add-filter.png b/src/assets/images/waf/events-add-filter.png index 6c47951a2baf40d..9e5af6760d53cfa 100644 Binary files a/src/assets/images/waf/events-add-filter.png and b/src/assets/images/waf/events-add-filter.png differ diff --git a/src/assets/images/waf/events-sampled-logs.png b/src/assets/images/waf/events-sampled-logs.png new file mode 100644 index 000000000000000..8d7df7559a9a6fc Binary files /dev/null and b/src/assets/images/waf/events-sampled-logs.png differ diff --git a/src/content/docs/ddos-protection/reference/analytics.mdx b/src/content/docs/ddos-protection/reference/analytics.mdx index efae78fccce355d..09fd5df48a9247c 100644 
--- a/src/content/docs/ddos-protection/reference/analytics.mdx +++ b/src/content/docs/ddos-protection/reference/analytics.mdx @@ -6,26 +6,21 @@ sidebar: head: - tag: title content: DDoS analytics - --- You can view DDoS analytics in different dashboards, depending on your service and plan: -- The [Security Events dashboard](/waf/analytics/security-events/) provides you with visibility into L7 security events that target your zone, including HTTP DDoS attacks and TCP attacks. The dashboard displays mitigations of HTTP DDoS attacks as HTTP DDoS events. These events are also available via [Cloudflare Logs](/logs/). +- The [Security Events dashboard](/waf/analytics/security-events/) provides you with visibility into L7 security events that target your zone, including HTTP DDoS attacks and TCP attacks. The dashboard displays mitigations of HTTP DDoS attacks as HTTP DDoS events. These events are also available via [Cloudflare Logs](/logs/). - The [Network Analytics dashboard](/analytics/network-analytics/) provides you with visibility into L3/4 traffic and DDoS attacks that target your IP ranges or Spectrum applications. ## Availability - - -| Service | Free | Pro | Business | Enterprise | -| ------------- | ----------------- | --------------- | --------------- | ----------------- | -| WAF/CDN | Activity log only | Security Events | Security Events | Security Events | -| Spectrum/BYOIP | – | – | – | Network Analytics | -| Magic Transit | – | – | – | Network Analytics | - - +| Service | Free | Pro | Business | Enterprise | +| -------------- | ----------------- | --------------- | --------------- | ----------------- | +| WAF/CDN | Sampled logs only | Security Events | Security Events | Security Events | +| Spectrum/BYOIP | – | – | – | Network Analytics | +| Magic Transit | – | – | – | Network Analytics | ## Remarks 
diff --git a/src/content/docs/fundamentals/reference/cloudflare-ray-id.mdx b/src/content/docs/fundamentals/reference/cloudflare-ray-id.mdx index c513f61574d7f1d..f5ab9ada5b9d12a 100644 --- a/src/content/docs/fundamentals/reference/cloudflare-ray-id.mdx +++ b/src/content/docs/fundamentals/reference/cloudflare-ray-id.mdx @@ -8,7 +8,6 @@ A **Cloudflare Ray ID** is an identifier given to every request that goes throug Ray IDs are particularly useful when evaluating Security Events for patterns or false positives or more generally understanding your application traffic. :::caution - Ray IDs are not guaranteed to be unique for every request. In some situations, different requests may have the same Ray ID. ::: 
@@ -16,13 +15,13 @@ Ray IDs are not guaranteed to be unique for every request. In some situations, d ### Security events -All customers can view Ray IDs and associated information — IP address, user agent, ASN, etc. — by looking through the [Activity Log](/waf/analytics/security-events/) in Security Events. +All customers can view Ray IDs and associated information — IP address, user agent, ASN, etc. — by looking through [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events. -![Example list of events in the Activity log, with one of the events expanded to show its details](~/assets/images/waf/events-activity-log.png) +![Example list of events in sampled logs, with one of the events expanded to show its details](~/assets/images/waf/events-sampled-logs.png) -Additionally, you can [add filters](/waf/analytics/security-events/paid-plans/#adjusting-displayed-data) to look for specific Ray IDs. +Additionally, you can [add filters](/waf/analytics/security-events/#adjust-displayed-data) to look for specific Ray IDs. -![Example of adding a new filter in Security Events for the Allow action](~/assets/images/waf/events-add-filter-free.png) +![Example of adding a new filter in Security Events for the Block action](~/assets/images/waf/events-add-filter.png) Please note that Security Events may use sampled data to improve performance. If sampled data is applied to your search, you might not see all events, and filters might not return the expected results. To display more events, select a smaller timeframe. diff --git a/src/content/docs/support/troubleshooting/http-status-codes/4xx-client-error.mdx b/src/content/docs/support/troubleshooting/http-status-codes/4xx-client-error.mdx index dc3bcbaeda43a06..547686a3fa315a2 100644 --- a/src/content/docs/support/troubleshooting/http-status-codes/4xx-client-error.mdx +++ b/src/content/docs/support/troubleshooting/http-status-codes/4xx-client-error.mdx 
@@ -71,7 +71,7 @@ Cloudflare may serve `403` responses in the following scenarios: - [DDoS Protection](/ddos-protection/), which is enabled by default on zones onboarded to Cloudflare, IP applications onboarded to Spectrum, and IP Prefixes onboarded to Magic Transit. - Most [1xxx Cloudflare error codes](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/). - The [Browser Integrity Check](/waf/tools/browser-integrity-check/). - - [Validation Checks](/waf/analytics/security-events/additional-information/). + - [Validation Checks](/waf/tools/validation-checks/). Cloudflare may also serve an unstyled `403` error page in specific cases. These errors are not logged because they occur early in Cloudflare's infrastructure, before domain configuration is loaded. An example is: diff --git a/src/content/docs/waf/analytics/security-events.mdx b/src/content/docs/waf/analytics/security-events.mdx new file mode 100644 index 000000000000000..6ab05308f69c89d --- /dev/null +++ b/src/content/docs/waf/analytics/security-events.mdx 
@@ -0,0 +1,146 @@ +--- +title: Security Events +pcx_content_type: concept +sidebar: + order: 2 +--- + +import { FeatureTable, GlossaryTooltip } from "~/components"; + +Security Events allows you to review mitigated requests and helps you tailor your security configurations. + +The main elements of the dashboard are the following: + +- [Events summary](#events-summary): Provides the number of security events on traffic during the selected time period, grouped according to the selected dimension (for example, Action, Host, Country). +- [Events by service](#events-by-service): Lists the security-related activity per security feature (for example, WAF, API Shield). +- [Top events by source](#top-events-by-source): Provides details of the traffic flagged or actioned by a Cloudflare security feature (for example, IP addresses, User Agents, Paths, Countries, Hosts, ASNs). +- [Sampled logs](#sampled-logs): Summarizes security events by date to show the action taken and the applied Cloudflare security product. + +Security Events displays information about requests actioned or flagged by Cloudflare security products, including features such as [Browser Integrity Check](/waf/tools/browser-integrity-check/). Each incoming HTTP request might generate one or more security events. The Security Events dashboard only shows these events, not the HTTP requests themselves. + +## Availability + +Available features vary according to your Cloudflare plan: + + + +## Location in the dashboard + +Security Events is available for your zone in **Security** > **Events**. + +Additionally, Enterprise customers have access to the account-level dashboard in Account Home > **Security Center** > **Security Events**. + +## Adjust displayed data + +You can apply multiple filters and exclusions to narrow the scope of Security Events and adjust the report duration. 
Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page including **Sampled logs** and all graphs. + +![Example of adding a new filter in Security Events for the Block action](~/assets/images/waf/events-add-filter.png) + +### Add filters + +You can adjust the scope of analytics by manually entering filter conditions. Alternatively, select **Filter** or **Exclude** to filter by a field value. These buttons appear when you hover the analytics data legend. + +To manually add a filter: + +1. Select **Add filter**. +2. Select a field, an operator, and a value. For example, to filter events by IP address, select _IP_ for **Action**, select _equals_ for the operator, and enter the IP address. +3. Select **Apply**. + +Take the following into account when entering filter values: + +- Do not add quotes around values. +- Do not enter the `AS` prefix when entering ASN numbers. For example, enter `1423` instead of `AS1423`. +- Wildcards are not supported. + +### Adjust report duration + +To adjust report duration, select the desired duration from the dropdown in **Security Events**. The default value is `Previous 24 hours`. + +The available report duration values depend on your Cloudflare plan. Refer to [Availability](#availability) for details. + +## Create custom rule from current filters + +To create a [custom rule](/waf/custom-rules/create-dashboard/) based on your current filters and exclusions, select **Create custom rule** in **Security Events**. + +## Events summary + +The **Events summary** section provides the number of security events on traffic during the selected time period, grouped according to the selected dimension (for example, **Action**, **Host**, **Country**, or **ASN**). 
+ +![Filter by action by selecting Filter when hovering the desired action in Events summary](~/assets/images/waf/events-summary.png) + +You can adjust the displayed data according to one of the values by selecting **Filter** or **Exclude** when hovering the legend. + +## Events by service + +The **Events by service** section lists the activity per Cloudflare security feature (for example, **Managed rules** or **API Shield**). + +You can adjust the scope of Security Events to one of the displayed services by selecting **Filter** or **Exclude** when hovering the legend or by selecting the corresponding graph bar. + +## Top events by source + +In **Top events by source** you can find details of the traffic flagged or actioned by a security feature — for example, **IP Addresses**, **User Agents**, **Paths**, and **Countries**. + +You can adjust the scope of Security Events to one of the listed source values by selecting **Filter** or **Exclude** when hovering the value. + +:::note +A deleted custom/firewall rule or rate limiting rule will show as `Rule unavailable` under **Firewall rules** or **Rate limit rules**. To check the changes made within your Cloudflare account, review your [Audit logs](/fundamentals/setup/account/account-security/review-audit-logs/). +::: + +## Sampled logs + +**Sampled logs** summarizes security events by date to show the action taken and the applied Cloudflare security feature. + +![Example list of events in Sampled logs, with one of the events expanded to show its details](~/assets/images/waf/events-sampled-logs.png) + +Security events are shown by individual event rather than by request. For example, if a single request triggers three different security features, the security events will show three individual events in **Sampled logs**. + +Expand each event to check its details, and define filters and exclusions based on the event's field values. 
Select the **Filter** or **Exclude** button when hovering a field to add the field value to the filters or exclusions list of the displayed analytics. To download the event data in JSON format, select **Export event JSON**. + +### Displayed columns + +To configure the columns displayed in **Sampled logs**, select **Edit columns**. This gives you flexibility depending on the type of analysis that you need to perform. + +For example, if you are diagnosing a bot-related issue, you may want to display the **User agent** and the **Country** columns. On the other hand, if you are trying to identify a DDoS attack, you may want to display the **IP address**, **ASN**, and **Path** columns. + +### Event actions + +For details on most actions that appear in **Sampled logs**, refer to [Actions](/ruleset-engine/rules-language/actions/). + +Besides the actions you can select when configuring rules in Cloudflare security products, you may also find events with the following associated actions: + +- _Connection Close_ +- _Force Connection Close_ + +For details on these actions, refer to [HTTP DDoS Attack Protection parameters](/ddos-protection/managed-rulesets/http/override-parameters/#action). + +The [_Managed Challenge (Recommended)_](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) action that may appear in **Sampled logs** is available in the following security features and products: WAF custom rules, rate limiting rules, Bot Fight Mode, IP Access rules, User Agent Blocking rules, and firewall rules (deprecated). + +### Export event log data + +You can export a set of up to 500 raw events from **Sampled logs** in JSON format. Export event data to combine and analyze Cloudflare data with your own stored in a separate system or database, such as a SIEM system. The data you export will reflect any filters you have applied. + +To export the displayed events (up to 500), select **Export** in **Sampled logs**. 
+ +## Share Security Events filters + +When you add a filter and specify a report duration (time window) in Security Events, the Cloudflare dashboard URL changes to reflect the parameters you configured. You can share that URL with other users so that they can analyze the same information that you see. + +For example, after adding a filter for `Action equals Managed Challenge` and setting the report duration to 72 hours, the URL should look like the following: + +`https://dash.cloudflare.com/{account_id}/example.net/security/events?action=managed_challenge&time-window=4320` + +## Print or download PDF report + +To print or download a snapshot report from your security events dashboard, select **Print report** in **Security Events**. Your web browser's printing interface will present you with options for printing or downloading the PDF report. + +The generated report will reflect all applied filters. + +## Known limitations + +Security Events currently has these limitations: + +- Security Events may use sampled data to improve performance. If your search uses sampled data, Security Events might not display all events and filters might not return the expected results. To display more events, select a smaller time frame. + +- The Cloudflare dashboard may show an inaccurate number of events per page. Data queries are highly optimized, but this means that pagination may not always work because the source data may have been sampled. The GraphQL Analytics API does not have this pagination issue. + +- Triggered OWASP rules appear in the Security Events page under **Additional logs**, but they are not included in exported JSON files. diff --git a/src/content/docs/waf/analytics/security-events/free-plan.mdx b/src/content/docs/waf/analytics/security-events/free-plan.mdx deleted file mode 100644 index a40a6b21357916a..000000000000000 --- a/src/content/docs/waf/analytics/security-events/free-plan.mdx +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -pcx_content_type: reference -title: Free plan -sidebar: - order: 2 -head: - - tag: title - content: Security Events — Free plan - ---- - -import { Render } from "~/components" - -Security Events is available for your zone in **Security** > **Events**. - -## Adjusting displayed data - -You can apply multiple filters and exclusions to narrow the scope of Security Events and adjust the report duration. Modifying the duration, filters, or exclusions affects the analytics data displayed in the **Activity Log**. - -![Example of adding a new filter in Security Events for the Allow action](~/assets/images/waf/events-add-filter-free.png) - - - -## Create custom rule from current filters - - - -## Activity log - - - -## Share Security Events filters - - diff --git a/src/content/docs/waf/analytics/security-events/index.mdx b/src/content/docs/waf/analytics/security-events/index.mdx deleted file mode 100644 index befe07549fa5255..000000000000000 --- a/src/content/docs/waf/analytics/security-events/index.mdx +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -title: Security Events -pcx_content_type: concept -sidebar: - order: 2 - ---- - -import { FeatureTable, GlossaryTooltip } from "~/components" - -Security Events allows you to review mitigated requests and helps you tailor your security configurations. - -Users on a Free plan can view summarized security events by date in the **Activity log**. Customers on paid plans have access to additional graphs and dashboards that summarize the most relevant information about the current behavior of Cloudflare's security features on your zone. - -## Main features - -* **Events summary**: Provides the number of security events on traffic during the selected time period, grouped according to the selected dimension (for example, Action, Host, Country). -* **Events by service**: Lists the security-related activity per security feature (for example, WAF, API Shield). -* **Top events by source**: Provides details of the traffic flagged or actioned by a Cloudflare security feature (for example, IP addresses, User Agents, Paths, Countries, Hosts, ASNs). -* **Activity log**: Summarizes security events by date to show the action taken and the applied Cloudflare security product. - -Security Events displays information about requests actioned or flagged by Cloudflare security products, including features such as [Browser Integrity Check](/waf/tools/browser-integrity-check/). Each incoming HTTP request might generate one or more security events. The Security Events dashboard only shows these events, not the HTTP requests themselves. - -## Availability - -The available features vary according to your Cloudflare plan: - - - -## Known limitations - -Security Events currently has these limitations: - -* Security Events may use sampled data to improve performance. If your search uses sampled data, Security Events might not display all events and filters might not return the expected results. To display more events, select a smaller time frame. 
- -* The Cloudflare dashboard may show an inaccurate number of events per page. Data queries are highly optimized, but this means that pagination may not always work because the source data may have been sampled. The GraphQL Analytics API does not have this pagination issue. - -* Triggered OWASP rules appear in the Security Events page under **Additional logs**, but they are not included in exported JSON files. diff --git a/src/content/docs/waf/analytics/security-events/paid-plans.mdx b/src/content/docs/waf/analytics/security-events/paid-plans.mdx deleted file mode 100644 index f4678a7a1e95faf..000000000000000 --- a/src/content/docs/waf/analytics/security-events/paid-plans.mdx +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -pcx_content_type: reference -title: Paid plans -sidebar: - order: 3 -head: - - tag: title - content: Security Events — Paid plans - ---- - -import { Render } from "~/components" - -Security Events is available for your zone in **Security** > **Events**. - -Additionally, Enterprise customers have access to the account-level dashboard in Account Home > **Security Center** > **Security Events**. - -## Adjusting displayed data - -You can apply multiple filters and exclusions to narrow the scope of Security Events and adjust the report duration. Modifying the duration, filters, or exclusions affects the analytics data displayed on the entire page including the **Activity Log** and all graphs. - -![Example of adding a new filter in Security Events for the Allow action](~/assets/images/waf/events-add-filter.png) - - - -## Create custom rule from current filters - - - -## Events summary - -The **Events summary** section provides the number of security events on traffic during the selected time period, grouped according to the selected dimension (for example, **Action**, **Host**, **Country**, or **ASN**). - -![Filter by action by selecting Filter when hovering the desired action in Events summary](~/assets/images/waf/events-summary.png) - -You can adjust the displayed data according to one of the values by selecting **Filter** or **Exclude** when hovering the legend. - -## Events by service - -The **Events by service** section lists the activity per Cloudflare security feature (for example, **Managed rules** or **API Shield**). - -You can adjust the scope of Security Events to one of the displayed services by selecting **Filter** or **Exclude** when hovering the legend or by selecting the corresponding graph bar. - -## Top events by source - -In **Top events by source** you can find details of the traffic flagged or actioned by a security feature — for example, **IP Addresses**, **User Agents**, **Paths**, and **Countries**. 
- -You can adjust the scope of Security Events to one of the listed source values by selecting **Filter** or **Exclude** when hovering the value. - -:::note - - -A deleted custom/firewall rule or rate limiting rule will show as `Rule unavailable` under **Firewall rules** or **Rate limit rules**. To check the changes made within your Cloudflare account, review your [Audit logs](/fundamentals/setup/account/account-security/review-audit-logs/). - - -::: - -## Activity log - - - - - -## Share Security Events filters - - - -## Print or download PDF report - -To print or download a snapshot report from your security events dashboard, select **Print report** in **Security Events**. Your web browser's printing interface will present you with options for printing or downloading the PDF report. - -The generated report will reflect all applied filters. diff --git a/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx b/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx index 198b511a9be7ac5..44c76ecabe8e7b3 100644 --- a/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx +++ b/src/content/docs/waf/custom-rules/use-cases/configure-token-authentication.mdx @@ -175,7 +175,7 @@ The authentication token parameter (`verify=` in the example) must be the If you are on an Enterprise plan, you can test if URLs are being generated correctly on the origin server by doing the following: 1. Set the WAF custom rule action to _Log_. -2. Check the activity log in **Security** > **Events**. +2. Check the sampled logs in **Security** > **Events**. --- diff --git a/src/content/docs/waf/index.mdx b/src/content/docs/waf/index.mdx index 1eca6a8ccc2ebc9..8d38525a50008a5 100644 --- a/src/content/docs/waf/index.mdx +++ b/src/content/docs/waf/index.mdx 
@@ -63,7 +63,7 @@ Learn how to [get started](/waf/get-started/). cta="Explore Security Events" > Review mitigated requests (rule matches) using an intuitive interface. Tailor - your security configurations based on the activity log. + your security configurations based on sampled logs. **Events** tab), filtering by a specific Rule ID. For more information on filtering security events, refer to [Adjusting displayed data](/waf/analytics/security-events/paid-plans/#adjusting-displayed-data). +Check for exposed credentials events in the Security Events dashboard, filtering by a specific rule ID. For more information on filtering events, refer to [Adjust displayed data](/waf/analytics/security-events/#adjust-displayed-data). diff --git a/src/content/docs/waf/managed-rules/payload-logging/view.mdx b/src/content/docs/waf/managed-rules/payload-logging/view.mdx index 80c43d91fcad6a9..b28bf9b91325b47 100644 --- a/src/content/docs/waf/managed-rules/payload-logging/view.mdx +++ b/src/content/docs/waf/managed-rules/payload-logging/view.mdx @@ -9,7 +9,7 @@ View the content of the matched rule payload in the dashboard by entering your p 1. Open **Security** > **Events**. -2. Under **Activity log**, expand the details of an event triggered by a rule whose managed ruleset has payload logging enabled. +2. Under **Sampled logs**, expand the details of an event triggered by a rule whose managed ruleset has payload logging enabled. 3. Under **Payload match**, select **Decrypt payload log**. diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index 8f88aaf927a201d..ce820e6a9a56436 100644 --- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx 
@@ -26,7 +26,7 @@ Additionally, this managed ruleset also includes generic rules for other common - Check credentials sent as JSON with `email` and `password` keys - Check credentials sent as JSON with `username` and `password` keys -The default action for the rules in managed ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API and in [Security Events](/waf/analytics/security-events/paid-plans/#activity-log)). +The default action for the rules in managed ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API and in [Security Events](/waf/analytics/security-events/#sampled-logs)). The managed ruleset also contains a rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials. diff --git a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx index da87c0ada2af06d..1cba1239340438a 100644 --- a/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx +++ b/src/content/docs/waf/managed-rules/reference/owasp-core-ruleset/example.mdx 
@@ -34,8 +34,8 @@ Final request threat score: `26` Since `26` >= `25` — that is, the threat score is greater than the configured score threshold — the WAF will apply the configured action (_Managed Challenge_). If you had configured a score threshold of _Medium - 40 and higher_, the WAF would not apply the action, since the request threat score would be lower than the score threshold (`26` < `40`). -The [**Activity log** in Security Events](/waf/analytics/security-events/paid-plans/#activity-log) would display the following details for the example incoming request handled by the OWASP Core Ruleset: +[**Sampled logs** in Security Events](/waf/analytics/security-events/#sampled-logs) would display the following details for the example incoming request handled by the OWASP Core Ruleset: ![Event log for example incoming request mitigated by the WAF's OWASP Core Ruleset](~/assets/images/waf/owasp-example-event-log.png) -In the activity log, the rule associated with requests mitigated by the Cloudflare OWASP Core Ruleset is the last rule in this managed ruleset: `949110: Inbound Anomaly Score Exceeded`, with rule ID . To get the scores of individual rules contributing to the final request threat score, expand **Additional logs** in the event details. +In sampled logs, the rule associated with requests mitigated by the Cloudflare OWASP Core Ruleset is the last rule in this managed ruleset: `949110: Inbound Anomaly Score Exceeded`, with rule ID . To get the scores of individual rules contributing to the final request threat score, expand **Additional logs** in the event details. diff --git a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx index f2dba1cb5855d07..bc87860df9aab13 100644 --- a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx +++ b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/index.mdx 
@@ -14,10 +14,10 @@ Managed rules, a feature of Cloudflare WAF (Web Application Firewall), identifie * This page contains documentation about the previous implementation of WAF Managed Rules. For more information on the new version, refer to [WAF Managed Rules](/waf/managed-rules/). * All customers with access to the previous version of WAF managed rules can [migrate to the new version](/waf/reference/migration-guides/waf-managed-rules-migration/). -* The new WAF Managed Rules provide the [Cloudflare Free Managed Ruleset](/waf/managed-rules/) to all customers, including customers on a Free plan. Refer to the [announcement blog post](https://blog.cloudflare.com/waf-for-everyone/) for details. +* The new WAF Managed Rules provide the [Cloudflare Free Managed Ruleset](/waf/managed-rules/) to all customers, including customers on a Free plan. Refer to the [announcement blog post](https://blog.cloudflare.com/waf-for-everyone/) for details. ::: -Examples of [malicious content](https://www.cloudflare.com/learning/security/what-is-web-application-security/) that managed rules identify include:  +Examples of [malicious content](https://www.cloudflare.com/learning/security/what-is-web-application-security/) that managed rules identify include: * Common keywords used in comment spam (`XX`, `Rolex`, `Viagra`, etc.) * Cross-site scripting attacks (XSS) 
@@ -25,13 +25,13 @@ Examples of [malicious content](https://www.cloudflare.com/learning/security/wha WAF managed rules (previous version) are available to Pro, Business, and Enterprise plans for any [subdomains proxied to Cloudflare](/dns/proxy-status/). Control managed rules settings in **Security** > **WAF** > **Managed rules**.  -Managed rules includes three packages:  +Managed rules includes three packages: -* [Cloudflare Managed Ruleset ](#cloudflare-managed-ruleset) +* [Cloudflare Managed Ruleset](#cloudflare-managed-ruleset) * [OWASP ModSecurity Core Rule Set](#owasp-modsecurity-core-rule-set) -* Customer requested rules  +* Customer requested rules -You can use the activity log in the [Security Events](/waf/analytics/security-events/) dashboard, available at **Security** > **Events**, to review threats blocked by WAF managed rules. +You can use the sampled logs in the [Security Events](/waf/analytics/security-events/) dashboard, available at **Security** > **Events**, to review threats blocked by WAF managed rules. *** 
@@ -39,20 +39,20 @@ You can use the activity log in the [Security Events](/waf/analytics/security-ev The Cloudflare Managed Ruleset contains security rules written and curated by Cloudflare. Select a ruleset name under **Group** to reveal the rule descriptions. -**Cloudflare Specials** is a group that provides core firewall security against [common attacks](https://www.cloudflare.com/learning/security/what-is-web-application-security/).    +**Cloudflare Specials** is a group that provides core firewall security against [common attacks](https://www.cloudflare.com/learning/security/what-is-web-application-security/). :::note -Cloudflare recommends that you always leave **Cloudflare Specials** enabled. Additionally, only enable rule groups that correspond to your technology stack. For example, if you use WordPress, enable the **Cloudflare WordPress** group. +Cloudflare recommends that you always leave **Cloudflare Specials** enabled. Additionally, only enable rule groups that correspond to your technology stack. For example, if you use WordPress, enable the **Cloudflare WordPress** group. ::: When viewing a ruleset, Cloudflare shows default actions for each rule listed under **Default mode**. The **Mode** available for individual rules within a specific **Cloudflare Managed Ruleset** are: * **Default**: Takes the default action listed under **Default mode** when viewing a specific rule. * **Disable**: Turns off the specific rule within the group. -* **Block**: Discards the request.  +* **Block**: Discards the request. * **Interactive Challenge**: The visitor receives a challenge page that requires interaction. -* **Simulate**: The request is allowed through but is logged in the [**Activity log**](/waf/analytics/security-events/paid-plans/#activity-log). +* **Simulate**: The request is allowed through but is logged in [sampled logs](/waf/analytics/security-events/#sampled-logs). 
Cloudflare’s [WAF changelog](/waf/change-log/) allows customers to monitor ongoing changes to the Cloudflare Managed Ruleset. @@ -66,7 +66,7 @@ After OWASP evaluates a request, Cloudflare compares the final score to the **Se * **Block**: The request is discarded. * **Challenge**: The visitor receives an interactive challenge page. -* **Simulate**: The request is allowed through but is logged in the [**Activity log**](/waf/analytics/security-events/paid-plans/#activity-log). +* **Simulate**: The request is allowed through but is logged in [sampled logs](/waf/analytics/security-events/#sampled-logs). The sensitivity score required to trigger the WAF for a specific **Sensitivity** is as follows: 
@@ -80,18 +80,18 @@ For AJAX requests, the following scores are applied instead: * **Medium**: 80 and higher * **High**: 65 and higher -Review the [Activity log](/waf/analytics/security-events/paid-plans/#activity-log) for the final score and for the individual triggered rules. +Review the entry in [sampled logs](/waf/analytics/security-events/#sampled-logs) for the final score and for the individual triggered rules. ### Control the OWASP package -The OWASP ModSecurity Core Rule Set package contains several rules from the [OWASP project](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project). Cloudflare does not write or curate OWASP rules. Unlike the Cloudflare Managed Ruleset, specific OWASP rules are either turned *On* or *Off.* +The OWASP ModSecurity Core Rule Set package contains several rules from the [OWASP project](https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project). Cloudflare does not write or curate OWASP rules. Unlike the Cloudflare Managed Ruleset, specific OWASP rules are either turned *On* or *Off.* To manage OWASP thresholds, set the **Sensitivity** to *Low*, *Medium*, or *High* under **Package: OWASP ModSecurity Core Rule Set**. -Setting the **Sensitivity** to *Off* will disable the entire OWASP package including all its rules. Determining the appropriate **Sensitivity** depends on your business industry and operations. For instance, a *Low* setting is appropriate for: +Setting the **Sensitivity** to *Off* will disable the entire OWASP package including all its rules. Determining the appropriate **Sensitivity** depends on your business industry and operations. For instance, a *Low* setting is appropriate for: * Certain business industries more likely to trigger the WAF. -* Large file uploads.  +* Large file uploads. With a high sensitivity, large file uploads will trigger the WAF. 
@@ -99,19 +99,18 @@ Cloudflare recommends initially setting the sensitivity to *Low* and reviewing f :::note -The Activity log displays rule ID `981176` when a request is blocked by OWASP. Also, some OWASP rules listed in the -Activity log do not appear in the OWASP list of rules because disabling those rules is not recommended. +Sampled logs displays rule ID `981176` when a request is blocked by OWASP. Also, some OWASP rules listed in Sampled logs do not appear in the OWASP list of rules because disabling those rules is not recommended. ::: *** ## Important remarks -* Managed rules introduce a limited amount of latency.  +* Managed rules introduce a limited amount of latency. * Changes to WAF managed rules take about 30 seconds to update globally. -* Cloudflare uses proprietary rules to filter traffic.  +* Cloudflare uses proprietary rules to filter traffic. * Established Websockets do not trigger managed rules for subsequent requests. diff --git a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/troubleshooting.mdx b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/troubleshooting.mdx index d38ab7289c3bdb8..c2215a6bcf3f5ea 100644 --- a/src/content/docs/waf/reference/legacy/old-waf-managed-rules/troubleshooting.mdx +++ b/src/content/docs/waf/reference/legacy/old-waf-managed-rules/troubleshooting.mdx @@ -7,7 +7,6 @@ sidebar: head: - tag: title content: Troubleshoot WAF managed rules (previous version) - --- By default, WAF managed rules are fully managed via the Cloudflare dashboard and are compatible with most websites and web applications. However, false positives and false negatives may occur: 
@@ -19,11 +18,11 @@ By default, WAF managed rules are fully managed via the Cloudflare dashboard and The definition of suspicious content is subjective for each website. For example, PHP code posted to your website is normally suspicious. However, your website may be teaching how to code and it may require PHP code submissions from visitors. In this situation, you should disable related managed rules for this website, since they would interfere with normal website operation. -To test for false positives, set WAF managed rules to *Simulate* mode. This mode allows you to record the response to possible attacks without challenging or blocking incoming requests. Also, use the Firewall Analytics [**Activity log**](/waf/analytics/security-events/paid-plans/#activity-log) to determine which managed rules caused false positives. +To test for false positives, set WAF managed rules to *Simulate* mode. This mode allows you to record the response to possible attacks without challenging or blocking incoming requests. Also, review the Security Events' [sampled logs](/waf/analytics/security-events/#sampled-logs) to determine which managed rules caused false positives. If you find a false positive, there are several potential resolutions: -* **Add the client’s IP addresses to the [IP Access Rules](/waf/tools/ip-access-rules/) allowlist:** If the browser or client visits from the same IP addresses, allowing is recommended.  +* **Add the client’s IP addresses to the [IP Access Rules](/waf/tools/ip-access-rules/) allowlist:** If the browser or client visits from the same IP addresses, allowing is recommended. * **Disable the corresponding managed rule(s)**: Stops blocking or challenging false positives, but reduces overall site security. A request blocked by Rule ID `981176` refers to OWASP rules. Decrease OWASP sensitivity to resolve the issue. 
* **Bypass WAF managed rules with a firewall rule (deprecated):** [Create a firewall rule](/firewall/cf-dashboard/create-edit-delete-rules/#create-a-firewall-rule) with the *Bypass* action to deactivate WAF managed rules for a specific combination of parameters. For example, [bypass managed rules](/firewall/cf-firewall-rules/actions/) for a specific URL and a specific IP address or user agent. * **(Not recommended) Disable WAF managed rules for traffic to a URL:** Lowers security on the particular URL endpoint. Configured via [Page Rules](/rules/page-rules/). @@ -43,12 +42,12 @@ To identify false negatives, review the HTTP logs on your origin web server. To * Not all managed rules are enabled by default, so review individual managed rule default actions. - * For example, Cloudflare allows requests with empty user agents by default. To block requests with an empty user agent, change the rule **Mode** to *Block*. + * For example, Cloudflare allows requests with empty user agents by default. To block requests with an empty user agent, change the rule **Mode** to *Block*. * Another example: if you are looking to block unmitigated SQL injection attacks, make sure the relevant SQLi rules are enabled and set to *Block* under the **Cloudflare Specials** group. * Are DNS records that serve HTTP traffic proxied through Cloudflare? -* Is a firewall rule [bypassing](/firewall/cf-firewall-rules/actions/#supported-actions) managed rules?  +* Is a firewall rule [bypassing](/firewall/cf-firewall-rules/actions/#supported-actions) managed rules? * Does an allowed country, ASN, IP range, or IP address in [IP Access rules](/waf/tools/ip-access-rules/) or [firewall rules](/firewall/cf-firewall-rules/) match the attack traffic? diff --git a/src/content/docs/waf/reference/migration-guides/waf-managed-rules-migration.mdx b/src/content/docs/waf/reference/migration-guides/waf-managed-rules-migration.mdx index 3048c676166397e..51225a0700d593c 100644 
--- a/src/content/docs/waf/reference/migration-guides/waf-managed-rules-migration.mdx +++ b/src/content/docs/waf/reference/migration-guides/waf-managed-rules-migration.mdx @@ -308,7 +308,7 @@ The returned configuration in the example above, which would match the existing }' ``` - After invoking this API endpoint, both WAF managed rules and WAF Managed Rules will be enabled. Check the [Activity log](/waf/analytics/security-events/paid-plans/#activity-log) in Security Events for any legitimate traffic getting blocked, and perform any required adjustments to the WAF Managed Rules configuration. For example, you can [add an override](/ruleset-engine/managed-rulesets/override-managed-ruleset/) for a single rule that disables it or changes its action. + After invoking this API endpoint, both WAF managed rules and WAF Managed Rules will be enabled. Check [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events for any legitimate traffic getting blocked, and perform any required adjustments to the WAF Managed Rules configuration. For example, you can [add an override](/ruleset-engine/managed-rulesets/override-managed-ruleset/) for a single rule that disables it or changes its action. 4. To finish the migration and disable WAF managed rules, set the configuration for the new WAF using the settings you obtained in step 2 and possibly adjusted in step 3. Make sure you include the `waf_migration=pending&phase_two=1` query string parameters. 
@@ -359,7 +359,7 @@ Pro and Business customers, which do not have access to the validation mode desc If you are an Enterprise customer, use the **validation mode** of the WAF migration process to check the behavior of the new WAF Managed Rules configuration. Cloudflare enables validation mode after you deploy the new WAF configuration. In this mode, the previous WAF version is still enabled, so that you can validate the behavior of your new configuration during the migration process. The new WAF Managed Rules will run before the previous version. -Go to the [Activity log](/waf/analytics/security-events/paid-plans/#activity-log) in Security Events during validation mode and check the following: +Go to [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events during validation mode and check the following: - Look for any requests allowed by the new WAF that are being handled by the previous WAF version (for example, by a challenge or block action). If this happens, consider writing a [firewall rule](/firewall/cf-dashboard/create-edit-delete-rules/#create-a-firewall-rule) or a [WAF custom rule](/waf/custom-rules/create-dashboard/) to handle the requests you previously identified. 
@@ -369,7 +369,7 @@ Go to the [Activity log](/waf/analytics/security-events/paid-plans/#activity-log Business and Professional customers do not have access to validation mode, which means that they will be able to check the new WAF behavior after they migrate to the new WAF Managed Rules. -In the days following the migration, check the [Activity log](/waf/analytics/security-events/paid-plans/#activity-log) in Security Events looking for any legitimate requests being blocked by WAF Managed Rules. If you identify any incorrectly blocked requests, adjust the corresponding WAF rule action to Log. For more information on changing the action of a managed ruleset rule, refer to [Configure a single rule in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-single-rule-in-a-managed-ruleset). +In the days following the migration, check [sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events looking for any legitimate requests being blocked by WAF Managed Rules. If you identify any incorrectly blocked requests, adjust the corresponding WAF rule action to Log. For more information on changing the action of a managed ruleset rule, refer to [Configure a single rule in a managed ruleset](/waf/managed-rules/deploy-zone-dashboard/#configure-a-single-rule-in-a-managed-ruleset). Additionally, check for requests that should have been blocked. In this situation, consider creating a [firewall rule](/firewall/cf-dashboard/create-edit-delete-rules/#create-a-firewall-rule) or a [WAF custom rule](/waf/custom-rules/create-dashboard/) to block these requests. diff --git a/src/content/docs/waf/analytics/security-events/additional-information.mdx b/src/content/docs/waf/tools/validation-checks.mdx similarity index 72% rename from src/content/docs/waf/analytics/security-events/additional-information.mdx rename to src/content/docs/waf/tools/validation-checks.mdx index 1a3000e42688345..cd23ad31c9ce23f 100644 
--- a/src/content/docs/waf/analytics/security-events/additional-information.mdx +++ b/src/content/docs/waf/tools/validation-checks.mdx 
@@ -1,19 +1,23 @@ --- pcx_content_type: reference -title: Additional information -sidebar: - order: 11 +title: Validation checks --- import { GlossaryTooltip } from "~/components"; -## Validation checks +Cloudflare performs a validation check for every request. The Validation component executes prior to all other WAF features like custom rules or WAF Managed Rules. The validation check blocks malformed requests like Shellshock attacks and requests with certain attack patterns in their HTTP headers before any allowlist logic occurs. -Cloudflare performs a validation check for every request. The Validation component executes prior to all other WAF features like custom rules or WAF Managed Rules. The validation check blocks malformed requests like Shellshock attacks and requests with certain attack patterns in their HTTP headers before any allowlist logic occurs. Actions performed by the Validation component appear in the **Activity log** associated with the `Validation` service and without a rule ID. Security events downloaded from the API show source as `Validation` and action as `drop` when this behavior occurs. +:::note +Currently, you cannot disable validation checks. They run early in Cloudflare's infrastructure before the configuration for domains has been loaded. +::: + +## Event logs for validation checks + +Actions performed by the Validation component appear in [Sampled logs](/waf/analytics/security-events/#sampled-logs) in Security Events, associated with the `Validation` service and without a rule ID. Event logs downloaded from the API show source as `Validation` and action as `drop` when this behavior occurs. 
The following example shows a request blocked by the Validation component due to a malformed `User-Agent` HTTP request header: -![Activity log displaying an example of a validation check event](~/assets/images/waf/validation-service.png) +![Sampled logs displaying an example of a validation check event](~/assets/images/waf/validation-service.png) In the downloaded JSON file for the event, the `ruleId` value indicates the detected issue — in this case, it was a Shellshock attack. @@ -26,7 +30,3 @@ In the downloaded JSON file for the event, the `ruleId` value indicates the dete //... } ``` - -:::note -Currently, you cannot disable validation checks. They run early in Cloudflare's infrastructure before the configuration for domains has been loaded. -::: diff --git a/src/content/docs/waf/troubleshooting/faq.mdx b/src/content/docs/waf/troubleshooting/faq.mdx index 7d29eaa3641d0ed..4435c0cad208ff1 100644 --- a/src/content/docs/waf/troubleshooting/faq.mdx +++ b/src/content/docs/waf/troubleshooting/faq.mdx @@ -11,7 +11,7 @@ sidebar: This happens when a request goes through a Cloudflare Worker. -In this case, Cloudflare considers the client details, including its IP address, for triggering security settings. However, the IP displayed in [Security Events](/waf/analytics/security-events/paid-plans/) will be a Cloudflare IP address. +In this case, Cloudflare considers the client details, including its IP address, for triggering security settings. However, the IP displayed in [Security Events](/waf/analytics/security-events/) will be a Cloudflare IP address. ### Do I need to escape certain characters in expressions? 
@@ -46,7 +46,7 @@ Cloudflare may block an IP address due to various reasons: If your IP address is blocked, try the following: -- **Check Cloudflare Security Events**: Use the [Security Events](/waf/analytics/security-events/paid-plans/) log to check for specific reasons your IP might be getting blocked. Look for details on the type of threat or activity that triggered the block. +- **Check Cloudflare Security Events**: Use the [Security Events](/waf/analytics/security-events/) log to check for specific reasons your IP might be getting blocked. Look for details on the type of threat or activity that triggered the block. - **Contact the website owner**: If you are a legitimate user and your IP is wrongly blocked, contact the website owner or administrator. They may be able to allowlist your IP or investigate the issue further. diff --git a/src/content/docs/workers/platform/limits.mdx b/src/content/docs/workers/platform/limits.mdx index eb0c293980e5d13..90997a39b01638f 100644 --- a/src/content/docs/workers/platform/limits.mdx +++ b/src/content/docs/workers/platform/limits.mdx @@ -131,7 +131,7 @@ Accounts using the Workers Free plan are subject to a burst rate limit of 1,000 Workers being rate-limited by Anti-Abuse Protection are also visible from the Cloudflare dashboard: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and select your account and your website. -2. Select **Security** > **Events** > scroll to **Activity log**. +2. Select **Security** > **Events** > scroll to **Sampled logs**. 3. Review the log for a Web Application Firewall block event with a `ruleID` of `worker`. ### Daily request diff --git a/src/content/notifications/index.yaml b/src/content/notifications/index.yaml index d49cd52d731defb..005b86b1bad23a5 100644 --- a/src/content/notifications/index.yaml +++ b/src/content/notifications/index.yaml 
@@ -39,7 +39,7 @@ entries: associatedProducts: Security Center nextSteps: Review the domains and URLs that are potentially impersonating your brand. otherFilters: You can select the query that you want to be alerted on. - + - name: Security Insights audience: Customers who want to receive notifications based on security insights findings. availability: All Cloudflare plans. @@ -548,10 +548,10 @@ entries: - **Test name**: Choose which DEX test the alert should monitor. You will receive individual notifications for each test. - name: Advanced Security Events Alert - audience: Enterprise customers who want to receive alerts about spikes in specific services that generate log entries in [Security Events](/waf/analytics/security-events/paid-plans/). For more information, refer to [WAF alerts](/waf/reference/alerts/). + audience: Enterprise customers who want to receive alerts about spikes in specific services that generate log entries in [Security Events](/waf/analytics/security-events/). For more information, refer to [WAF alerts](/waf/reference/alerts/). availability: Enterprise plans. associatedProducts: Web Application Firewall (WAF) - nextSteps: Review the information in [Security Events](/waf/analytics/security-events/paid-plans/) to identify any possible attack or misconfiguration. + nextSteps: Review the information in [Security Events](/waf/analytics/security-events/) to identify any possible attack or misconfiguration. otherFilters: |- A mandatory [`filters`](/api/resources/alerting/subresources/policies/methods/create/) selection is needed when you create a notification policy which includes the list of services and zones that you want to be alerted on. 
@@ -568,10 +568,10 @@ entries: These thresholds cannot be configured. Z-score is used to determine the threshold. - name: Security Events Alert - audience: Business and Enterprise customers who want to receive alerts about spikes across all services that generate log entries in [Security Events](/waf/analytics/security-events/paid-plans/). For more information, refer to [WAF alerts](/waf/reference/alerts/). + audience: Business and Enterprise customers who want to receive alerts about spikes across all services that generate log entries in [Security Events](/waf/analytics/security-events/). For more information, refer to [WAF alerts](/waf/reference/alerts/). availability: Business and Enterprise plans. associatedProducts: Web Application Firewall (WAF) - nextSteps: Review the information in [Security Events](/waf/analytics/security-events/paid-plans/) to identify any possible attack or misconfiguration. + nextSteps: Review the information in [Security Events](/waf/analytics/security-events/) to identify any possible attack or misconfiguration. otherFilters: |- A mandatory [`filters`](/api/resources/alerting/subresources/policies/methods/create/) selection is needed when you create a notification policy which includes the list of zones that you want to be alerted on. diff --git a/src/content/partials/waf/analytics-activity-log.mdx b/src/content/partials/waf/analytics-activity-log.mdx deleted file mode 100644 index 7effba2d87e4266..000000000000000 --- a/src/content/partials/waf/analytics-activity-log.mdx +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -{} - ---- - -The **Activity log** summarizes security events by date to show the action taken and the applied Cloudflare security feature. - -![Example list of events in the Activity log, with one of the events expanded to show its details](~/assets/images/waf/events-activity-log.png) - -Security events are shown by individual event rather than by request. For example, if a single request triggers three different security features, the security events will show three individual events in the **Activity log**. - -Expand each event to check its details, and define filters and exclusions based on the event's field values. Select the **Filter** or **Exclude** button when hovering a field to add the field value to the filters or exclusions list of the displayed analytics. To download the event data in JSON format, select **Export event JSON**. - -### Displayed columns - -To configure the columns displayed in the **Activity log**, select **Edit columns**. This gives you flexibility depending on the type of analysis that you need to perform. - -For example, if you are diagnosing a bot-related issue, you may want to display the **User agent** and the **Country** columns. On the other hand, if you are trying to identify a DDoS attack, you may want to display the **IP address**, **ASN**, and **Path** columns. - -### Event actions - -For details on most actions that appear in the **Activity Log**, refer to [Actions](/ruleset-engine/rules-language/actions/). - -Besides the actions you can select when configuring rules in Cloudflare security products, you may also find events with the following associated actions: - -* *Connection Close* -* *Force Connection Close* - -For details on these actions, refer to [HTTP DDoS Attack Protection parameters](/ddos-protection/managed-rulesets/http/override-parameters/#action). 
- -The [*Managed Challenge (Recommended)*](/waf/reference/cloudflare-challenges/#managed-challenge-recommended) action that may appear in the **Activity Log** is available in the following security features and products: WAF custom rules, rate limiting rules, Bot Fight Mode, IP Access rules, User Agent Blocking rules, and firewall rules (deprecated). diff --git a/src/content/partials/waf/analytics-create-firewall-rule.mdx b/src/content/partials/waf/analytics-create-firewall-rule.mdx deleted file mode 100644 index 4025e9711fd4a00..000000000000000 --- a/src/content/partials/waf/analytics-create-firewall-rule.mdx +++ /dev/null @@ -1,6 +0,0 @@ ---- -{} - ---- - -To create a [custom rule](/waf/custom-rules/create-dashboard/) based on your current filters and exclusions, select **Create custom rule** in **Security Events**. diff --git a/src/content/partials/waf/analytics-export-data.mdx b/src/content/partials/waf/analytics-export-data.mdx deleted file mode 100644 index 27d7d523961125d..000000000000000 --- a/src/content/partials/waf/analytics-export-data.mdx +++ /dev/null @@ -1,20 +0,0 @@ ---- -{} - ---- - -import { GlossaryTooltip } from "~/components" - -### Export activity log data - -:::note - - -Only available on Business and Enterprise plans. - - -::: - -You can export a set of up to 500 raw events from the **Activity log** in JSON format. Export event data to combine and analyze Cloudflare data with your own stored in a separate system or database, such as a SIEM system. The data you export will reflect any filters you have applied. - -To export the displayed events (up to 500), select **Export** in the **Activity log**. diff --git a/src/content/partials/waf/analytics-filter-report-duration.mdx b/src/content/partials/waf/analytics-filter-report-duration.mdx deleted file mode 100644 index 2f86d9fbdb8c91c..000000000000000 --- a/src/content/partials/waf/analytics-filter-report-duration.mdx +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -{} - ---- - -### Add filters - -You can adjust the scope of analytics by manually entering filter conditions. Alternatively, select **Filter** or **Exclude** to filter by a field value. These buttons appear when you hover the analytics data legend. - -To manually add a filter: - -1. Under **Security Events**, select **Add filter**. -2. Select a field, an operator, and a value. For example, to filter events by IP address, select *IP* for **Action**, select *equals* for the operator, and enter the IP address. -3. Select **Apply**. - -Take the following into account when entering filter values: - -* Do not add quotes around values. -* Do not enter the `AS` prefix when entering ASN numbers. For example, enter `1423` instead of `AS1423`. -* Wildcards are not supported. - -### Adjust report duration - -To adjust report duration, select the desired duration from the dropdown in **Security Events**. - -The available report duration values depend on your Cloudflare plan. Refer to [Availability](/waf/analytics/security-events/#availability) for details. diff --git a/src/content/partials/waf/analytics-share-url.mdx b/src/content/partials/waf/analytics-share-url.mdx deleted file mode 100644 index 707f64461674327..000000000000000 --- a/src/content/partials/waf/analytics-share-url.mdx +++ /dev/null @@ -1,10 +0,0 @@ ---- -{} - ---- - -When you add a filter and specify a report duration (time window) in Security Events, the Cloudflare dashboard URL changes to reflect the parameters you configured. You can share that URL with other users so that they can analyze the same information that you see. - -For example, after adding a filter for `Action equals Managed Challenge` and setting the report duration to 72 hours, the URL should look like the following: - -`https://dash.cloudflare.com/{account_id}/example.net/security/events?action=managed_challenge&time-window=4320` 
diff --git a/src/content/plans/index.json b/src/content/plans/index.json index 4fd7be10739c6d7..b18957cef38f3cc 100644 --- a/src/content/plans/index.json +++ b/src/content/plans/index.json @@ -1530,7 +1530,7 @@ }, "dashboard_features": { "title": "Dashboard features", - "free": "Activity log only", + "free": "Sampled logs only", "pro": "All", "biz": "All", "ent": "All" diff --git a/src/content/release-notes/waf-general.yaml b/src/content/release-notes/waf-general.yaml index c7eaba61a447374..061e76c61a01b9b 100644 --- a/src/content/release-notes/waf-general.yaml +++ b/src/content/release-notes/waf-general.yaml @@ -18,7 +18,7 @@ entries: - publish_date: "2024-11-14" title: Security Events pagination description: |- - Fixed an issue with pagination in Security Events' activity log where some pages were missing data. Also removed the total count from the activity log as these are only sampled logs. + Fixed an issue with pagination in Security Events' sampled logs where some pages were missing data. Also removed the total count from the events log as these are only sampled logs. - publish_date: "2024-11-04" title: New table in Security Analytics and Security Events description: |-
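Review bot: In `old-waf-managed-rules/index.mdx`, hunk `@@ -39,20 +39,20 @@` (and again at `@@ -66,7 +66,7 @@` and `@@ -80,18 +80,18 @@`), every link now depends on a `#sampled-logs` anchor on `/waf/analytics/security-events/`, but the target page is not part of the lines shown here. Please confirm that the consolidated page has a heading that generates exactly that anchor. Also note that the new `_redirects` entries cover the `/paid-plans/` path only, so existing external links ending in `#activity-log` will land on the new page without a matching anchor. If that matters, keeping an `activity-log` anchor alias on the new heading would avoid the broken jump.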
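Review bot: In `old-waf-managed-rules/index.mdx`, hunk `@@ -99,19 +99,18 @@`, the new note reads "Sampled logs displays rule ID `981176`", which has a plural subject with a singular verb and capitalizes "Sampled logs" mid-sentence ("listed in Sampled logs"), while the other hunks in this file use lowercase "sampled logs". Suggest "Sampled logs display rule ID `981176` when a request is blocked by OWASP" and "listed in sampled logs".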
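Review bot: In `waf-managed-rules-migration.mdx`, hunks `@@ -308,7 +308,7 @@`, `@@ -359,7 +359,7 @@` and `@@ -369,7 +369,7 @@`, the text tells readers to check sampled logs "for any legitimate traffic getting blocked" as the validation step of the migration, but nothing here says that the view is a sample. The release note edited later in this patch states that "these are only sampled logs", so a reader could take an empty result as proof that nothing was blocked. Suggest adding one sentence in the validation section stating that sampled logs show a sample of events, and that a missing entry does not confirm a request was allowed.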
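Review bot: In `waf/tools/validation-checks.mdx`, hunk `@@ -1,19 +1,23 @@`, the rewritten paragraph uses three names for the same data: the link text "[Sampled logs]" (capitalized mid-sentence, unlike the other files in this patch), the new heading "Event logs for validation checks", and "Event logs downloaded from the API". Since this page is where readers learn to recognize `Validation` / `drop` events, please pick one term, for example "sampled logs" for the dashboard view and "security events" for the API export as the removed line had it. Separately, the front matter drops `sidebar: order: 11` without a replacement, so please confirm the page's position under `/waf/tools/` is the intended one.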
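Review bot: In `workers/platform/limits.mdx`, hunk `@@ -131,7 +131,7 @@`, step 3 (unchanged context) names the field `ruleID`, while the validation-checks page in this same patch refers to the exported JSON field as `ruleId`. Since step 2 is being touched anyway, please align the field name with the one used in the event JSON so that readers searching exported events use the right key. Step 2 also mixes a navigation path with an instruction ("> scroll to **Sampled logs**"); "Select **Security** > **Events** and scroll to **Sampled logs**" reads more cleanly.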
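Review bot: The deletions of `analytics-export-data.mdx` and `analytics-filter-report-duration.mdx` remove operational details whose new home is not visible in this part of the patch: the export limit ("up to 500 raw events") and its "Only available on Business and Enterprise plans" restriction, and the filter value rules ("Do not add quotes around values", no `AS` prefix on ASN numbers, "Wildcards are not supported"). Teams that export events to a SIEM or build filters rely on these, so please confirm each one is carried over to the consolidated `/waf/analytics/security-events/` page before the partials are removed. The same applies to the *Connection Close* and *Force Connection Close* action descriptions deleted with `analytics-activity-log.mdx`.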
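Review bot: In `release-notes/waf-general.yaml`, hunk `@@ -18,7 +18,7 @@`, the entry dated `2024-11-14` is rewritten after the fact and now introduces a new term, "events log", next to "sampled logs" in the same sentence. A release note is a record of what shipped under the name it had at the time, so I would either leave the original wording or write "sampled logs (previously activity log)" in both places. As written, "removed the total count from the events log as these are only sampled logs" leaves the reader guessing whether "events log" is a different view.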