fix: Tune cloudflare bot alert up to 2req/sec. Disable some cloudflar…

…e blocked alerts due to cloudflare having blocked the request (#769) * fix: Tune cloudflare bot alert up to 2req/sec. Disable some cloudflare blocked alerts due to cloudflare having blocked the requests * chore: tweak the request volume for cloudflare + bots + greynoise
panther-labs · Jun 2, 2023 · e1ebc2d · e1ebc2d
1 parent 2d9059d
commit e1ebc2d
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 8 deletions.
diff --git a/packs/cloudflare.yml b/packs/cloudflare.yml
@@ -5,8 +5,6 @@ Description: Group of all Cloudflare detections
 PackDefinition:
   IDs:
     - Cloudflare.Firewall.L7DDoS
-    - Cloudflare.Firewall.HighVolumeEventsBlocked
-    - Cloudflare.Firewall.HighVolumeEventsBlockedGreyNoise
     - Cloudflare.Firewall.SuspiciousEventGreyNoise
     - Cloudflare.HttpRequest.BotHighVolume
     - Cloudflare.HttpRequest.BotHighVolumeGreyNoise

diff --git a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked.yml
@@ -1,7 +1,7 @@
 AnalysisType: rule
 Filename: cloudflare_firewall_high_volume_events_blocked.py
 RuleID: "Cloudflare.Firewall.HighVolumeEventsBlocked"
-DisplayName: "Cloudflare - High Volume Events Blocked"
+DisplayName: "--DEPRECATED-- Cloudflare - High Volume Events Blocked"
 Enabled: false
 LogTypes:
   - Cloudflare.Firewall

diff --git a/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml b/rules/cloudflare_rules/cloudflare_firewall_high_volume_events_blocked_greynoise.yml
@@ -1,8 +1,8 @@
 AnalysisType: rule
 Filename: cloudflare_firewall_high_volume_events_blocked_greynoise.py
 RuleID: "Cloudflare.Firewall.HighVolumeEventsBlockedGreyNoise"
-DisplayName: "Cloudflare High Volume Events Blocked - GreyNoise"
-Enabled: true
+DisplayName: "--DEPRECATED-- Cloudflare High Volume Events Blocked - GreyNoise"
+Enabled: false
 LogTypes:
   - Cloudflare.Firewall
 Tags:

diff --git a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml
@@ -8,10 +8,10 @@ LogTypes:
 Tags:
   - Cloudflare
 Severity: Low
-Description: Monitors for high volume of likely automated HTTP Requests
+Description: Monitors for bots making HTTP Requests at a rate higher than 2req/sec
 Runbook: Inspect and monitor internet-facing services for potential outages
 DedupPeriodMinutes: 60 # 1 hour
-Threshold:  600
+Threshold:  7560 # 2req/sec is 7200 + 5% for just-in-case
 SummaryAttributes:
   - ClientIP
   - ClientRequestUserAgent

diff --git a/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml b/rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume_greynoise.yml
@@ -12,7 +12,7 @@ Severity: Low
 Description: Monitors for high volume of likely automated HTTP Requests with GreyNoise enrichment
 Runbook: Inspect and monitor internet-facing services for potential outages
 DedupPeriodMinutes: 60 # 1 hour
-Threshold:  600
+Threshold:  7560 # 2req/sec is 7200 + 5% for just-in-case
 SummaryAttributes:
   - ClientIP
   - ClientRequestUserAgent