Ruleset Engine rules language

The CIS Ruleset Engine rules language is a flexible and intuitive specification for building rule expressions. Based on Wireshark display filters, the rules language lets you precisely target HTTP requests with syntax and semantics familiar to security engineers.

Ruleset Engine rules actions

The action of a rule determines how CIS handles matches for the rule expression.

The following table lists the actions available in the Ruleset Engine language:

Available actions

| Action | API value | Description | Stops rule evaluation? |
|---|---|---|---|
| Interactive challenge | challenge | Useful for ensuring that the visitor accessing the site is human, not automated. The client that made the request must pass an interactive challenge. If successful, CIS accepts the matched request; otherwise, it is blocked. | Yes |
| JS Challenge | js_challenge | Useful for ensuring that bots and spam can't access the requested resource; browsers, however, are free to satisfy the challenge automatically. The client that made the request must pass a JavaScript challenge before proceeding. If successful, CIS accepts the matched request; otherwise, it is blocked. | Yes |
| Managed challenge (recommended) | managed_challenge | Helps reduce the time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, CIS will dynamically choose the appropriate type of challenge from the following actions based on specific criteria: show a non-interactive challenge page (similar to the current JS challenge); show a custom interactive challenge (for example, clicking a button). | Yes |
| Block | block | Matching requests are denied access to the site. | Yes |
| Skip | skip | Allows user to dynamically skip one or more security features or products for a request. Depending on the rule configuration, matching requests will skip the evaluation of one or more security features or products: skip all remaining rules in the current ruleset; skip rulesets; skip rules of a ruleset; skip phases; skip specific security products that are not based on the Ruleset Engine. The available skip options depend on the phase where you configure the rule. | No (However, some rules might be skipped) |
| Log | log | Records matching requests in the CIS logs. Only available on Enterprise plans. Recommended for validating rules before committing to a more severe action. | No |
| Execute | execute | Executes the rules in the ruleset specified in the rule configuration. You can specify a managed ruleset or a custom ruleset to execute. In the CIS UI, this action is not listed in action selection dropdowns. | No |
| Rewrite | rewrite | Adjusts the URI path, query string, and/or HTTP headers of requests and responses, according to the rule configuration. Only available in WAF custom rules checking for exposed credentials, in the http_request_firewall_custom phase at the instance level. In the CIS UI, this action is called Exposed-Credential-Check Header. | No |
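
The following is an added example, not IBM's code or the CIS engine: a simplified Python model of the "Stops rule evaluation?" column, showing how rule order interacts with log, skip, execute, and the terminating actions. The rule dictionaries, rule names, Python predicates standing in for rule expressions, and sample requests are constructed. It models only the "skip all remaining rules in the current ruleset" option and assumes an executed ruleset returns to its parent when no terminating action fires.

```python
# Simplified model of the "Stops rule evaluation?" column (assumption: not the CIS engine).
TERMINATING = {"challenge", "js_challenge", "managed_challenge", "block"}

def evaluate(ruleset, request, trace=None):
    """Return (final_action, trace); final_action is None if nothing terminated."""
    trace = [] if trace is None else trace
    for rule in ruleset:
        if not rule["match"](request):
            continue
        action = rule["action"]
        trace.append((rule["name"], action))
        if action in TERMINATING:
            return action, trace        # "Yes": evaluation stops here
        if action == "skip":
            return None, trace          # modeled option: skip rest of the current ruleset
        if action == "execute":
            final, _ = evaluate(rule["ruleset"], request, trace)
            if final is not None:
                return final, trace     # a terminating action fired inside the executed ruleset
        # "log" and a non-terminating "execute" fall through to the next rule
    return None, trace

# Constructed predicates standing in for rule expressions.
is_admin = lambda r: r["path"].startswith("/admin")
from_office = lambda r: r["ip"] == "192.0.2.10"
always = lambda r: True

# Hypothetical ruleset run through an "execute" rule.
EXECUTED = [
    {"name": "allow-office", "match": from_office, "action": "skip"},
    {"name": "block-admin", "match": is_admin, "action": "block"},
]
# Hypothetical top-level rules, evaluated in order.
TOP = [
    {"name": "log-admin", "match": is_admin, "action": "log"},
    {"name": "run-executed", "match": always, "action": "execute", "ruleset": EXECUTED},
    {"name": "challenge-admin", "match": is_admin, "action": "managed_challenge"},
]

def demo():
    outside = evaluate(TOP, {"path": "/admin/login", "ip": "198.51.100.7"})
    office = evaluate(TOP, {"path": "/admin/login", "ip": "192.0.2.10"})
    return outside, office

if __name__ == "__main__":
    for final, trace in demo():
        print(final, trace)
```

In this model the skip rule spares the office address from the block inside the executed ruleset, but the later top-level managed challenge still applies to it, which is the kind of ordering effect worth checking with log before switching a rule to a terminating action.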