Cloudflare
About
Cloudflare secures external-facing resources such as websites, APIs, and applications and keeps them available. It also protects internal resources such as behind-the-firewall applications, teams, and devices, and it can serve as a platform for building globally scalable applications.
Product Details
Vendor URL: Cloudflare
Product Type: SaaS
Product Tier: Tier III
Integration Method: Custom
Log Guide: Cloudflare Logpush
Parser Details
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: CLOUDFLARE
UDM Fields (all UDM fields the parser populates):
Log File Field | UDM Field |
---|---|
AccountID | target.resource.id |
Action | security_result.action |
ActionResult | security_result.action |
ActionType | security_result.description |
ActorEmail | principal.user.email_addresses |
ActorID | principal.user.product_object_id |
ActorIP | principal.ip |
BlockedFileHash | target.file.md5 |
BlockedFileHash | target.file.sha1 |
BlockedFileHash | target.file.sha256 |
BlockedFileName | security_result.about.file.full_path |
BlockedFileReason | security_result.summary |
BlockedFileSize | target.file.size |
BotScore | security_result.risk_score |
ClientCountry | principal.location.country_or_region |
ClientIP | principal.ip |
ClientDeviceType | src.asset.type |
ClientRequestBytes | network.sent_bytes |
ClientRequestHost | target.hostname |
ClientRequestHost | target.url |
ClientRequestMethod | network.http.method |
ClientRequestPath | security_result.about.labels.value |
ClientRequestProtocol | network.application_protocol |
ClientRequestReferer | network.http.referral_url |
ClientRequestURI | target.url |
ClientRequestUserAgent | network.http.user_agent |
ClientSrcPort | principal.port |
Datetime | metadata.event_timestamp |
DestinationIP | target.ip |
DestinationPort | target.port |
DeviceID | principal.asset_id |
DownloadFileNames | security_result.about.labels.value |
DstIP | target.ip |
DstPort | target.port |
EdgeResponseBytes | network.received_bytes |
EdgeResponseStatus | network.http.response_code |
EdgeServerIP | target.ip |
EdgeStartTimestamp | metadata.event_timestamp |
| principal.user.email_addresses |
FirewallMatchesActions | security_result.action |
FirewallMatchesRuleIDs | security_result.rule_id |
FirewallMatchesSources | security_result.rule_type |
HTTPHost | target.hostname |
HTTPMethod | network.http.method |
HTTPVersion | network.application_protocol |
ID | metadata.product_log_id |
IsIsolated | security_result.about.labels.value |
Location | principal.location.name |
Metadata | security_result.about.labels.value |
NewValue | security_result.about.labels.value |
OldValue | security_result.about.labels.value |
OwnerID | target.user.product_object_id |
Policy | security_result.rule_name |
PolicyID | security_result.rule_id |
Protocol | network.application_protocol |
QueryCategoryIDs | security_result.about.labels.value |
QueryName | network.dns.questions.name |
QueryNameReversed | network.dns.questions.name |
QuerySize | network.sent_bytes |
QueryType | network.dns.questions.type |
RayID | metadata.product_log_id |
RData.data | network.dns.answers.data |
RData.type | network.dns.answers.type |
Referer | network.http.referral_url |
RequestID | metadata.product_log_id |
ResolverDecision | security_result.summary |
ResourceID | target.resource.id |
ResourceType | target.resource.resource_subtype |
SecurityLevel | security_result.severity |
SourceIP | principal.ip |
SourcePort | principal.port |
SrcIP | principal.ip |
SrcPort | principal.port |
UploadedFileNames | security_result.about.labels.value |
URL | target.url |
UserAgent | network.http.user_agent |
UserID | principal.user.product_object_id |
WAFAction | security_result.about.labels.value |
WAFRuleMessage | security_result.rule_name |
ZoneID | security_result.about.labels.value |
ZoneName | security_result.about.labels.value |
Product Event Types
Raw Log Type | UDM Event Type |
---|---|
all others | NETWORK_CONNECTION |
audit | USER_RESOURCE_ACCESS |
audit | USER_RESOURCE_UPDATE_CONTENT |
dns | NETWORK_DNS |
http | NETWORK_CONNECTION |
Log Sample
{"ClientASN":asn,"ClientCountry":"us","ClientIP":"10.0.0.8","ClientRequestHost":"website.domain1.com","ClientRequestMethod":"GET","ClientRequestURI":"website.domain2.com","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36","EdgeEndTimestamp":"2022-03-04T14:29:10Z","EdgeResponseBytes":1102,"EdgeResponseStatus":304,"EdgeStartTimestamp":"2022-03-04T14:29:10Z","FirewallMatchesActions":["allow"],"FirewallMatchesRuleIDs":["a9w9k110048"],"FirewallMatchesSources":["firewallRules"],"RayID":"alqddd1114","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":""}
Sample Parsing
metadata.product_log_id = "alqddd1114"
metadata.event_timestamp = "2022-03-04T14:29:10Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_name = "Cloudflare"
metadata.ingested_timestamp = "2022-03-04T14:39:29.926402Z"
principal.ip = "10.0.0.8"
principal.location.country_or_region = "us"
principal.asset.ip = "10.0.0.8"
target.hostname = "website.domain1.com"
target.url = "website.domain1.comwebsite.domain2.com"
target.asset.hostname = "virtual-coach"
observer.hostname = "CLOUDFLARE"
security_result.about.labels.key = "WAF Action"
security_result.about.labels.value = "unknown"
security_result.action = "ALLOW"
security_result.rule_id = "a9w9k110048"
security_result.rule_type = "firewallRules"
network.received_bytes = 1102
network.http.method = "GET"
network.http.user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"
network.http.response_code = 304
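The following is an added illustration, not the vendor parser's own code: it re-implements the http subset of the UDM Fields table and the event-type table above as a flat mapping and runs it over a constructed record shaped like the Log Sample, so the behaviour visible in Sample Parsing (empty WAF fields dropped, ClientRequestHost and ClientRequestURI concatenated into target.url, the firewall action upper-cased) can be checked offline. The ClientASN value, the shortened user agent, and the first-element handling of repeated fields are assumptions made for the example.

```python
import json
# Constructed sample shaped like the page's Log Sample; ClientASN uses the RFC 5398
# documentation range because the page leaves that value as a placeholder.
SAMPLE_LOG = json.dumps({
    "ClientASN": 64496, "ClientCountry": "us", "ClientIP": "10.0.0.8",
    "ClientRequestHost": "website.domain1.com", "ClientRequestMethod": "GET",
    "ClientRequestURI": "website.domain2.com", "ClientRequestUserAgent": "Mozilla/5.0",
    "EdgeStartTimestamp": "2022-03-04T14:29:10Z", "EdgeResponseBytes": 1102,
    "EdgeResponseStatus": 304, "FirewallMatchesActions": ["allow"],
    "FirewallMatchesRuleIDs": ["a9w9k110048"], "FirewallMatchesSources": ["firewallRules"],
    "RayID": "alqddd1114", "WAFAction": "unknown", "WAFRuleMessage": "",
})
# One-to-one mappings copied from the UDM Fields table (http subset only).
FIELD_MAP = {
    "RayID": "metadata.product_log_id", "EdgeStartTimestamp": "metadata.event_timestamp",
    "ClientIP": "principal.ip", "ClientCountry": "principal.location.country_or_region",
    "ClientRequestHost": "target.hostname", "ClientRequestMethod": "network.http.method",
    "ClientRequestUserAgent": "network.http.user_agent",
    "ClientRequestBytes": "network.sent_bytes", "EdgeResponseBytes": "network.received_bytes",
    "EdgeResponseStatus": "network.http.response_code",
    "FirewallMatchesRuleIDs": "security_result.rule_id",
    "FirewallMatchesSources": "security_result.rule_type",
    "WAFRuleMessage": "security_result.rule_name",
}
# Event type by raw log type, from the Product Event Types table; "all others" fall
# through to NETWORK_CONNECTION (audit events, which split into two types, are omitted).
EVENT_TYPES = {"dns": "NETWORK_DNS", "http": "NETWORK_CONNECTION"}

def normalize(raw, log_type="http"):
    udm = {"metadata.product_name": "Cloudflare", "observer.hostname": "CLOUDFLARE",
           "metadata.event_type": EVENT_TYPES.get(log_type, "NETWORK_CONNECTION")}
    for src, dst in FIELD_MAP.items():
        val = raw.get(src)
        if val in ("", None, []):  # empty WAF* strings are dropped, as in Sample Parsing
            continue
        # Sample Parsing shows one value per repeated field; keep the first match (assumption).
        udm[dst] = val[0] if isinstance(val, list) else val
    # target.url is ClientRequestHost and ClientRequestURI concatenated (see Sample Parsing).
    host, uri = raw.get("ClientRequestHost", ""), raw.get("ClientRequestURI", "")
    if host or uri:
        udm["target.url"] = host + uri
    if raw.get("FirewallMatchesActions"):  # "allow" becomes the UDM enum value ALLOW
        udm["security_result.action"] = raw["FirewallMatchesActions"][0].upper()
    if "WAFAction" in raw:
        udm["security_result.about.labels.key"] = "WAF Action"
        udm["security_result.about.labels.value"] = raw["WAFAction"]
    return udm

def parse_sample():
    return normalize(json.loads(SAMPLE_LOG), "http")
```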