Cloudflare

About

Cloudflare secures and ensures the reliability of external-facing resources such as websites, APIs, and applications. It protects internal resources such as behind-the-firewall applications, teams, and devices. It can be a platform for developing globally-scalable applications.

Product Details

Vendor URL: Cloudflare

Product Type: SaaS

Product Tier: Tier III

Integration Method: Custom

Log Guide: Cloudflare Logpush

Parser Details

Log Format: JSON

Expected Normalization Rate: 95%

Data Label: CLOUDFLARE

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| AccountID | target.resource.id |
| Action | security_result.action |
| ActionResult | security_result.action |
| ActionType | security_result.description |
| ActorEmail | principal.user.email_addresses |
| ActorID | principal.user.product_object_id |
| ActorIP | principal.ip |
| BlockedFileHash | target.file.md5 |
| BlockedFileHash | target.file.sha1 |
| BlockedFileHash | target.file.sha256 |
| BlockedFileName | security_result.about.file.full_path |
| BlockedFileReason | security_result.summary |
| BlockedFileSize | target.file.size |
| BotScore | security_result.risk_score |
| ClientCountry | principal.location.country_or_region |
| ClientIP | principal.ip |
| ClientDeviceType | src.asset.type |
| ClientRequestBytes | network.sent_bytes |
| ClientRequestHost | target.hostname |
| ClientRequestHost | target.url |
| ClientRequestMethod | network.http.method |
| ClientRequestPath | security_result.about.labels.value |
| ClientRequestProtocol | network.application_protocol |
| ClientRequestReferer | network.http.referral_url |
| ClientRequestURI | target.url |
| ClientRequestUserAgent | network.http.user_agent |
| ClientSrcPort | principal.port |
| Datetime | metadata.event_timestamp |
| DestinationIP | target.ip |
| DestinationPort | target.port |
| DeviceID | principal.asset_id |
| DownloadFileNames | security_result.about.labels.value |
| DstIP | target.ip |
| DstPort | target.port |
| EdgeResponseBytes | network.received_bytes |
| EdgeResponseStatus | network.http.response_code |
| EdgeServerIP | target.ip |
| EdgeStartTimestamp | metadata.event_timestamp |
| Email | principal.user.email_addresses |
| FirewallMatchesActions | security_result.action |
| FirewallMatchesRuleIDs | security_result.rule_id |
| FirewallMatchesSources | security_result.rule_type |
| HTTPHost | target.hostname |
| HTTPMethod | network.http.method |
| HTTPVersion | network.application_protocol |
| ID | metadata.product_log_id |
| IsIsolated | security_result.about.labels.value |
| Location | principal.location.name |
| Metadata | security_result.about.labels.value |
| NewValue | security_result.about.labels.value |
| OldValue | security_result.about.labels.value |
| OwnerID | target.user.product_object_id |
| Policy | security_result.rule_name |
| PolicyID | security_result.rule_id |
| Protocol | network.application_protocol |
| QueryCategoryIDs | security_result.about.labels.value |
| QueryName | network.dns.questions.name |
| QueryNameReversed | network.dns.questions.name |
| QuerySize | network.sent_bytes |
| QueryType | network.dns.questions.type |
| RayID | metadata.product_log_id |
| RData.data | network.dns.answers.data |
| RData.type | network.dns.answers.type |
| Referer | network.http.referral_url |
| RequestID | metadata.product_log_id |
| ResolverDecision | security_result.summary |
| ResourceID | target.resource.id |
| ResourceType | target.resource.resource_subtype |
| SecurityLevel | security_result.severity |
| SourceIP | principal.ip |
| SourcePort | principal.port |
| SrcIP | principal.ip |
| SrcPort | principal.port |
| UploadedFileNames | security_result.about.labels.value |
| URL | target.url |
| UserAgent | network.http.user_agent |
| UserID | principal.user.product_object_id |
| WAFAction | security_result.about.labels.value |
| WAFRuleMessage | security_result.rule_name |
| ZoneID | security_result.about.labels.value |
| ZoneName | security_result.about.labels.value |

Product Event Types

| Raw log type | UDM Event Type |
|---|---|
| all others | NETWORK_CONNECTION |
| audit | USER_RESOURCE_ACCESS |
| audit | USER_RESOURCE_UPDATE_CONTENT |
| dns | NETWORK_DNS |
| http | NETWORK_CONNECTION |

Log Sample

{"ClientASN":asn,"ClientCountry":"us","ClientIP":"10.0.0.8","ClientRequestHost":"website.domain1.com","ClientRequestMethod":"GET","ClientRequestURI":"website.domain2.com","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36","EdgeEndTimestamp":"2022-03-04T14:29:10Z","EdgeResponseBytes":1102,"EdgeResponseStatus":304,"EdgeStartTimestamp":"2022-03-04T14:29:10Z","FirewallMatchesActions":["allow"],"FirewallMatchesRuleIDs":["a9w9k110048"],"FirewallMatchesSources":["firewallRules"],"RayID":"alqddd1114","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":""}

Sample Parsing

metadata.product_log_id = "alqddd1114"
metadata.event_timestamp = "2022-03-04T14:29:10Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_name = "Cloudflare"
metadata.ingested_timestamp = "2022-03-04T14:39:29.926402Z"
principal.ip = "10.0.0.8"
principal.location.country_or_region = "us"
principal.asset.ip = "10.0.0.8"
target.hostname = "website.domain1.com"
target.url = "website.domain1.comwebsite.domain2.com"
target.asset.hostname = "virtual-coach"
observer.hostname = "CLOUDFLARE"
security_result.about.labels.key = "WAF Action"
security_result.about.labels.value = "unknown"
security_result.action = "ALLOW"
security_result.rule_id = "a9w9k110048"
security_result.rule_type = "firewallRules"
network.received_bytes = 1102
network.http.method = "GET"
network.http.user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"
network.http.response_code = 304
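The following normalizer is an added illustration of how the mapping table, the Product Event Types table and the sample parsing above fit together; it is not the product's parser and not Cloudflare code. `SCALAR_MAP` carries a subset of the table, the key-presence tests in `classify()` that tell the raw log types apart are an assumption, and both input records are constructed: the HTTP record follows the page's log sample with the non-JSON placeholder `asn` replaced by a made-up integer, and the DNS record uses field names from the table with invented values. It reproduces the behaviour the sample parsing shows (list-valued firewall fields flattened to one value, `allow` upper-cased to `ALLOW`, `target.url` built by concatenating host and URI without a separator, `WAFAction` carried as a label) and reports which raw fields produced no UDM value, which is the kind of check behind a normalization-rate figure.

```python
import json

# Constructed input, based on the page's Log Sample. The page's "ClientASN":asn
# placeholder is not valid JSON, so a made-up integer stands in for it.
SAMPLE_HTTP = (
    '{"ClientASN":13335,"ClientCountry":"us","ClientIP":"10.0.0.8",'
    '"ClientRequestHost":"website.domain1.com","ClientRequestMethod":"GET",'
    '"ClientRequestURI":"website.domain2.com","ClientRequestUserAgent":"Mozilla/5.0",'
    '"EdgeEndTimestamp":"2022-03-04T14:29:10Z","EdgeResponseBytes":1102,'
    '"EdgeResponseStatus":304,"EdgeStartTimestamp":"2022-03-04T14:29:10Z",'
    '"FirewallMatchesActions":["allow"],"FirewallMatchesRuleIDs":["a9w9k110048"],'
    '"FirewallMatchesSources":["firewallRules"],"RayID":"alqddd1114","WAFAction":"unknown"}'
)

# Constructed DNS record: field names from the mapping table, values invented.
SAMPLE_DNS = (
    '{"Datetime":"2022-03-04T14:30:00Z","SourceIP":"10.0.0.9","SourcePort":51234,'
    '"QueryName":"example.com","QueryType":1,"ResolverDecision":"allowedOnNoPolicyMatch",'
    '"RData":[{"data":"93.184.216.34","type":1}]}'
)

# One-to-one subset of the page's mapping table (raw field -> UDM field).
# Where several raw fields feed one UDM field, the first one present wins.
SCALAR_MAP = {
    "RayID": "metadata.product_log_id", "ID": "metadata.product_log_id",
    "RequestID": "metadata.product_log_id",
    "EdgeStartTimestamp": "metadata.event_timestamp", "Datetime": "metadata.event_timestamp",
    "ClientIP": "principal.ip", "SourceIP": "principal.ip", "SrcIP": "principal.ip",
    "ActorIP": "principal.ip",
    "ClientSrcPort": "principal.port", "SourcePort": "principal.port", "SrcPort": "principal.port",
    "ClientCountry": "principal.location.country_or_region",
    "ClientRequestHost": "target.hostname", "HTTPHost": "target.hostname",
    "ClientRequestMethod": "network.http.method", "HTTPMethod": "network.http.method",
    "ClientRequestUserAgent": "network.http.user_agent", "UserAgent": "network.http.user_agent",
    "EdgeResponseBytes": "network.received_bytes",
    "EdgeResponseStatus": "network.http.response_code",
    "DestinationIP": "target.ip", "DstIP": "target.ip",
    "DestinationPort": "target.port", "DstPort": "target.port",
    "QueryName": "network.dns.questions.name", "QueryType": "network.dns.questions.type",
    "ResolverDecision": "security_result.summary",
}

# List-valued firewall fields from the table; one value per matched rule.
LIST_MAP = (
    ("FirewallMatchesActions", "security_result.action"),
    ("FirewallMatchesRuleIDs", "security_result.rule_id"),
    ("FirewallMatchesSources", "security_result.rule_type"),
)


def _one_or_many(values):
    """Flatten a single-element list to a scalar, as the sample parsing shows."""
    return values[0] if len(values) == 1 else values


def classify(record):
    """Raw log type and UDM event type per the Product Event Types table.
    The key-presence tests used to tell the types apart are an assumption."""
    if "QueryName" in record:
        return "dns", "NETWORK_DNS"
    if "ActorEmail" in record or "ActorID" in record:
        if "NewValue" in record or "OldValue" in record:
            return "audit", "USER_RESOURCE_UPDATE_CONTENT"
        return "audit", "USER_RESOURCE_ACCESS"
    if "ClientRequestHost" in record or "HTTPHost" in record:
        return "http", "NETWORK_CONNECTION"
    return "other", "NETWORK_CONNECTION"


def normalize_with_report(raw_json):
    """Return (udm, unmapped): the flattened UDM view of one Logpush record and
    the sorted raw field names that produced no UDM value."""
    record = json.loads(raw_json)
    consumed = set()
    _, event_type = classify(record)
    udm = {"metadata.event_type": event_type, "metadata.product_name": "Cloudflare",
           "observer.hostname": "CLOUDFLARE"}
    for src, dst in SCALAR_MAP.items():
        if src in record:
            udm.setdefault(dst, record[src])
            consumed.add(src)
    # target.url: the page's sample parsing shows host and URI concatenated as-is.
    if "ClientRequestHost" in record and "ClientRequestURI" in record:
        udm["target.url"] = record["ClientRequestHost"] + record["ClientRequestURI"]
        consumed.add("ClientRequestURI")
    for src, dst in LIST_MAP:
        if src in record:
            values = [v.upper() if dst == "security_result.action" else v for v in record[src]]
            udm[dst] = _one_or_many(values)
            consumed.add(src)
    if "WAFAction" in record:  # carried as a key/value label, as in the sample parsing
        udm["security_result.about.labels"] = [{"key": "WAF Action", "value": record["WAFAction"]}]
        consumed.add("WAFAction")
    answers = record.get("RData")  # RData.data / RData.type: list of answers or one object
    if answers is not None:
        answers = answers if isinstance(answers, list) else [answers]
        udm["network.dns.answers.data"] = _one_or_many([a.get("data") for a in answers])
        udm["network.dns.answers.type"] = _one_or_many([a.get("type") for a in answers])
        consumed.add("RData")
    return udm, sorted(k for k in record if k not in consumed)


def normalize(raw_json):
    return normalize_with_report(raw_json)[0]


def field_coverage(raw_json):
    """Fraction of raw fields that produced a UDM value for this one record."""
    _, unmapped = normalize_with_report(raw_json)
    total = len(json.loads(raw_json))
    return (total - len(unmapped)) / total if total else 0.0


if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_DNS):
        udm, unmapped = normalize_with_report(sample)
        print(json.dumps(udm, indent=2), "unmapped:", unmapped)
```

Running the block prints the flattened UDM view of both records; for the HTTP record the two fields the table does not cover, `ClientASN` and `EdgeEndTimestamp`, are reported as unmapped, which is the per-record view of the coverage a normalization rate summarises.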