Cloudflare¶
About¶
Cloudflare secures and ensures the reliability of external-facing resources such as websites, APIs, and applications. It protects internal resources such as behind-the-firewall applications, teams, and devices. It can be a platform for developing globally-scalable applications.
Product Details¶
Vendor URL: Cloudflare
Product Type: SaaS
Product Tier: Tier III
Integration Method: Custom
Log Guide: Cloudflare Logpush
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: CLOUDFLARE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| AccountID | target.resource.id |
| Action | security_result.action |
| ActionResult | security_result.action |
| ActionType | security_result.description |
| ActorEmail | principal.user.email_addresses |
| ActorID | principal.user.product_object_id |
| ActorIP | principal.ip |
| BlockedFileHash | target.file.md5 |
| BlockedFileHash | target.file.sha1 |
| BlockedFileHash | target.file.sha256 |
| BlockedFileName | security_result.about.file.full_path |
| BlockedFileReason | security_result.summary |
| BlockedFileSize | target.file.size |
| BotScore | security_result.risk_score |
| ClientCountry | principal.location.country_or_region |
| ClientIP | principal.ip |
| ClientDeviceType | src.asset.type |
| ClientRequestBytes | network.sent_bytes |
| ClientRequestHost | target.hostname |
| ClientRequestHost | target.url |
| ClientRequestMethod | network.http.method |
| ClientRequestPath | security_result.about.labels.value |
| ClientRequestProtocol | network.application_protocol |
| ClientRequestReferer | network.http.referral_url |
| ClientRequestURI | target.url |
| ClientRequestUserAgent | network.http.user_agent |
| ClientSrcPort | principal.port |
| Datetime | metadata.event_timestamp |
| DestinationIP | target.ip |
| DestinationPort | target.port |
| DeviceID | principal.asset_id |
| DownloadFileNames | security_result.about.labels.value |
| DstIP | target.ip |
| DstPort | target.port |
| EdgeResponseBytes | network.received_bytes |
| EdgeResponseStatus | network.http.response_code |
| EdgeServerIP | target.ip |
| EdgeStartTimestamp | metadata.event_timestamp |
| principal.user.email_addresses | |
| FirewallMatchesActions | security_result.action |
| FirewallMatchesRuleIDs | security_result.rule_id |
| FirewallMatchesSources | security_result.rule_type |
| HTTPHost | target.hostname |
| HTTPMethod | network.http.method |
| HTTPVersion | network.application_protocol |
| ID | metadata.product_log_id |
| IsIsolated | security_result.about.labels.value |
| Location | principal.location.name |
| Metadata | security_result.about.labels.value |
| NewValue | security_result.about.labels.value |
| OldValue | security_result.about.labels.value |
| OwnerID | target.user.product_object_id |
| Policy | security_result.rule_name |
| PolicyID | security_result.rule_id |
| Protocol | network.application_protocol |
| QueryCategoryIDs | security_result.about.labels.value |
| QueryName | network.dns.questions.name |
| QueryNameReversed | network.dns.questions.name |
| QuerySize | network.sent_bytes |
| QueryType | network.dns.questions.type |
| RayID | metadata.product_log_id |
| RData.data | network.dns.answers.data |
| RData.type | network.dns.answers.type |
| Referer | network.http.referral_url |
| RequestID | metadata.product_log_id |
| ResolverDecision | security_result.summary |
| ResourceID | target.resource.id |
| ResourceType | target.resource.resource_subtype |
| SecurityLevel | security_result.severity |
| SourceIP | principal.ip |
| SourcePort | principal.port |
| SrcIP | principal.ip |
| SrcPort | principal.port |
| UploadedFileNames | security_result.about.labels.value |
| URL | target.url |
| UserAgent | network.http.user_agent |
| UserID | principal.user.product_object_id |
| WAFAction | security_result.about.labels.value |
| WAFRuleMessage | security_result.rule_name |
| ZoneID | security_result.about.labels.value |
| ZoneName | security_result.about.labels.value |
Product Event Types¶
| raw log type | UDM Event Type |
|---|---|
| all others | NETWORK_CONNECTION |
| audit | USER_RESOURCE_ACCESS |
| audit | USER_RESOURCE_UPDATE_CONTENT |
| dns | NETWORK_DNS |
| http | NETWORK_CONNECTION |
Log Sample¶
{"ClientASN":asn,"ClientCountry":"us","ClientIP":"10.0.0.8","ClientRequestHost":"website.domain1.com","ClientRequestMethod":"GET","ClientRequestURI":"website.domain2.com","ClientRequestUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36","EdgeEndTimestamp":"2022-03-04T14:29:10Z","EdgeResponseBytes":1102,"EdgeResponseStatus":304,"EdgeStartTimestamp":"2022-03-04T14:29:10Z","FirewallMatchesActions":["allow"],"FirewallMatchesRuleIDs":["a9w9k110048"],"FirewallMatchesSources":["firewallRules"],"RayID":"alqddd1114","WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":""}
Sample Parsing¶
metadata.product_log_id = "alqddd1114"
metadata.event_timestamp = "2022-03-04T14:29:10Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_name = "Cloudflare"
metadata.ingested_timestamp = "2022-03-04T14:39:29.926402Z"
principal.ip = "10.0.0.8"
principal.location.country_or_region = "us"
principal.asset.ip = "10.0.0.8"
target.hostname = "website.domain1.com"
target.url = "website.domain1.comwebsite.domain2.com"
target.asset.hostname = "virtual-coach"
observer.hostname = "CLOUDFLARE"
security_result.about.labels.key = "WAF Action"
security_result.about.labels.value = "unknown"
security_result.action = "ALLOW"
security_result.rule_id = "a9w9k110048"
security_result.rule_type = "firewallRules"
network.received_bytes = 1102
network.http.method = "GET"
network.http.user_agent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36"
network.http.response_code = 304
Rules¶
Coming soon