Cloudflare¶
About¶
Cloudflare secures and ensures the reliability of external-facing resources such as websites, APIs, and applications. It protects internal resources such as behind-the-firewall applications, teams, and devices. It can be a platform for developing globally-scalable applications.
Product Details¶
Vendor URL: Cloudflare
Product Type: SaaS
Product Tier: Tier III
Integration Method: Custom
Log Guide: Cloudflare Logs
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: CLOUDFLARE_AUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| ActionResult | security_result.action |
| ActionType | security_result.description |
| ActorID | principal.user.product_object_id |
| ActorIP | principal.ip |
| ActorType | additional.fields |
| ActorEmail | principal.user.email_addresses |
| ID | metadata.product_log_id |
| Interface | additional.fields |
| Metadata | security_result.about.labels.value |
| Metainfo.Request | security_result.detection_fields |
| Metainfo.user_email | principal.user.email_addresses |
| Metainfo.user_id | principal.user.user_id |
| Metainfo.user_tag | principal.user.product_object_id |
| Metainfo.zone_name | principal.hostname |
| NewValue | security_result.about.labels.value |
| OldValue | security_result.about.labels.value |
| OwnerID | target.user.product_object_id |
| ResourceID | target.resource.id |
| ResourceType | target.resource.resource_subtype |
Product Event Types¶
| raw log type | UDM Event Type |
|---|---|
| Resrouce Data Present | USER_RESOURCE_UPDATE_CONTENT |
| ActorEmail or ActorIP Present | USER_RESOURCE_ACCESS |
| All Metainfo Data Present | USER_UNCATEGORIZED |
| all others | GENERIC_EVENT |
Log Sample¶
{
"ActionResult": true,
"ActionType": "cloudflare_login",
"ActorEmail": "",
"ActorIP": "abcd:abcd:abcd:abcd::22d:c5",
"ActorType": "admin",
"ID": "12345678-abcd-abcd-abcd-abcdabcdab5a",
"Interface": "",
"Metadata": {
"actual_user": {
"user_email": "user@example.com",
"user_id": "2241234563123",
"user_tag": "7229ef7ab7ade8c7edc3b0ab6"
},
"authorization": {
"contact": null,
"description": null,
"reason": null,
"type": null
},
"type": "readonly"
},
"NewValue": {},
"OldValue": {},
"OwnerID": "d5112345678901234567890abcdefd74",
"ResourceID": "712345678901234567890abcdefb0ab6",
"ResourceType": "user",
"When": 1614502168000000000
}
Sample Parsing¶
metadata.product_log_id: "12345678-abcd-abcd-abcd-abcdabcdab5a"
metadata.event_type: USER_RESOURCE_ACCESS
metadata.vendor_name: "Cloudflare"
metadata.product_name: "Cloudflare Audit"
additional.fields["ActorType"]: "admin"
principal.user.product_object_id: "7229ef7ab7ade8c7edc3b0ab6"
principal.user.userid: "2241234563123"
principal.user.email_addresses: "user@example.com"
principal.ip: "abcd:abcd:abcd:abcd::22d:c5"
target.resource.resource_subtype: "user"
target.resource.id: "712345678901234567890abcdefb0ab6"
target.resource.product_object_id: "712345678901234567890abcdefb0ab6"
security_result.about.labels["Metadata"]: "{ \"actual_user\": { \"user_email\": \"user@example.com\", \"user_id\": \"2241234563123\", \"user_tag\": \"7229ef7ab7ade8c7edc3b0ab6\" }, \"authorization\": { \"contact\": null, \"description\": null, \"reason\": null, \"type\": null }, \"type\": \"readonly\" }"
security_result.detection_fields["metainfo type"]: "readonly"
security_result.description: "cloudflare_login"
security_result.action: ALLOW
Rules¶
Coming soon