Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Cloudflare HTTP | ✅ | ✅ | cloudflare_http | NDJSON | S3 | ||
Cloudflare Firewall | ✅ | cloudflare_firewall | NDJSON | S3 | |||
Cloudflare DNS | ✅ | ✅ | cloudflare_dns | NDJSON | S3 | ||
Cloudflare Spectrum | ✅ | cloudflare_spectrum | NDJSON | S3 | |||
Cloudflare Access Requests | ✅ | cloudflare_access_requests | NDJSON | S3 | |||
Cloudflare Audit Logs | ✅ | cloudflare_audit_logs | NDJSON | S3 | |||
Cloudflare Gateway HTTP Requests | ✅ | ✅ | cloudflare_gateway_http | NDJSON | S3 | ||
Cloudflare Zero Trust Network Sessions | ✅ | ✅ | cloudflare_zero_trust_network_sessions | NDJSON | S3 |
Overview
Cloudflare acts as an intermediary between a client and a server, using a reverse proxy to mirror and cache websites. By storing web content for delivery on the closest edge server, it is able to optimize loading times. That also allows it to modify content, such as images and rich text, for better performance.
This data source is used in the Hunters Pipeline for detection and investigation of the logged activity in the organization's network.
Supported data types
Cloudflare HTTP
Table name: cloudflare_http
Cloudflare's HTTP logs, also known as web traffic logs, are detailed records of all HTTP(S) requests processed by Cloudflare's network for a website or application. These logs are crucial for website owners and developers for several reasons, including security analysis, performance optimization, troubleshooting, and compliance reporting. Cloudflare, as a global content delivery network (CDN) and security company, provides these logs as part of its services to help users understand and manage their web traffic more effectively.
Learn more here.
Cloudflare Firewall
Table name: cloudflare_firewall
Cloudflare Firewall logs provide detailed insights into the security events related to web traffic that Cloudflare's suite of security tools handles. These logs are a critical component of Cloudflare's offerings, particularly for users looking to secure their websites, applications, and APIs against malicious activities and threats. Cloudflare's firewall encompasses several security features, including the Web Application Firewall (WAF), DDoS protection, rate limiting, and access rules, among others. The logs generated by these tools are invaluable for understanding threat patterns, auditing security policies, and troubleshooting security-related issues.
Learn more here.
Cloudflare DNS
Table name: cloudflare_dns
Cloudflare's DNS logs pertain to the detailed records of DNS queries and responses handled by Cloudflare's network. As a leading internet performance and security company, Cloudflare offers DNS services that are integral to its suite of products designed to enhance the speed, reliability, and security of websites and internet services. These logs are critical for understanding DNS traffic patterns, identifying potential security threats, and troubleshooting DNS-related issues.
Learn more here.
Cloudflare Spectrum
Table name: cloudflare_spectrum
Cloudflare Spectrum logs provide detailed insights into the traffic that Spectrum protects and accelerates. These logs are essential for monitoring, security analysis, and troubleshooting of non-web applications.
Learn more here.
Cloudflare Access Requests
Table name: cloudflare_access_requests
Cloudflare Access Requests logs capture authentication and authorization events for applications protected by Cloudflare Access. These logs include details such as user identity, access method, request timestamps, and policy decisions (granted or denied). They help organizations monitor access attempts, enforce security policies, and audit user activity for compliance.
Cloudflare Audit Logs
Table name: cloudflare_audit_logs
Cloudflare Audit Logs record administrative actions taken within a Cloudflare account, including configuration changes, user management updates, and security policy modifications. These logs provide visibility into who made changes, what actions were performed, and when they occurred, helping organizations track activity, enforce compliance, and investigate security incidents.
Cloudflare Gateway HTTP Requests
Table name: cloudflare_gateway_http
Cloudflare Gateway HTTP Requests logs capture detailed information about web traffic passing through Cloudflare’s secure web gateway. These logs include request URLs, methods, response codes, user identities, threat detections, and policy enforcement actions. They help organizations monitor and control web access, detect malicious activity, and enforce security policies.
Cloudflare Zero Trust Network Sessions
Table name: cloudflare_zero_trust_network_sessions
Cloudflare Zero Trust Network Sessions provide secure, identity-aware access to internal applications and services without relying on traditional VPNs. Each session is tightly scoped and authenticated using user identity, device posture, and contextual policies, ensuring that only authorized users and devices can access specific resources. By enforcing granular controls and logging every session, Cloudflare strengthens security, reduces the attack surface, and improves visibility across your network environment.
Send data to Hunters
Hunters supports the ingestion of Cloudflare logs via an intermediary AWS S3 bucket.
To connect Cloudflare logs:
Export your logs from Cloudflare to an AWS S3 bucket by following this guide.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Data should be collected in NDJSON format. When prompted by Cloudflare to choose the field names to be exported, please choose to export all fields to the bucket. If there is a storage restriction, make sure that the following groups of fields are exported (all columns within each of these groups):
Client, ClientRequest, Edge, Firewall, Origin, OriginResponse, WAF
Note that supplying only a partial subset of the columns might result in content not being fully deployed in your environment.
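The following is an added example (not part of the Hunters documentation or Cloudflare's tooling) of a pre-ingestion check for an exported NDJSON file: it parses each line as one JSON record, maps field names to the groups listed above by longest matching name prefix (an assumption about Cloudflare's naming convention, since the page lists groups rather than field names), and reports records that lack a required group or that are not a single well-formed JSON object. The sample NDJSON is constructed for the example.

```python
import json

# Field-group names the page requires when a full export is not possible.
REQUIRED_GROUPS = ("Client", "ClientRequest", "Edge", "Firewall", "Origin", "OriginResponse", "WAF")

# Constructed sample: a field-complete record, one missing the WAF group, and a truncated line.
SAMPLE_NDJSON = """\
{"ClientIP":"203.0.113.7","ClientRequestHost":"example.com","EdgeResponseStatus":200,"FirewallMatchesActions":[],"OriginIP":"198.51.100.9","OriginResponseStatus":200,"WAFAction":"unknown"}
{"ClientIP":"203.0.113.8","ClientRequestHost":"example.com","EdgeResponseStatus":504,"FirewallMatchesActions":[],"OriginIP":"198.51.100.9","OriginResponseStatus":504}
{"ClientIP":"203.0.113.9","Client
"""


def group_of(field):
    """Map a field name to the longest matching group prefix (assumed convention).
    Longest prefix wins, so ClientRequestHost -> ClientRequest (not Client) and
    OriginResponseStatus -> OriginResponse (not Origin). Returns None if no group matches."""
    matches = [g for g in REQUIRED_GROUPS if field.startswith(g)]
    return max(matches, key=len) if matches else None


def check_export(ndjson_text):
    """Validate NDJSON line by line.
    Returns (missing_by_line, bad_lines): {line_no: [missing groups]} for records
    lacking a required group, and the line numbers that are not one JSON object
    (for example a record split across lines or cut off mid-write)."""
    missing_by_line = {}
    bad_lines = []
    for line_no, raw in enumerate(ndjson_text.splitlines(), start=1):
        if not raw.strip():
            continue  # tolerate blank lines between records
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            bad_lines.append(line_no)
            continue
        if not isinstance(record, dict):
            bad_lines.append(line_no)
            continue
        present = {group_of(key) for key in record}
        missing = [g for g in REQUIRED_GROUPS if g not in present]
        if missing:
            missing_by_line[line_no] = missing
    return missing_by_line, bad_lines


if __name__ == "__main__":
    missing, bad = check_export(SAMPLE_NDJSON)
    for n, groups in missing.items():
        print(f"line {n}: missing field groups {groups}")
    for n in bad:
        print(f"line {n}: not a single JSON object (split or truncated record?)")
```

Run it over a downloaded export object before enabling collection; any reported line means the export is either partial (re-check the selected fields) or not one-record-per-line NDJSON.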
Cloudflare HTTP example
{"ClientIP":"1.1.1.1","ClientRequestHost":"url.com:7634","ClientRequestMethod":"GET","ClientRequestURI":"String","EdgeEndTimestamp":"2021-12-15T15:34:52Z","EdgeResponseBytes":3792,"EdgeResponseStatus":504,"EdgeStartTimestamp":"2021-12-15T15:33:51Z","RayID":"469a0877e07db07","BotTags":[],"CacheCacheStatus":"unknown","CacheResponseBytes":7325,"CacheResponseStatus":504,"CacheTieredFill":false,"ClientASN":5682,"ClientCountry":"","ClientDeviceType":"desktop","ClientIPClass":"noRecord","ClientMTLSAuthCertFingerprint":"","ClientMTLSAuthStatus":"unknown","ClientRequestBytes":3805,"ClientRequestPath":"String","ClientRequestProtocol":"HTTP/1.1","ClientRequestReferer":"https://www.X.com/","ClientRequestScheme":"https","ClientRequestSource":"String","ClientRequestUserAgent":"Mozilla/5.0(Macintosh;IntelMacOSX10_15_7)AppleWebKit/984.25(KHTML,likeGecko)Chrome/98.0.4589.32Safari/234.54","ClientSSLCipher":"BDEA-BA34ED-FKE","ClientSSLProtocol":"TLSv1.3","ClientSrcPort":568302,"ClientTCPRTTMs":89,"ClientXRequestedWith":"","EdgeCFConnectingO2O":false,"EdgeColoCode":"String","EdgeColoID":45,"EdgePathingOp":"wl","EdgePathingSrc":"macro","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"url.com:7634","EdgeResponseBodyBytes":5537,"EdgeResponseCompressionRatio":1,"EdgeResponseContentType":"text/html","EdgeServerIP":"1.1.1.1","EdgeTimeToFirstByteMs":60193,"FirewallMatchesActions":[],"FirewallMatchesRuleIDs":[],"FirewallMatchesSources":[],"OriginDNSResponseTimeMs":2,"OriginIP":"1.1.1.2","OriginRequestHeaderSendDurationMs":0,"OriginResponseBytes":0,"OriginResponseDurationMs":47911,"OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseHeaderReceiveDurationMs":60026,"OriginResponseStatus":504,"OriginResponseTime":47911000000,"OriginSSLProtocol":"TLSv1.2","OriginTCPHandshakeDurationMs":32,"OriginTLSHandshakeDurationMs":56,"ParentRayID":"00","SecurityLevel":"med","SmartRouteColoID":0,"UpperTierColoID":0,"WAFAction":"unknown","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"unknown","WAFRuleID":"","WAFRuleMessage":"","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":3601763,"ZoneName":"String"}
Cloudflare Firewall example
{"Action":"log","ClientASN":701,"ClientASNDescription":"UUNET","ClientCountry":"us","ClientIP":"174.64.104.224","ClientIPClass":"noRecord","ClientRefererHost":"","ClientRefererPath":"","ClientRefererQuery":"","ClientRefererScheme":"","ClientRequestHost":"www.<client>.com","ClientRequestMethod":"POST","ClientRequestPath":"/autodiscover/autodiscover.xml","ClientRequestProtocol":"HTTP/1.1","ClientRequestQuery":"","ClientRequestScheme":"https","ClientRequestUserAgent":"MicrosoftOffice/16.0(WindowsNT10.0;MicrosoftOutlook16.0.12345;Pro)","Datetime":"2022-04-11T16:23:45Z","EdgeColoCode":"EWR","EdgeResponseStatus":404,"Kind":"firewall","MatchIndex":0,"Metadata":{"filter":"c6d604cb89143be0a43cefa6fa354e8c","type":"customer"},"OriginResponseStatus":404,"OriginatorRayID":"00","RayID":"6ea82953cc945c81","RuleID":"249936d33e9c4bf6918f2e75f12f3c46","Source":"firewallrules"}
Cloudflare DNS example
{"ColoCode":"ATL","EDNSSubnet":"","EDNSSubnetLength":0,"QueryName":"www.<costumer>.com","QueryType":65535,"ResponseCached":false,"ResponseCode":0,"SourceIP":"127.0.0.1","Timestamp":"2022-04-11T23:59:50Z"}
Cloudflare Spectrum example
{"Application": "112233abb44c5e66778c99001efeed22", "ClientAsn": 12345, "ClientBytes": 0, "ClientCountry": "us", "ClientIP": "1.123.123.12", "ClientMatchedIpFirewall": "ALLOW", "ClientPort": 11223, "ClientProto": "tcp", "ColoCode": "ORD", "ConnectTimestamp": 1676589297769000000, "DisconnectTimestamp": 0, "Event": "connect", "OriginBytes": 0, "OriginIP": "::ffff:11.222.333.44", "OriginPort": 11, "OriginProto": "tcp", "Status": 0, "Timestamp": 1676589297000000000}
Cloudflare Access Requests example
{"Action":"warpEnrollment","Allowed":true,"AppDomain":"secure.exampleaccess.com/warp","AppUUID":"a1b2c3d4-e5f6-7890-gh12-34ijklmnopqr","Connection":"saml","Country":"us","CreatedAt":"2024-11-08T16:01:11Z","Email":"user.name@example.com","IPAddress":"192.0.2.123","PurposeJustificationPrompt":"","PurposeJustificationResponse":"","RayID":"abcd1234efgh5678","TemporaryAccessApprovers":[],"TemporaryAccessDuration":0,"UserUID":"z9y8x7w6-v5u4-3210-abcd-efghijklmnop"}
Cloudflare Audit Logs example
{"ActionResult":true,"ActionType":"gateway_update","ActorEmail":"user.example@domain.com","ActorID":"9a8b7c6d5e4f3g2h1i0j","ActorIP":"2001:db8:85a3::8a2e:370:7334","ActorType":"user","ID":"f1e2d3c4-b5a6-7890-1234-56789abcdef0","Interface":"UI","Metadata":{"account_id":"a1b2c3d4e5f6g7h8i9j0","actor_email":"admin.user@domain.com"},"NewValue":{"id":"z9y8x7w6-v5u4-3210-abcd-efghijklmnop","name":"net-block-malicious","description":"Blocks known malicious IPs and suspicious traffic","precedence":900,"enabled":true,"action":"block","filters":["l4"],"created_at":"2024-06-15T14:22:10Z","updated_at":"2025-01-05T10:45:30Z","deleted_at":null,"conditions":[{"id":"abcd1234-5678-9ef0-ghij-klmnopqrstuv","type":"traffic","expression":{"or":[{"in":{"lhs":"net.dst.ip","rhs":"$iplist-known-threats"}},{"in":{"lhs":"net.dst.ip","rhs":"$iplist-suspicious"}}]},"created_at":"2025-01-05T10:45:30Z","updated_at":"2025-01-05T10:45:30Z","deleted_at":null}],"traffic":"net.dst.ip in $iplist-known-threats or net.dst.ip in $iplist-suspicious","device_posture":"not(any(device_posture.checks.passed[*] == \"security-check-12345\"))","version":2,"rule_settings":{"block_page_enabled":true,"block_reason":"Suspicious network activity detected.","notification_settings":{"enabled":true,"msg":"Network request blocked due to security policies.","support_url":"https://support.example.com/security-alerts"}}},"OldValue":{"id":"z9y8x7w6-v5u4-3210-abcd-efghijklmnop","name":"net-block-malicious","description":"Blocks known malicious IPs","precedence":850,"enabled":true,"action":"block","filters":["l4"],"created_at":"2024-06-15T14:22:10Z","updated_at":"2024-12-30T09:18:45Z","deleted_at":null},"OwnerID":"p1q2r3s4t5u6v7w8x9y0","ResourceID":"z9y8x7w6-v5u4-3210-abcd-efghijklmnop","ResourceType":"gateway.rule","When":"2025-01-05T10:45:30Z"}
Cloudflare Gateway HTTP Requests example
{"AccountID":"a1b2c3d4e5f67890g123456789abcd","Action":"allow","BlockedFileHash":"","BlockedFileName":"","BlockedFileReason":"unknown","BlockedFileSize":0,"Datetime":"2024-05-28T07:13:04Z","DestinationIP":"2001:db8:abcd:4002::1a2b","DestinationPort":443,"DeviceID":"x9y8z7w6-v5u4-3210-bcde-fghijklmnopqr","DeviceName":"WORKSTATION-L-12345ABC","DownloadedFileNames":["<unknown file name>"],"Email":"user.name@example.com","FileInfo":{"files":[{"direction":"download","file_name":"<unknown file name>","file_size":0,"content_type":"text/html","action":"allow"}]},"HTTPHost":"example-host.com","HTTPMethod":"OPTIONS","HTTPStatusCode":200,"HTTPVersion":"HTTP/2","IsIsolated":false,"PolicyID":"123abc456-def7-890g-123h456ijklm","PolicyName":"allow-categories","Referer":"https://drive.example.com/","RequestID":"abcd1234efgh5678ijkl9012mnop3456","SessionID":"mnop3456ijkl9012efgh5678abcd1234","SourceInternalIP":"","SourceIP":"192.0.2.123","SourcePort":54321,"UntrustedCertificateAction":"none","UploadedFileNames":[],"URL":"https://example.com/sample_page","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","UserID":"zyxw9876-v5u4-3210-abcd-efghijklmnop"}
Cloudflare Zero Trust Network Sessions example
{"AccountID":"REDACTED_ACCOUNT_ID","BytesReceived":4651,"BytesSent":7848,"ClientTCPHandshakeDurationMs":81,"ClientTLSCipher":"","ClientTLSHandshakeDurationMs":0,"ClientTLSVersion":"none","ConnectionCloseReason":"CLIENT_CLOSED","ConnectionReuse":false,"DestinationTunnelID":"00000000-0000-0000-0000-000000000000","DeviceID":"REDACTED_DEVICE_ID","DeviceName":"REDACTED_DEVICE_NAME","EgressColoName":"IND","EgressIP":"xxx.xxx.xxx.xxx","EgressPort":12345,"EgressRuleID":"00000000-0000-0000-0000-000000000000","EgressRuleName":"","Email":"user@redacted.com","IngressColoName":"MIA","Offramp":"INTERNET","OriginIP":"xxx.xxx.xxx.xxx","OriginPort":443,"OriginTLSCertificateIssuer":"","OriginTLSCertificateValidationResult":"NONE","OriginTLSCipher":"","OriginTLSHandshakeDurationMs":0,"OriginTLSVersion":"none","Protocol":"TCP","RuleEvaluationDurationMs":4,"SessionEndTime":"2024-06-30T23:21:45Z","SessionID":"REDACTED_SESSION_ID","SessionStartTime":"2024-06-30T23:21:45Z","SourceInternalIP":"","SourceIP":"xxx.xxx.xxx.xxx","SourcePort":12345,"UserID":"REDACTED_USER_ID","VirtualNetworkID":"REDACTED_VNET_ID"}