This page explains how to integrate your CloudFlare HTTP data source with Hunters. The table holds information about HTTP requests and responses observed by CloudFlare. For more information on the data schema see here.

This data source is used in the Hunters Pipeline for detection and investigation related to HTTP requests to relevant appliances in the organization's network.

Sending Data to Hunters

The CloudFlare HTTP data should be shipped to an S3 bucket shared with Hunters, following this guide.

Data should be pushed in NDJSON format (one JSON object per line). When choosing which fields to export, it is recommended to export all fields to the bucket. If there is a storage restriction, make sure at least the following groups of fields are exported (all columns within each group):

  1. Client

  2. ClientRequest

  3. Edge

  4. Firewall

  5. Origin

  6. OriginResponse

  7. WAF

Do note that supplying a partial subset of the columns might result in content not being fully deployed in your environment.

Once data is being shipped to the bucket in the correct format, the bucket details should be shared with Hunters for completing the integration.
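Before sharing the bucket, it is worth checking that what lands in it is really one JSON object per line and that each record carries columns from every required group, since a partial export is the failure mode the note above warns about. The following validator is an added example, not Hunters' or CloudFlare's code; the group-membership rule (longest matching name prefix) and the sample lines are assumptions constructed for illustration.

```python
import json

# Required column groups; a field belongs to the longest group name prefixing it
# (assumed rule, e.g. ClientRequestHost -> ClientRequest, OriginIP -> Origin).
REQUIRED_GROUPS = ("Client", "ClientRequest", "Edge", "Firewall", "Origin", "OriginResponse", "WAF")

def group_of(field):
    """Return the required group a field name belongs to, or None (e.g. RayID)."""
    matches = [g for g in REQUIRED_GROUPS if field.startswith(g)]
    return max(matches, key=len) if matches else None

def missing_groups(record):
    """Return the set of required groups that have no column in this record."""
    return set(REQUIRED_GROUPS) - {group_of(k) for k in record}

def validate_ndjson(text):
    """Check NDJSON text line by line: every non-empty line must be one JSON object
    carrying at least one column from each required group. Returns (good, problems)."""
    good, problems = 0, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError as err:
            problems.append((lineno, f"invalid JSON: {err.msg}"))
            continue
        if not isinstance(record, dict):
            problems.append((lineno, "line is not a JSON object"))
            continue
        missing = missing_groups(record)
        if missing:
            problems.append((lineno, "missing field groups: " + ", ".join(sorted(missing))))
        else:
            good += 1
    return good, problems

# Constructed sample (documentation-range IPs): complete record, partial export, truncated line.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"ClientIP": "203.0.113.10", "ClientRequestHost": "url.com:7634",
                "EdgeResponseStatus": 504, "FirewallMatchesActions": [],
                "OriginIP": "198.51.100.7", "OriginResponseStatus": 504,
                "WAFAction": "unknown", "RayID": "469a0877e07db07"}),
    json.dumps({"ClientRequestHost": "url.com:7634", "EdgeResponseStatus": 200}),
    '{"ClientIP": "203.0.113.10",',
])

if __name__ == "__main__":
    for lineno, problem in validate_ndjson(SAMPLE_NDJSON)[1]:
        print(f"line {lineno}: {problem}")
```

Run it against a file pulled from the bucket (`validate_ndjson(open(path).read())`) to catch a pretty-printed multi-line export or a trimmed column set before Hunters ingests it.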

An example of a single CloudFlare HTTP record (one NDJSON line, shown expanded here for readability):

    {
      "ClientIP": "",
      "ClientRequestHost": "url.com:7634",
      "ClientRequestMethod": "GET",
      "ClientRequestURI": "String",
      "EdgeEndTimestamp": "2021-12-15T15:34:52Z",
      "EdgeResponseBytes": 3792,
      "EdgeResponseStatus": 504,
      "EdgeStartTimestamp": "2021-12-15T15:33:51Z",
      "RayID": "469a0877e07db07",
      "BotTags": [],
      "CacheCacheStatus": "unknown",
      "CacheResponseBytes": 7325,
      "CacheResponseStatus": 504,
      "CacheTieredFill": false,
      "ClientASN": 5682,
      "ClientCountry": "",
      "ClientDeviceType": "desktop",
      "ClientIPClass": "noRecord",
      "ClientMTLSAuthCertFingerprint": "",
      "ClientMTLSAuthStatus": "unknown",
      "ClientRequestBytes": 3805,
      "ClientRequestPath": "String",
      "ClientRequestProtocol": "HTTP/1.1",
      "ClientRequestReferer": "https://www.X.com/",
      "ClientRequestScheme": "https",
      "ClientRequestSource": "String",
      "ClientRequestUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/984.25 (KHTML, like Gecko) Chrome/98.0.4589.32 Safari/234.54",
      "ClientSSLCipher": "BDEA-BA34ED-FKE",
      "ClientSSLProtocol": "TLSv1.3",
      "ClientSrcPort": 568302,
      "ClientTCPRTTMs": 89,
      "ClientXRequestedWith": "",
      "EdgeCFConnectingO2O": false,
      "EdgeColoCode": "String",
      "EdgeColoID": 45,
      "EdgePathingOp": "wl",
      "EdgePathingSrc": "macro",
      "EdgePathingStatus": "nr",
      "EdgeRateLimitAction": "",
      "EdgeRateLimitID": 0,
      "EdgeRequestHost": "url.com:7634",
      "EdgeResponseBodyBytes": 5537,
      "EdgeResponseCompressionRatio": 1,
      "EdgeResponseContentType": "text/html",
      "EdgeServerIP": "",
      "EdgeTimeToFirstByteMs": 60193,
      "FirewallMatchesActions": [],
      "FirewallMatchesRuleIDs": [],
      "FirewallMatchesSources": [],
      "OriginDNSResponseTimeMs": 2,
      "OriginIP": "",
      "OriginRequestHeaderSendDurationMs": 0,
      "OriginResponseBytes": 0,
      "OriginResponseDurationMs": 47911,
      "OriginResponseHTTPExpires": "",
      "OriginResponseHTTPLastModified": "",
      "OriginResponseHeaderReceiveDurationMs": 60026,
      "OriginResponseStatus": 504,
      "OriginResponseTime": 47911000000,
      "OriginSSLProtocol": "TLSv1.2",
      "OriginTCPHandshakeDurationMs": 32,
      "OriginTLSHandshakeDurationMs": 56,
      "ParentRayID": "00",
      "SecurityLevel": "med",
      "SmartRouteColoID": 0,
      "UpperTierColoID": 0,
      "WAFAction": "unknown",
      "WAFFlags": "0",
      "WAFMatchedVar": "",
      "WAFProfile": "unknown",
      "WAFRuleID": "",
      "WAFRuleMessage": "",
      "WorkerCPUTime": 0,
      "WorkerStatus": "unknown",
      "WorkerSubrequest": false,
      "WorkerSubrequestCount": 0,
      "ZoneID": 3601763,
      "ZoneName": "String"
    }