Collect Cloudflare logs

Overview

This parser handles various Cloudflare log types (DNS, HTTP, Audit, Zero Trust, CASB). It first normalizes common fields and then applies conditional logic based on specific fields like QueryName, Action, and ID to extract and map relevant data to the UDM. It also performs data type conversions, grok matching for IP addresses and hashes, and handles nested JSON payloads.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to Google Cloud IAM.
  • Ensure that you have privileged access to Google Cloud Storage.
  • Ensure that you have privileged access to Cloudflare.

Create a Google Cloud Storage Bucket

  1. Sign in to the Google Cloud console
  2. Go to the Cloud Storage Buckets page.

  3. Click Create.

  4. On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:

    1. In the Get started section, do the following:

      1. Enter a unique name that meets the bucket name requirements (for example, cloudflare-data).
      2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
      3. To add a bucket label, click the expander arrow to expand the Labels section.
      4. Click Add label, and specify a key and a value for your label.
    2. In the Choose where to store your data section, do the following:

      1. Select a Location type.
      2. Use the location type's drop-down to select a Location where object data within your bucket will be permanently stored.
        1. If you select the dual-region location type, you can also choose to enable turbo replication by using the relevant checkbox.
      3. To set up cross-bucket replication, expand the Set up cross-bucket replication section.
    3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.

    4. In the Choose how to control access to objects section, choose whether to enforce public access prevention, and select an access control model for your bucket's objects. Enforcing public access prevention is the safe choice for a log bucket: it only blocks grants to allUsers and allAuthenticatedUsers, so it does not interfere with the Cloudflare service account that writes the logs or the Google SecOps service account that reads them.

    5. In the Choose how to protect object data section, do the following:

      1. Select any of the options under Data protection that you want to set for your bucket.
      2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
  5. Click Create.

Create a Google Cloud Service Account

  1. Go to IAM & Admin > Service Accounts.
  2. Create a new service account.
  3. Give it a descriptive name (for example, cloudflare-logs).
  4. Grant the service account the Storage Object Creator role on the GCS bucket you created in the previous step.
  5. If you need to write to the bucket from your own tooling, create a JSON key for the service account and download the key file. Keep this file secure; it is a long-lived credential. Cloudflare Logpush does not use this key: it writes to the bucket with Cloudflare's own service account, which you authorize in the next section.

Grant Cloudflare Logpush access to the Google Cloud Storage bucket

  1. Go to Storage > Browser > Bucket > Permissions.
  2. Add the member logpush@cloudflare-data.iam.gserviceaccount.com with the Storage Object Admin role. Add this binding on the bucket itself, not on the project, so that Cloudflare's service account can write only to this bucket.

Configure a feed in Google SecOps to ingest Cloudflare logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, Cloudflare Logs).
  4. Select Google Cloud Storage as the Source type.
  5. Select Cloudflare as the Log type.
  6. Click Get Service Account to obtain the Chronicle service account. This account needs read access to the bucket so that the feed can fetch the log files.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Storage Bucket URI: Google Cloud Storage bucket URL in gs://my-bucket/<value> format, where <value> is the path you configure in the Logpush job.
    • URI is a: select Directory which includes subdirectories. This is required when Cloudflare organizes logs into daily subfolders.
    • Source deletion options: select the deletion option according to your preference.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Configure Cloudflare to send logs to Google Cloud Storage

  1. Sign in to the Cloudflare dashboard.
  2. Select the Enterprise account or domain (also known as zone) you want to use with Logpush.
  3. Go to Analytics & Logs > Logpush.
  4. Select Create a Logpush job.
  5. In Select a destination, select Google Cloud Storage.
  6. Enter or select the following destination details:

    • Bucket: GCS bucket name
    • Path: the folder inside the bucket where Cloudflare writes the logs. The Storage Bucket URI of the Google SecOps feed must point at this bucket and path.
    • Checkbox: Organize logs into daily subfolders (recommended)
  7. Click Continue.

  8. Ownership verification:

    1. Cloudflare writes an ownership challenge file to your bucket. If the file does not appear, check the Storage Object Admin binding for logpush@cloudflare-data.iam.gserviceaccount.com on the bucket.
    2. Copy and paste the token:
      1. Sign in to Google Cloud console > Storage > Cloudflare bucket.
      2. Open the ownership challenge file.
      3. Copy the Ownership Token.
      4. Enter the ownership token in the Cloudflare console.
      5. Select Continue.
  9. Select the dataset to push to the bucket.
  10. Configure the Logpush job:

    1. Enter the Job name.
    2. Under If logs match, you can select the events to include and/or remove from your logs.
    3. Under Send the following fields, select whether to push all fields or choose the fields you want to push.
  11. Select Submit to finalize the configuration.

UDM Mapping Table

Log Field UDM Mapping Logic
AccountID target.resource.id, target.resource.product_object_id The account ID associated with the event.
Action security_result.action Action taken based on the event. allow or allowed* results in ALLOW. unknown results in UNKNOWN_ACTION. Other values result in BLOCK. For Access logs, login maps to USER_LOGIN, logout to USER_LOGOUT, and other values to USER_RESOURCE_ACCESS if an email is present.
ActionResult security_result.action If true, maps to ALLOW. If false, maps to BLOCK. Otherwise, maps to UNKNOWN_ACTION.
ActionType security_result.description Description of the action performed.
ActorEmail principal.user.email_addresses Email address of the actor initiating the event.
ActorID principal.user.product_object_id ID of the actor initiating the event.
ActorIP principal.ip, principal.asset.ip IP address of the actor initiating the event.
Allowed security_result.action If true, maps to ALLOW. Otherwise, maps to BLOCK.
AppDomain target.administrative_domain Domain of the application involved in the event.
AppUUID target.resource.product_object_id UUID of the application involved in the event.
AssetDisplayName principal.asset.attribute.labels.value where key is AssetDisplayName Display name of the asset.
AssetExternalID principal.asset_id (prefixed with "Cloudflare:") External ID of the asset.
AssetLink principal.url Link associated with the asset.
AssetMetadata.agreedToTerms principal.user.attribute.labels.value where key is agreedToTerms Whether the user agreed to terms.
AssetMetadata.changePasswordAtNextLogin principal.user.attribute.labels.value where key is changePasswordAtNextLogin Whether the user needs to change password at next login.
AssetMetadata.clientId principal.user.userid Client ID from asset metadata.
AssetMetadata.customerId principal.user.userid Customer ID from asset metadata.
AssetMetadata.familyName principal.user.last_name Family name of the user from asset metadata.
AssetMetadata.givenName principal.user.first_name Given name of the user from asset metadata.
AssetMetadata.includeInGlobalAddressList principal.user.attribute.labels.value where key is includeInGlobalAddressList Whether the user is included in the global address list.
AssetMetadata.ipWhitelisted principal.user.attribute.labels.value where key is ipWhitelisted Whether the user is IP whitelisted.
AssetMetadata.isAdmin principal.user.attribute.labels.value where key is isAdmin Whether the user is an admin.
AssetMetadata.isDelegatedAdmin principal.user.attribute.labels.value where key is isDelegatedAdmin Whether the user is a delegated admin.
AssetMetadata.isEnforcedIn2Sv principal.user.attribute.labels.value where key is isEnforcedIn2Sv Whether 2SV is enforced for the user.
AssetMetadata.isEnrolledIn2Sv principal.user.attribute.labels.value where key is isEnrolledIn2Sv Whether the user is enrolled in 2SV.
AssetMetadata.kind (Not mapped) Not mapped to the IDM object.
AssetMetadata.lastLoginTime principal.user.attribute.labels.value where key is lastLoginTime Last login time of the user.
AssetMetadata.login principal.user.userid Login name from asset metadata.
AssetMetadata.name.familyName principal.user.last_name Family name from asset metadata.
AssetMetadata.name.fullName principal.user.user_display_name Full name from asset metadata.
AssetMetadata.name.givenName principal.user.first_name Given name from asset metadata.
AssetMetadata.nativeApp security_result.detection_fields.value where key is nativeApp Whether the app is native.
AssetMetadata.owner.id principal.user.userid Owner ID from asset metadata.
AssetMetadata.primaryEmail principal.user.email_addresses Primary email from asset metadata.
AssetMetadata.scopes (Not mapped) Not mapped to the IDM object.
AssetMetadata.site_admin principal.user.attribute.labels.value where key is site_admin Whether the user is a site admin.
AssetMetadata.suspended principal.user.attribute.labels.value where key is suspended Whether the user is suspended.
AssetMetadata.url principal.url URL from asset metadata.
AssetMetadata.userKey principal.user.attribute.labels.value where key is userKey User key from asset metadata.
BlockedFileHash target.file.md5, target.file.sha1, target.file.sha256 Hashes of the blocked file. Parsed using grok to extract md5, sha1, or sha256.
BlockedFileName security_result.about.file.full_path Name of the blocked file.
BlockedFileReason security_result.summary Reason for blocking the file.
BlockedFileSize target.file.size Size of the blocked file.
BotScore security_result.detection_fields.value where key is BotScore Bot score assigned to the request.
BytesReceived network.received_bytes Number of bytes received.
BytesSent network.sent_bytes Number of bytes sent.
CacheCacheStatus additional.fields.value.string_value where key is CacheCacheStatus Status of the cache.
CacheResponseBytes additional.fields.value.string_value where key is CacheResponseBytes Number of bytes in the cached response.
CacheResponseStatus additional.fields.value.string_value where key is CacheResponseStatus Status code of the cached response.
ClientASN (Not mapped) Not mapped to the IDM object.
ClientCountry principal.location.country_or_region Client's country.
ClientDeviceType additional.fields.value.string_value where key is ClientDeviceType Type of the client device.
ClientIP principal.ip, principal.asset.ip Client's IP address.
ClientRequestMethod network.http.method HTTP request method used by the client.
ClientRequestHost target.hostname, target.asset.hostname Hostname requested by the client.
ClientRequestPath (Not mapped) Not mapped to the IDM object.
ClientRequestProtocol network.application_protocol Protocol used in the client request (e.g., HTTP, HTTPS). The protocol version is removed.
ClientRequestReferer network.http.referral_url Referrer URL of the client request.
ClientRequestURI target.url (combined with ClientRequestHost if present) URI requested by the client.
ClientRequestUserAgent network.http.user_agent User agent of the client request. Also parsed and mapped to network.http.parsed_user_agent.
ClientSSLCipher network.tls.cipher SSL cipher used by the client.
ClientSSLProtocol network.tls.version SSL protocol used by the client.
ClientSrcPort principal.port Client's source port.
ClientTCPHandshakeDurationMs additional.fields.value.string_value where key is ClientTCPHandshakeDurationMs Duration of the client TCP handshake.
ClientTLSHandshakeDurationMs additional.fields.value.string_value where key is ClientTLSHandshakeDurationMs Duration of the client TLS handshake.
ClientTLSVersion network.tls.version TLS version used by the client.
ColoID (Not mapped) Not mapped to the IDM object.
Connection target.resource.attribute.labels.value where key is Connection Connection type (e.g., saml).
ConnectionCloseReason additional.fields.value.string_value where key is ConnectionCloseReason Reason for connection closure.
ConnectionReuse additional.fields.value.string_value where key is ConnectionReuse Whether connection reuse occurred.
Country target.location.country_or_region Country associated with the event.
CreatedAt metadata.event_timestamp Timestamp of event creation.
Datetime metadata.event_timestamp Date and time of the event.
DestinationIP target.ip, target.asset.ip Destination IP address.
DestinationPort target.port Destination port.
DestinationTunnelID additional.fields.value.string_value where key is DestinationTunnelID ID of the destination tunnel.
DeviceID principal.asset_id (prefixed with "Cloudflare:") ID of the device.
DeviceName principal.hostname, principal.asset.hostname, principal.asset.attribute.labels.value where key is DeviceName Name of the device.
DownloadedFileNames security_result.about.labels.value where key is DownloadFileNames Names of downloaded files.
DstIP target.ip, target.asset.ip Destination IP address.
DstPort target.port Destination port.
EdgeColoCode additional.fields.value.string_value where key is EdgeColoCode Cloudflare edge location code.
EdgeColoID additional.fields.value.string_value where key is EdgeColoID Cloudflare edge location ID.
EdgeEndTimestamp (Not mapped) Not mapped to the IDM object.
EdgeResponseBytes network.received_bytes Number of bytes in the response from the edge.
EdgeResponseContentType target.file.mime_type Content type of the edge response.
EdgeResponseStatus network.http.response_code Status code of the edge response.
EdgeServerIP target.ip, target.asset.ip IP address of the edge server.
EdgeStartTimestamp metadata.event_timestamp Timestamp of the start of the request at the edge.
Email principal.user.email_addresses, target.user.email_addresses Email address associated with the event.
EgressColoName additional.fields.value.string_value where key is EgressColoName Name of the egress colo.
EgressIP principal.ip, principal.asset.ip Egress IP address. Sets network.direction to OUTBOUND.
EgressPort principal.port Egress port.
EgressRuleID additional.fields.value.string_value where key is EgressRuleID ID of the egress rule.
EgressRuleName additional.fields.value.string_value where key is EgressRuleName Name of the egress rule.
FindingTypeDisplayName security_result.description Display name of the finding type.
FindingTypeID security_result.rule_id ID of the finding type.
FindingTypeSeverity security_result.severity Severity of the finding type.
FirewallMatchesActions security_result.action Actions taken by firewall rules. allow, Allow, ALLOW, skip, SKIP, Skip map to ALLOW. challengeSolved and jschallengeSolved map to ALLOW_WITH_MODIFICATION. drop and block map to BLOCK. Other values map to UNKNOWN_ACTION.
FirewallMatchesRuleIDs security_result.rule_id (for the first ID), subsequent IDs create new security_result objects. IDs of the firewall rules that matched.
FirewallMatchesSources security_result.rule_name Sources of the firewall rules that matched.
HTTPHost target.hostname HTTP host.
HTTPMethod network.http.method HTTP method.
HTTPVersion network.application_protocol If the value contains "HTTP", sets network.application_protocol to HTTP.
ID metadata.product_log_id ID of the event.
IngressColoName additional.fields.value.string_value where key is IngressColoName Name of the ingress colo.
InstanceID principal.resource.product_object_id ID of the instance.
IntegrationDisplayName additional.fields.value.string_value where key is IntegrationDisplayName Display name of the integration.
IntegrationID metadata.product_deployment_id ID of the integration.
IntegrationPolicyVendor additional.fields.value.string_value where key is IntegrationPolicyVendor Vendor of the integration policy.
IPAddress target.ip, target.asset.ip IP address associated with the event.
IsIsolated about.labels.value where key is IsIsolated, security_result.about.resource.attribute.labels.value where key is IsIsolated Whether the event is isolated.
Location principal.location.name Location associated with the event.
NewValue security_result.about.labels.value where key is NewValue New value after an update.
Offramp additional.fields.value.string_value where key is Offramp Offramp used in the connection.
OldValue security_result.about.labels.value where key is OldValue Old value before an update.
OriginIP intermediary.ip, target.ip, target.asset.ip Origin IP address.
OriginPort target.port Origin port.
OriginResponseBytes additional.fields.value.string_value where key is OriginResponseBytes Number of bytes in the origin response.
OriginResponseStatus additional.fields.value.string_value where key is OriginResponseStatus Status code of the origin response.
OriginResponseTime additional.fields.value.string_value where key is OriginResponseTime Response time of the origin.
OriginSSLProtocol (Not mapped) Not mapped to the IDM object.
OriginTLSCertificateIssuer additional.fields.value.string_value where key is OriginTLSCertificateIssuer Issuer of the origin TLS certificate.
OriginTLSCertificateValidationResult additional.fields.value.string_value where key is OriginTLSCertificateValidationResult Result of the origin TLS certificate validation.
OriginTLSCipher additional.fields.value.string_value where key is OriginTLSCipher Cipher used in the origin TLS connection.
OriginTLSHandshakeDurationMs additional.fields.value.string_value where key is OriginTLSHandshakeDurationMs Duration of the origin TLS handshake.
OriginTLSVersion additional.fields.value.string_value where key is OriginTLSVersion TLS version used by the origin.
OwnerID target.user.product_object_id ID of the owner.
Policy security_result.rule_name Policy associated with the event.
PolicyID security_result.rule_id ID of the policy.
PolicyName security_result.rule_name Name of the policy.
Protocol network.application_protocol, network.ip_protocol Protocol used in the connection. If not "tls" or "TLS", converted to uppercase and mapped to network.application_protocol. Otherwise, parsed using an include file and mapped to network.ip_protocol.
PurposeJustificationPrompt (Not mapped) Not mapped to the IDM object.
PurposeJustificationResponse (Not mapped) Not mapped to the IDM object.
QueryCategoryIDs security_result.about.labels.value, security_result.about.resource.attribute.labels.value where key is QueryCategoryIDs IDs of query categories.
QueryName network.dns.questions.name Name of the DNS query. Sets metadata.event_type to NETWORK_DNS and network.application_protocol to DNS.
QueryNameReversed network.dns.questions.name Reversed name of the DNS query.
QuerySize network.sent_bytes Size of the query.
QueryType network.dns.questions.type Type of the DNS query. Mapped to numeric values based on DNS query type codes.
RData network.dns.answers.type, network.dns.answers.data DNS record data. Each element in the RData array creates a new answer object.
RayID metadata.product_log_id Ray ID associated with the request.
Referer network.http.referral_url Referrer URL.
RequestID metadata.product_log_id ID of the request.
ResolverDecision security_result.summary Decision made by the resolver.
ResourceID target.resource.id, target.resource.product_object_id ID of the resource.
ResourceType target.resource.resource_subtype Type of the resource.
RuleEvaluationDurationMs additional.fields.value.string_value where key is RuleEvaluationDurationMs Duration of rule evaluation.
SNI network.tls.client.server_name Server Name Indication (SNI) in TLS client hello.
SecurityAction security_result.action Security action taken. Empty value or no SecurityAction maps to ALLOW. challengeSolved or jschallengeSolved maps to ALLOW_WITH_MODIFICATION. drop or block maps to BLOCK.
SecurityLevel security_result.severity Security level. high maps to HIGH, med to MEDIUM, low to LOW.
SessionEndTime additional.fields.value.string_value where key is SessionEndTime End time of the session.
SessionID network.session_id ID of the session.
SessionStartTime metadata.event_timestamp Start time of the session.
SourceIP principal.ip, principal.asset.ip, src.ip, src.asset.ip Source IP address.
SourcePort principal.port, src.port Source port.
SrcIP principal.ip, principal.asset.ip Source IP address.
SrcPort principal.port Source port.
TemporaryAccessDuration network.session_duration.seconds Duration of temporary access.
Timestamp metadata.event_timestamp Timestamp of the event.
Transport network.ip_protocol Transport protocol. Converted to uppercase and parsed using an include file.
UploadedFileNames security_result.about.labels.value where key is UploadedFileNames Names of uploaded files.
URL target.url URL involved in the event.
UserAgent network.http.user_agent User agent string. Also parsed and mapped to network.http.parsed_user_agent.
UserID principal.user.product_object_id, target.user.product_object_id ID of the user.
UserUID target.user.product_object_id UID of the user.
VirtualNetworkID principal.resource.product_object_id ID of the virtual network.
WAFAction security_result.about.labels.value where key is WAFAction Action taken by the Web Application Firewall (WAF).
WAFAttackScore security_result.about.resource.attribute.labels.value where key is WAFAttackScore Attack score assigned by the WAF.
WAFFlags security_result.about.resource.attribute.labels.value where key is WAFFlags WAF flags.
WAFMatchedVar (Not mapped) Not mapped to the IDM object.
WAFProfile security_result.about.labels.value where key is WAFProfile WAF profile.
WAFRCEAttackScore security_result.about.resource.attribute.labels.value where key is WAFRCEAttackScore WAF Remote Code Execution (RCE) attack score.
WAFRuleID security_result.threat_id, security_result.about.labels.value where key is WAFRuleID ID of the WAF rule.
WAFRuleMessage security_result.rule_name, security_result.threat_name Message associated with the WAF rule.
WAFSQLiAttackScore security_result.about.resource.attribute.labels.value where key is WAFSQLiAttackScore WAF SQL Injection attack score.
WAFXSSAttackScore security_result.about.resource.attribute.labels.value where key is WAFXSSAttackScore WAF Cross-Site Scripting (XSS) attack score.
ZoneID additional.fields.value.string_value where key is ZoneID Zone ID.
event.idm.read_only_udm.metadata.event_type metadata.event_type Type of the event. Set by the parser based on the log data. Defaults to GENERIC_EVENT if not set or if a NETWORK_DNS event has no principal or target. Can be NETWORK_DNS, NETWORK_CONNECTION, USER_LOGIN, USER_LOGOUT, USER_RESOURCE_ACCESS, USER_RESOURCE_UPDATE_CONTENT, or GENERIC_EVENT.
event.idm.read_only_udm.metadata.log_type metadata.log_type Log type, set to "CLOUDFLARE".
event.idm.read_only_udm.metadata.product_deployment_id metadata.product_deployment_id Product deployment ID.
event.idm.read_only_udm.metadata.product_log_id metadata.product_log_id Product log ID.
event.idm.read_only_udm.metadata.product_name metadata.product_name Product name. Set by the parser based on the log data. Can be "Cloudflare Gateway DNS", "Cloudflare Gateway HTTP", "Cloudflare Audit", "Web Application Firewall".
event.idm.read_only_udm.metadata.vendor_name metadata.vendor_name Vendor name, set to "Cloudflare".
event.idm.read_only_udm.metadata.event_timestamp metadata.event_timestamp Timestamp of the event.
event.idm.read_only_udm.network.application_protocol network.application_protocol Application protocol used in the network connection.
event.idm.read_only_udm.network.direction network.direction Direction of the network connection. Set to OUTBOUND when EgressIP and SourceIP are present.
event.idm.read_only_udm.network.dns.answers network.dns.answers DNS answers.
event.idm.read_only_udm.network.dns.questions network.dns.questions DNS questions.
event.idm.read_only_udm.network.http.method network.http.method HTTP method.
event.idm.read_only_udm.network.http.parsed_user_agent network.http.parsed_user_agent Parsed user agent.
event.idm.read_only_udm.network.http.referral_url network.http.referral_url HTTP referral URL.
event.idm.read_only_udm.network.http.response_code network.http.response_code HTTP response code.
event.idm.read_only_udm.network.http.user_agent network.http.user_agent HTTP user agent.
event.idm.read_only_udm.network.ip_protocol network.ip_protocol IP protocol.
event.idm.read_only_udm.network.received_bytes network.received_bytes Number of bytes received.
event.idm.read_only_udm.network.sent_bytes network.sent_bytes Number of bytes sent.
event.idm.read_only_udm.network.session_duration.seconds network.session_duration.seconds Duration of the network session in seconds.
event.idm.read_only_udm.network.session_id network.session_id Network session ID.
event.idm.read_only_udm.network.tls.cipher network.tls.cipher TLS cipher suite.
event.idm.read_only_udm.network.tls.client.server_name network.tls.client.server_name TLS client server name.
event.idm.read_only_udm.network.tls.version network.tls.version TLS version.
event.idm.read_only_udm.principal.asset.attribute.labels principal.asset.attribute.labels Labels associated with the principal asset.
event.idm.read_only_udm.principal.asset.hostname principal.asset.hostname Hostname of the principal asset.
event.idm.read_only_udm.principal.asset.ip principal.asset.ip IP address of the principal asset.
event.idm.read_only_udm.principal.asset_id principal.asset_id ID of the principal asset.
event.idm.read_only_udm.principal.hostname principal.hostname Hostname of the principal.
event.idm.read_only_udm.principal.ip principal.ip IP address of the principal.
event.idm.read_only_udm.principal.location.country_or_region principal.location.country_or_region Country or region of the principal's location.
event.idm.read_only_udm.principal.location.name principal.location.name Name of the principal's location.
event.idm.read_only_udm.principal.port principal.port Port used by the principal.
event.idm.read_only_udm.principal.resource.product_object_id principal.resource.product_object_id Product object ID of the principal's resource.
event.idm.read_only_udm.principal.url principal.url URL associated with the principal.
event.idm.read_only_udm.principal.user.attribute.labels principal.user.attribute.labels Labels associated with the principal user.
event.idm.read_only_udm.principal.user.email_addresses principal.user.email_addresses Email addresses of the principal user.
event.idm.read_only_udm.principal.user.first_name principal.user.first_name First name of the principal user.
event.idm.read_only_udm.principal.user.last_name principal.user.last_name Last name of the principal user.
event.idm.read_only_udm.principal.user.product_object_id principal.user.product_object_id Product object ID of the principal user.
event.idm.read_only_udm.principal.user.userid principal.user.userid User ID of the principal user.
event.idm.read_only_udm.principal.user.user_display_name principal.user.user_display_name Display name of the principal user.
event.idm.read_only_udm.src.asset.ip src.asset.ip IP address of the source asset.
event.idm.read_only_udm.src.ip src.ip IP address of the source.
event.idm.read_only_udm.src.port src.port Port of the source.
event.idm.read_only_udm.target.administrative_domain target.administrative_domain Administrative domain of the target.
event.idm.read_only_udm.target.asset.hostname target.asset.hostname Hostname of the target asset.
event.idm.read_only_udm.target.asset.ip target.asset.ip IP address of the target asset.
event.idm.read_only_udm.target.file.mime_type target.file.mime_type MIME type of the target file.
event.idm.read_only_udm.target.file.md5 target.file.md5 MD5 hash of the target file.
event.idm.read_only_udm.target.file.sha1 target.file.sha1 SHA1 hash of the target file.
event.idm.read_only_udm.target.file.sha256 target.file.sha256 SHA256 hash of the target file.
event.idm.read_only_udm.target.file.size target.file.size Size of the target file.
event.idm.read_only_udm.target.hostname target.hostname Hostname of the target.
event.idm.read_only_udm.target.ip target.ip IP address of the target.
event.idm.read_only_udm.target.location.country_or_region target.location.country_or_region Country or region of the target's location.
event.idm.read_only_udm.target.port target.port Port of the target.
event.idm.read_only_udm.target.resource.attribute.labels target.resource.attribute.labels Labels associated with the target resource.
event.idm.read_only_udm.target.resource.id target.resource.id ID of the target resource.
event.idm.read_only_udm.target.resource.product_object_id target.resource.product_object_id Product object ID of the target resource.
event.idm.read_only_udm.target.resource.resource_subtype target.resource.resource_subtype Resource subtype of the target resource.
event.idm.read_only_udm.target.url target.url URL of the target.
event.idm.read_only_udm.target.user.email_addresses target.user.email_addresses Email addresses of the target user.
event.idm.read_only_udm.target.user.product_object_id target.user.product_object_id Product object ID of the target user.
event.idm.read_only_udm.security_result.about.file.full_path security_result.about.file.full_path Full path of the file involved in the security result.
event.idm.read_only_udm.security_result.about.labels security_result.about.labels Labels associated with the security result.
event.idm.read_only_udm.security_result.about.resource.attribute.labels security_result.about.resource.attribute.labels Labels associated with the resource in the security result.
event.idm.read_only_udm.security_result.action security_result.action Action taken in the security result.
event.idm.read_only_udm.security_result.detection_fields security_result.detection_fields Detection fields in the security result.
event.idm.read_only_udm.security_result.description security_result.description Description of the security result.
event.idm.read_only_udm.security_result.rule_id security_result.rule_id Rule ID of the security result.
event.idm.read_only_udm.security_result.rule_name security_result.rule_name Rule name of the security result.
event.idm.read_only_udm.security_result.severity security_result.severity Severity of the security result.
event.idm.read_only_udm.security_result.summary security_result.summary Summary of the security result.
event.idm.read_only_udm.security_result.threat_id security_result.threat_id Threat ID of the security result.
event.idm.read_only_udm.security_result.threat_name security_result.threat_name Threat name of the security result.
event.idm.read_only_udm.extensions.auth.type extensions.auth.type Authentication type. Set to MACHINE for login and logout events.
event.idm.read_only_udm.about about About information.
event.idm.read_only_udm.additional.fields additional.fields Additional fields.
event.idm.read_only_udm.intermediary intermediary Intermediary information.
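The following Python is an added example, not part of this page and not the Google SecOps parser. It applies the rules stated in the table above for Action, FirewallMatchesActions, SecurityLevel, BlockedFileHash, QueryName/RData and the GENERIC_EVENT fallback to three constructed records, so the mapping logic can be checked offline. The sample records, the helper names (_first, classify_hash, to_udm), and the choice of NETWORK_CONNECTION for a plain HTTP request log with a principal and a target are this example's own assumptions.

```python
# Added example (not the Google SecOps parser): applies the UDM mapping rules
# from the table above to constructed Cloudflare records, entirely offline.
import re
from typing import Any

# Mirrors the grok step described for BlockedFileHash: 32 hex chars = MD5,
# 40 = SHA-1, 64 = SHA-256. Anything else stays unmapped.
_HASH_RE = re.compile(
    r"^(?:(?P<md5>[0-9a-fA-F]{32})|(?P<sha1>[0-9a-fA-F]{40})|(?P<sha256>[0-9a-fA-F]{64}))$"
)
_SEVERITY = {"high": "HIGH", "med": "MEDIUM", "low": "LOW"}  # SecurityLevel rule

# Constructed sample records (not real Cloudflare output): an HTTP request log
# with two firewall matches, a Gateway DNS log, and a CASB blocked-file finding.
SAMPLES: list[dict[str, Any]] = [
    {"RayID": "7f1c2d3e4a5b6c7d", "ClientIP": "203.0.113.10", "SecurityLevel": "high",
     "ClientRequestHost": "www.example.com", "ClientRequestURI": "/login?u=admin'--",
     "FirewallMatchesActions": ["block", "skip"],
     "FirewallMatchesRuleIDs": ["rule-sqli-1", "rule-allowlist"]},
    {"Datetime": "2024-02-19T12:00:00Z", "QueryName": "evil.example.net",
     "QueryType": 1, "SourceIP": "10.0.0.5", "Email": "alice@example.com",
     "Action": "block", "RData": [{"type": 1, "data": "198.51.100.7"}]},
    {"ID": "casb-1", "ActorEmail": "bob@example.com",
     "BlockedFileHash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

def map_action(action: str) -> str:
    """'Action' rule: allow/allowed* -> ALLOW, unknown -> UNKNOWN_ACTION, else BLOCK."""
    low = action.lower()
    if low.startswith("allow"):
        return "ALLOW"
    return "UNKNOWN_ACTION" if low == "unknown" else "BLOCK"

def map_firewall_action(action: str) -> str:
    """'FirewallMatchesActions' rule, case-insensitive on the listed values."""
    low = action.lower()
    if low in ("allow", "skip"):
        return "ALLOW"
    if low in ("challengesolved", "jschallengesolved"):
        return "ALLOW_WITH_MODIFICATION"
    return "BLOCK" if low in ("drop", "block") else "UNKNOWN_ACTION"

def classify_hash(value: str) -> dict[str, str]:
    """{'md5'|'sha1'|'sha256': digest} for a bare hex digest, else {}."""
    m = _HASH_RE.match(value.strip())
    return {k: v for k, v in m.groupdict().items() if v} if m else {}

def _first(rec: dict[str, Any], *keys: str) -> Any:
    return next((rec[k] for k in keys if rec.get(k)), None)

def to_udm(rec: dict[str, Any]) -> dict[str, Any]:
    md: dict[str, Any] = {"vendor_name": "Cloudflare", "log_type": "CLOUDFLARE"}
    principal: dict[str, Any] = {}
    target: dict[str, Any] = {}
    network: dict[str, Any] = {}
    # Datetime wins; Timestamp is the fallback added in the 2024-02-19 fix.
    if ts := _first(rec, "Datetime", "EdgeStartTimestamp", "Timestamp", "CreatedAt"):
        md["event_timestamp"] = ts
    if log_id := _first(rec, "RayID", "ID", "RequestID"):
        md["product_log_id"] = log_id
    if ip := _first(rec, "ClientIP", "SourceIP", "SrcIP", "ActorIP"):
        principal["ip"] = [ip]
    if email := _first(rec, "ActorEmail", "Email"):
        principal["user"] = {"email_addresses": [email]}
    if host := rec.get("ClientRequestHost"):
        target["hostname"] = host
        target["url"] = host + rec.get("ClientRequestURI", "")  # host + URI -> target.url

    # Firewall matches: the first rule ID fills the first security_result and
    # every further ID gets its own object; actions align with IDs by index.
    actions = rec.get("FirewallMatchesActions") or []
    results: list[dict[str, Any]] = [{"rule_id": r} for r in rec.get("FirewallMatchesRuleIDs") or []]
    for sr, act in zip(results, actions):
        sr["action"] = map_firewall_action(act)
    head: dict[str, Any] = results[0] if results else {}
    if (level := str(rec.get("SecurityLevel") or "").lower()) in _SEVERITY:
        head["severity"] = _SEVERITY[level]
    if rec.get("BlockedFileHash"):  # CASB: hash kind is decided by digest length
        target["file"] = classify_hash(rec["BlockedFileHash"])

    event_type = "GENERIC_EVENT"
    if rec.get("QueryName"):
        network["application_protocol"] = "DNS"
        network["dns"] = {
            "questions": [{"name": rec["QueryName"], "type": rec.get("QueryType")}],
            "answers": [{"type": a.get("type"), "data": a.get("data")}
                        for a in rec.get("RData") or []]}
        # NETWORK_DNS only with a principal or a target; otherwise GENERIC_EVENT.
        event_type = "NETWORK_DNS" if (principal or target) else "GENERIC_EVENT"
    elif principal.get("ip") and target:
        event_type = "NETWORK_CONNECTION"  # assumption for plain HTTP request logs
    if action := rec.get("Action"):
        head["action"] = map_action(str(action))
    md["event_type"] = event_type
    udm = {"metadata": md, "principal": principal, "target": target,
           "network": network, "security_result": results or ([head] if head else [])}
    return {k: v for k, v in udm.items() if v}  # drop empty sections
```

Two points worth noticing when writing detection rules against this feed: a DNS record that carries no principal or target lands as GENERIC_EVENT rather than NETWORK_DNS, so a rule keyed on NETWORK_DNS silently misses it, and a request with several firewall matches produces several security_result objects whose action and rule_id are aligned by position, so a rule should test the object that matched, not the first one.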

Changes

2024-02-19

  • Bug-Fix:
  • When there is no principal and target machine data, then mapped "metadata.event_type" to "GENERIC_EVENT".
  • When "Datetime" field is missing and "Timestamp" field is present, then mapped "Timestamp" to "metadata.event_timestamp".
  • Mapped "ClientIP" to "principal.ip".
  • Mapped "RayID" to "metadata.product_log_id".
  • Mapped "EdgeResponseStatus" to "network.http.response_code".
  • Mapped "ClientRequestMethod" to "network.http.method".
  • Mapped "ClientRequestURI" to "target.uri".
  • Mapped "ClientRequestHost" to "target.hostname".

2024-01-31

  • Mapped "BotScore" to "security_result.detection_fields".
  • Aligned "principal.hostname", "target.hostname", "principal.asset.hostname", and "target.asset.hostname" mappings.
  • Aligned "principal.ip", "target.ip", "principal.asset.ip", and "target.asset.ip" mappings.

2024-01-08

  • When "Action" contains "allow", "security_result.action" is set to "ALLOW".
  • Added mapping of "DeviceName" to "principal.hostname", "principal.asset.hostname".
  • Added mapping of "SourceIP" to "principal.ip" for DNS logs.
  • Added a null conditional check before mapping "principal" to "event.idm.read_only_udm.principal".
  • Added a null conditional check before mapping "target" to "event.idm.read_only_udm.target".

2023-11-22

  • Mapped "WAFRuleID" to "security_result.threat_id".
  • Mapped "WAFRuleMessage" to "security_result.threat_name".
  • Mapped "WAFRCEAttackScore", "WAFSQLiAttackScore", "WAFXSSAttackScore", "WAFAttackScore", "WAFFlags" to "security_result.about.resource.attribute.labels".

2023-10-09

  • When the "SecurityAction" value is null or not present, "security_result.action" is set to "ALLOW". An HTTP request log that carries no "SecurityAction" is therefore normalized as allowed rather than as an unknown action.

2023-09-26

  • Modified mappings from using deprecated UDM fields to alternative fields.
  • Added mapping from "security_result.about.labels" to "security_result.about.resource.attribute.labels".
  • Added mapping from "about.labels" to "security_result.about.resource.attribute.labels".
  • Added mapping from "target.resource.id" to "target.resource.product_object_id".

2023-04-25

  • Enhancement to map the following raw log fields to UDM fields:
  • Initialized "EdgeStartTimestamp", "ClientIP", "ClientRequestHost", "ClientRequestURI", "ClientRequestMethod", "Datetime", "ActorEmail", and "ActorIP" to null.
  • Mapped "AssetExternalID" to "principal.asset_id".
  • Mapped "AssetDisplayName" to "principal.asset.attribute.labels".
  • Mapped "AssetLink" to "principal.url".
  • Mapped "AssetMetadata.userKey" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.clientId" to "principal.user.userid".
  • Mapped "AssetMetadata.anonymous" to "security_result.detection_fields".
  • Mapped "AssetMetadata.nativeApp" to "security_result.detection_fields".
  • Mapped "DetectedTimestamp" to "metadata.event_timestamp".
  • Mapped "FindingTypeDisplayName" to "security_result.description".
  • Mapped "FindingTypeID" to "security_result.rule_id".
  • Mapped "FindingTypeSeverity" to "security_result.severity".
  • Mapped "InstanceID" to "principal.resource.product_object_id".
  • Mapped "IntegrationDisplayName" to "additional.fields".
  • Mapped "IntegrationID" to "metadata.product_deployment_id".
  • Mapped "IntegrationPolicyVendor" to "additional.fields".
  • Mapped "AssetMetadata.customerId" to "principal.user.userid".
  • Mapped "AssetMetadata.primaryEmail" to "principal.user.email_addresses".
  • Mapped "AssetMetadata.agreedToTerms" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.ipWhitelisted" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.lastLoginTime" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.isEnforcedIn2Sv" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.isEnrolledIn2Sv" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.isDelegatedAdmin" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.changePasswordAtNextLogin" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.includeInGlobalAddressList" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.isAdmin" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.suspended" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.url" to "principal.url".
  • Mapped "AssetMetadata.site_admin" to "principal.user.attribute.labels".
  • Mapped "AssetMetadata.login" to "principal.user.userid".
  • Mapped "AssetMetadata.owner.id" to "principal.user.userid".
  • Mapped "AssetMetadata.name.fullName" to "principal.user.user_display_name".
  • Mapped "AssetMetadata.name.givenName" to "principal.user.first_name".
  • Mapped "AssetMetadata.name.familyName" to "principal.user.last_name".
  • Mapped "Allowed" to "security_result.action".
  • Mapped "AppDomain" to "target.administrative_domain".
  • Mapped "AppUUID" to "target.resource.product_object_id".
  • Mapped "Connection" to "target.resource.attribute.labels".
  • Mapped "Country" to "target.location.country_or_region".
  • Mapped "CreatedAt" to "metadata.event_timestamp".
  • Mapped "IPAddress" to "target.ip".
  • Mapped "RayID" to "metadata.product_log_id".
  • Mapped "Email" to "principal.user.email_addresses" and "target.user.email_addresses".
  • Mapped "TemporaryAccessDuration" to "network.session_duration.seconds".
  • Mapped "UserUID" to "target.user.product_object_id".
  • Mapped "UserAgent" to "network.http.parsed_user_agent".
  • Mapped "ClientRequestUserAgent" to "network.http.parsed_user_agent".
  • Mapped "PolicyName" to "security_result.rule_name".
  • Mapped "SessionID" to "network.session_id".
  • Mapped "Transport" to "network.ip_protocol".
  • Mapped "SNI" to "tls.client.server_name".
  • Mapped "DeviceName" to "principal.asset.attribute.labels".
  • Mapped "BytesReceived" to "network.received_bytes".
  • Mapped "BytesSent" to "network.sent_bytes".
  • Mapped "Protocol" to "network.ip_protocol".
  • Mapped "ClientTCPHandshakeDurationMs" to "additional.fields".
  • Mapped "ClientTLSCipher" to "network.tls.cipher".
  • Mapped "ClientTLSHandshakeDurationMs" to "additional.fields".
  • Mapped "ClientTLSVersion" to "network.tls.version".
  • Mapped "ConnectionCloseReason" to "additional.fields".
  • Mapped "ConnectionReuse" to "additional.fields".
  • Mapped "DestinationTunnelID" to "additional.fields".
  • Mapped "EgressIP" to "principal.ip".
  • Mapped "EgressPort" to "principal.port".
  • Mapped "EgressRuleID" to "additional.fields".
  • Mapped "EgressRuleName" to "additional.fields".
  • Mapped "IngressColoName" to "additional.fields".
  • Mapped "Offramp" to "additional.fields".
  • Mapped "OriginIP" to "target.ip".
  • Mapped "OriginPort" to "target.port".
  • Mapped "OriginTLSCertificateIssuer" to "additional.fields".
  • Mapped "OriginTLSCertificateValidationResult" to "additional.fields".
  • Mapped "OriginTLSCipher" to "additional.fields".
  • Mapped "OriginTLSHandshakeDurationMs" to "additional.fields".
  • Mapped "OriginTLSVersion" to "additional.fields".
  • Mapped "RuleEvaluationDurationMs" to "additional.fields".
  • Mapped "SessionEndTime" to "additional.fields".
  • Mapped "SessionStartTime" to "metadata.event_timestamp".
  • Mapped "SourceIP" to "src.ip".
  • Mapped "SourcePort" to "src.port".
  • Mapped "UserID" to "principal.user.product_object_id".
  • Mapped "VirtualNetworkID" to "principal.resource.product_object_id".

2023-04-06

  • Enhancement - Declared the fields "WAFRuleMessage", "WAFAction", "QueryType", "RayID", "Email" at the global level.
  • Set "metadata.event_type" to "NETWORK_UNCATEGORIZED" where both "QueryName" and "QueryNameReversed" are null.
  • Added on-error checks for the following fields: "RData[n].type", "RData[n].data", "EdgeResponseBytes", "ClientRequestBytes", "EdgeResponseStatus".
  • Added string conversion for the fields "SourcePort" and "DestinationPort".

2022-10-10

  • Enhancement:
  • Set "metadata.product_name" to "Web Application Firewall".
  • Set "metadata.vendor_name" to "Cloudflare".

2022-05-23

  • Enhancement to map the following raw log fields to UDM fields:
  • Mapped "ClientASN" to "network.asn".
  • Mapped "ClientSSLCipher" to "network.tls.cipher".
  • Mapped "ClientSSLProtocol" to "network.tls.version".
  • Mapped "EdgeResponseContentType" to "target.file.mime_type".
  • Mapped "OriginIP" to "intermediary.ip".
  • Mapped "FirewallMatchesActions" to "security_result.action".
  • Mapped "FirewallMatchesRuleIDs" to "security_result.rule_id".
  • Mapped "FirewallMatchesSources" to "security_result.rule_name".
  • Mapped "WAFRuleID", "WAFProfile" to "security_result.about.labels".
  • Mapped "CacheCacheStatus", "CacheResponseBytes", "CacheResponseStatus", "ClientDeviceType", "EdgeColoCode", "EdgeColoID", "OriginResponseBytes", "OriginResponseStatus", "OriginResponseTime", "ZoneID" to "additional.fields".
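The conditional rules spread across the entries above (the "Datetime"/"Timestamp" fallback and the "GENERIC_EVENT" default from 2024-02-19, the "Action" rule from 2024-01-08, the "SecurityAction" default from 2023-10-09, the WAF label mapping from 2023-11-22, and the "NETWORK_UNCATEGORIZED" and on-error rules from 2023-04-06) are easier to reason about when applied to concrete events. The Python below is an added example, not the parser itself and not code from Google or Cloudflare: it models those rules as literally stated and applies them to three constructed sample events. The "NETWORK_DNS" event type for the DNS branch, the translation of a present "SecurityAction" value into a UDM action, and the handling of an "Action" value that does not contain "allow" are assumptions of the example; the changelog does not spell them out.

```python
"""Added example: a Python model of the conditional mapping rules in this changelog.
Not the Google SecOps parser itself; the sample events below are constructed."""
import json
from datetime import datetime, timezone

# Constructed sample events, one per log family the changelog mentions.
SAMPLE_EVENTS = [
    # HTTP request log with a WAF block: Datetime and SecurityAction present.
    {"Datetime": "2024-02-19T10:00:00Z", "RayID": "rayid-example-0001",
     "ClientIP": "203.0.113.10", "ClientRequestHost": "www.example.com",
     "ClientRequestURI": "/login?next=%2Fadmin", "ClientRequestMethod": "POST",
     "EdgeResponseStatus": 403, "SecurityAction": "block",
     "WAFRuleID": "waf-rule-example", "WAFRuleMessage": "SQLi in query string",
     "WAFSQLiAttackScore": 5, "WAFAttackScore": 7, "BotScore": 12},
    # DNS log: no Datetime (Timestamp is the fallback) and no SecurityAction.
    {"Timestamp": "2024-02-19T10:00:01Z", "QueryName": "example.com",
     "QueryNameReversed": "com.example", "SourceIP": "198.51.100.7",
     "DeviceName": "laptop-01"},
    # Zero Trust style event carrying user data only: no machine data on either side.
    {"Datetime": "2024-02-19T10:00:02Z", "Email": "alice@example.com",
     "Action": "allow", "PolicyName": "Allow corp SaaS"},
]

WAF_LABEL_FIELDS = ("WAFRCEAttackScore", "WAFSQLiAttackScore", "WAFXSSAttackScore",
                    "WAFAttackScore", "WAFFlags")


def parse_timestamp(raw):
    """2024-02-19 rule: Datetime wins, Timestamp is the fallback. ISO 8601 UTC or None."""
    value = raw.get("Datetime") or raw.get("Timestamp")
    if value is None:
        return None
    if isinstance(value, (int, float)):  # epoch seconds
        return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()


def to_int(value):
    """2023-04-06 on-error check: a missing or non-numeric value leaves the UDM field unset."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def security_action(raw):
    """SecurityAction present -> mapped (the translation table is an assumption of this example);
    else Action containing 'allow' -> ALLOW (2024-01-08); else ALLOW (2023-10-09)."""
    sec = raw.get("SecurityAction")
    if sec:
        return {"block": "BLOCK", "allow": "ALLOW"}.get(str(sec).lower(), "UNKNOWN_ACTION")
    action = raw.get("Action")
    if action is not None:  # only the 'allow' case is in the changelog; the rest is an assumption
        return "ALLOW" if "allow" in str(action).lower() else "UNKNOWN_ACTION"
    return "ALLOW"  # null or absent SecurityAction defaults to ALLOW


def normalize(raw):
    """Map one raw Cloudflare event to a UDM-shaped dict using the changelog's rules."""
    udm = {"metadata": {"vendor_name": "Cloudflare", "product_name": "Web Application Firewall"}}
    ts = parse_timestamp(raw)
    if ts:
        udm["metadata"]["event_timestamp"] = ts
    if raw.get("RayID"):
        udm["metadata"]["product_log_id"] = raw["RayID"]

    principal, target, network = {}, {}, {}
    ip = raw.get("ClientIP") or raw.get("SourceIP")  # ClientIP for HTTP, SourceIP for DNS
    if ip:
        principal["ip"] = [ip]
    if raw.get("DeviceName"):
        principal["hostname"] = raw["DeviceName"]
        principal["asset"] = {"hostname": raw["DeviceName"]}
    if raw.get("Email"):
        principal["user"] = {"email_addresses": [raw["Email"]]}
    if raw.get("ClientRequestHost"):
        target["hostname"] = raw["ClientRequestHost"]
    if raw.get("ClientRequestURI"):
        target["uri"] = raw["ClientRequestURI"]
    if raw.get("ClientRequestMethod"):
        network.setdefault("http", {})["method"] = raw["ClientRequestMethod"]
    status = to_int(raw.get("EdgeResponseStatus"))
    if status is not None:
        network.setdefault("http", {})["response_code"] = status

    result = {"action": [security_action(raw)]}
    if raw.get("WAFRuleID"):
        result["threat_id"] = raw["WAFRuleID"]
    if raw.get("WAFRuleMessage"):
        result["threat_name"] = raw["WAFRuleMessage"]
    if raw.get("PolicyName"):
        result["rule_name"] = raw["PolicyName"]
    if "BotScore" in raw:
        result["detection_fields"] = [{"key": "BotScore", "value": str(raw["BotScore"])}]
    labels = [{"key": k, "value": str(raw[k])} for k in WAF_LABEL_FIELDS if k in raw]
    if labels:
        result["about"] = {"resource": {"attribute": {"labels": labels}}}

    # GENERIC_EVENT without machine data (2024-02-19); NETWORK_UNCATEGORIZED when neither
    # query-name field is set (2023-04-06); NETWORK_DNS for the DNS branch is an assumption.
    has_machine_data = any(k in principal for k in ("ip", "hostname")) or "hostname" in target
    if not has_machine_data:
        udm["metadata"]["event_type"] = "GENERIC_EVENT"
    elif raw.get("QueryName") is None and raw.get("QueryNameReversed") is None:
        udm["metadata"]["event_type"] = "NETWORK_UNCATEGORIZED"
    else:
        udm["metadata"]["event_type"] = "NETWORK_DNS"

    for key, value in (("principal", principal), ("target", target), ("network", network)):
        if value:  # null conditional checks (2024-01-08): attach only non-empty objects
            udm[key] = value
    udm["security_result"] = [result]
    return udm


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(json.dumps(normalize(event), indent=2))
```

Running it prints the three normalized events. The DNS event is the one to remember when writing detections: it carries neither "SecurityAction" nor "Action", so it still comes out with "security_result.action" = "ALLOW", which means an absent security action is indistinguishable from an explicit allow after normalization. The "EdgeResponseStatus" conversion goes through the on-error path, so a non-numeric value simply leaves "network.http.response_code" unset instead of failing the event.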