Change log for CLOUDFLARE
| Date | Changes |
|---|---|
| 2025-06-09 | Enhancement:
- event.idm.read_only_udm.security_result.action_details : Newly Mapped `Action` raw log field with `event.idm.read_only_udm.security_result.action_details`. - Added conditional check before mapping to event.idm.read_only_udm.security_result.action. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientRequestScheme` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientASN` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `Ref` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `Source` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `EdgeColoCode` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientASNDescription` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.additional.fields: Newly Mapped `ClientIPClass` raw log field with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.src.hostname: Newly Mapped `ClientRequestHost` raw log field with `event.idm.read_only_udm.src.hostname` UDM field. - event.idm.read_only_udm.src.file.full_path: Newly Mapped `ClientRequestPath` raw log field with `event.idm.read_only_udm.src.file.full_path` UDM field. - event.idm.read_only_udm.network.http.user_agent: Newly Mapped `ClientUserAgent` raw log field with `event.idm.read_only_udm.network.http.user_agent` UDM field. - event.idm.read_only_udm.security_result.description: Newly Mapped `Description` raw log field with `event.idm.read_only_udm.security_result.description` UDM field. - event.idm.read_only_udm.principal.application: Newly Mapped `Kind` raw log field with `event.idm.read_only_udm.principal.application` UDM field. - event.idm.read_only_udm.network.session_id: Newly Mapped `RayID` raw log field with `event.idm.read_only_udm.network.session_id` UDM field. - event.idm.read_only_udm.network.application_protocol: Newly Mapped `client_request_proto` raw log field with `event.idm.read_only_udm.network.application_protocol` UDM field. - event.idm.read_only_udm.network.application_protocol_version: Newly Mapped `version` raw log field with `event.idm.read_only_udm.network.application_protocol_version` UDM field. |
| 2025-03-20 | Enhancement:
- Added a null check before mapping "UserID" to "principal.user.product_object_id". - Added a regex expression check before mapping "QueryName" to "questions.name". - Added a condition check to set "metadata.event_type" to "STATUS_UPDATE". |
| 2025-03-03 | Enhancement:
- Mapped "log.Application", "log.ClientAsn", "log.ColoCode", "log.OriginProto", "log.Status" and "log.ProxyProtocol" to "additional.fields". - Mapped "log.ClientBytes" to "network.sent_bytes". - Mapped "log.ClientCountry" to "principal.location.country_or_region". - Mapped "log.ClientIP" to "principal.ip and principal.asset.ip". - Mapped "log.ClientMatchedIpFirewall" to "security_result.detection_fields". - Mapped "log.ClientPort" to "principal.port". - Mapped "log.ClientProto" to "network.ip_protocol". - Mapped "log.Event" to "security_result.detection_fields". - Mapped "log.OriginBytes" to "security_result.detection_fields". - Mapped "log.OriginIP" to "intermediary.ip". - Mapped "log.OriginPort" to "intermediary.port". - Mapped "log.IpFirewall" to "security_result.detection_fields". - Mapped "log.Timestamp" to "metadata.event_timestamp". - Mapped "log.ConnectTimestamp" to "security_result.detection_fields". - Mapped "log.DisconnectTimestamp" to "security_result.detection_fields". |
| 2025-01-15 | Enhancement:
- Mapped "AppDomain" to "target.administrative_domain". - Mapped "AppUUID" to "target.resource.product_object_id". - Mapped "UserUID" to "target.user.product_object_id". - Mapped "CreatedAt" to "metadata.event_timestamp". - Mapped "Connection" to "target.resource.attribute.labels". - Mapped "Country" to "target.location.country_or_region". - Mapped "IPAddress" to "target.ip" and "target.asset.ip". - Mapped "TemporaryAccessDuration" to "network.session_duration.seconds". - If only "target" is present and "event_type_value" is "NETWORK_CONNECTION", then mapped "metadata.event_type" to "USER_UNCATEGORIZED". |
| 2024-11-05 | Enhancement:
- Added support for a new pattern of JSON logs. |
| 2024-11-04 | Enhancement:
- When "Action" contains "skip", "SKIP", or "Skip", then set "security_result.action" to "ALLOW". |
| 2024-10-29 | Enhancement:
- Added support for unparsed logs. - Mapped "IPSourceAddress" to "principal.ip", and "principal.asset.ip". - Mapped "IPDestinationAddress" to "target.ip", and "target.asset.ip". - Mapped "DestinationPort" to "target.port". - Mapped "SourcePort" to "principal.port". - Mapped "IPProtocol" to "network.ip_protocol". - Mapped "IPDestinationSubnet", "DestinationASNNAME", "DestinationASN", and "DestinationGeoHash" to "target.resource.attribute.labels". - Mapped "IPSourceSubnet", "SourceASNNAME", "SourceASN", and "SourceGeoHash" to "principal.resource.attribute.labels". - MApped "SourceCountry" to "principal.location.country_or_region". - Mapped "DestinationCountry" to "target.location.country_or_region". - Mapped "ColoCity", "ColoCode", "ColoCountry", "ColoGeoHash", "ColoName", "GREChecksum", "GREEtherType", "GREHeaderLength", "GREKey", "GRESequenceNumber", and "GREVersion" to "additional.fields". - Mapped "ICMPChecksum", "ICMPType", "ICMPCode", "IPProtocol", "ProtocolState", "IPTTL", "IPTTLBuckets", "IPTotalLength", "IPTotalLengthBuckets", "IPv4Checksum", "IPv4DSCP", "IPv4DontFragment", "IPv4ECN", "IPv4Identification", "IPv6DSCP", "IPv6ECN", "IPv6FlowLabel", and "IPv6Identification" to "additional.fields". - Mapped "MitigationScope", "MitigationSystem", "SampleInterval", "TCPAcknowledgementNumber", "TCPChecksum", "TCPDataOffset", "TCPFlags", "TCPFlagsString", "TCPMSS", "TCPSACKPermitted", "TCPSequenceNumber", "TCPTimestampECR", "TCPTimestampValue", "TCPUrgentPointer", "TCPWindowScale", "TCPWindowSize", "UDPChecksum", "UDPPayloadLength", and "Verdict" to "additional.fields". - When "Outcome" is "drop", then set "security_result.action" to "BLOCK". - When "Direction" is "ingress", then set "network.direction" to "INBOUND". - Mapped "AttackCampaignID", "AttackID", and "AttackVector" to "additional.fields". - Mapped "RuleID" to "security_result.rule_id". - Mapped "RuleName" to "security_result.rule_name". - Mapped "RulesetID" and "RulesetOverrideID" to "security_result_detection_fields". |
| 2024-10-24 | Bug-Fix:
- When "Action" contains "bypass", then set "security_result.action" to "ALLOW". - Mapped "ClientVersion" to "metadata.product_version". - Mapped "DeviceID" to "principal.asset_id". - Mapped "DeviceManufacturer" to "principal.asset.hardware". - Mapped "DeviceModel" to "principal.asset.hardware". - Mapped "DeviceName" to "principal.asset.attribute.labels". - Mapped "DeviceSerialNumber" to "principal.resource.attribute.labels". - Mapped "DeviceType" to "principal.resource.name". - Mapped "Email" to "principal.user.email_addresses"". - Mapped "OSVersion" to "principal.platform_version". - Mapped "PolicyID" to "security_result.rule_id". - Mapped "PostureCheckName" to "additional.fields". - Mapped "PostureCheckType" to "additional.fields". - Mapped "PostureEvaluatedResult" to "additional.fields". - Mapped "PostureExpectedJSON.os" to "security_result.detection_fields". - Mapped "PostureExpectedJSON.operator" to "security_result.detection_fields". - Mapped "PostureExpectedJSON.connection_id" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.os" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.overall" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.version" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.state" to "security_result.detection_fields". - Mapped "PostureReceivedJSON.last_seen" to "date". - If both "principal" and "event_type_value" are present, then mapped "metadata.event_type" to "USER_UNCATEGORIZED". |
| 2024-10-15 | Enhancement:
- Mapped "ClientRequestSource" to "additional.fields". |
| 2024-10-03 | Enhancement:
- Mapped "SecurityActions", "SecurityRuleIDs", and "SecuritySources" to "additional.fields". - Mapped "SecurityAction", "SecurityRuleID" to "security_result.about.resource.attribute.labels". - Mapped "SecurityRuleID" to "security_result.threat_id". - Mapped "SecurityRuleDescription" to "security_result.threat_name" and "security_result.rule_name". |
| 2024-02-19 | Bug-Fix:
- When there is no principal and target machine data, then mapped "metadata.event_type" to "GENERIC_EVENT". - When "Datetime" field is missing and "Timestamp" field is present, then mapped "Timestamp" to "metadata.event_timestamp". - Mapped "ClientIP" to "principal.ip". - Mapped "RayID" to "metadata.product_log_id". - Mapped "EdgeResponseStatus" to "network.http.response_code". - Mapped "ClientRequestMethod" to "network.http.method". - Mapped "ClientRequestURI" to "target.uri". - Mapped "ClientRequestHost" to "target.hostname". |
| 2024-01-31 | Enhancement:
- Mapped "BotScore" to "security_result.detection_fields". - Aligned "principal.hostname", "target.hostname", "principal.asset.hostname", and "target.asset.hostname" mappings. - Aligned "principal.ip", "target.ip", "principal.asset.ip", and "target.asset.ip" mappings. |
| 2024-01-08 | Enhancement:
- When "Action" contains "allow", then set "security_result.action" to "ALLOW". - Added mapping of "DeviceName" to "principal.hostname", "principal.asset.hostname". - Added mapping of "SourceIP" to "principal.ip" for DNS logs. - Added a null conditional check before mapping "principal" to "event.idm.read_only_udm.principal". - Added a null conditional check before mapping "target" to "event.idm.read_only_udm.target". |
| 2023-11-22 | Enhancement:
- Mapped "WAFRuleID" to "security_result.threat_id". - Mapped "WAFRuleMessage" to "security_result.threat_name". - Mapped "WAFRCEAttackScore", "WAFSQLiAttackScore", "WAFXSSAttackScore", "WAFAttackScore", "WAFFlags" to "security_result.about.resource.attribute.labels". |
| 2023-10-09 | Enhancement:
- When "SecurityAction" value is null or not present, then set "security_result.action" to "ALLOW". |
| 2023-09-26 | Enhancement:
- Modified mappings from using deprecated UDM fields to alternative fields. - Added mapping from "security_result.about.labels" to "security_result.about.resource.attribute.labels". - Added mapping from "about.labels" to "security_result.about.resource.attribute.labels". - Added mapping from "target.resource.id" to "target.resource.product_object_id". |
| 2023-04-25 | Enhancement to map the following raw log fields to UDM fields:
- Initialized "EdgeStartTimestamp", "ClientIP", "ClientRequestHost", "ClientRequestURI", "ClientRequestMethod", "Datetime", "ActorEmail", and "ActorIP" to null. - Mapped "AssetExternalID" to "principal.asset_id". - Mapped "AssetDisplayName" to "principal.asset.attribute.labels". - Mapped "AssetLink" to "principal.url". - Mapped "AssetMetadata.userKey" to "principal.user.attribute.labels". - Mapped "AssetMetadata.clientId" to "principal.user.userid". - Mapped "AssetMetadata.anonymous" to "security_result.detection_fields". - Mapped "AssetMetadata.nativeApp" to "security_result.detection_fields". - Mapped "DetectedTimestamp" to "metadata.event_timestamp". - Mapped "FindingTypeDisplayName" to "security_result.description". - Mapped "FindingTypeID" to "security_result.rule_id". - Mapped "FindingTypeSeverity" to "security_result.severity". - Mapped "InstanceID" to "principal.resource.product_object_id". - Mapped "IntegrationDisplayName" to "additional.fields". - Mapped "IntegrationID" to "metadata.product_deployment_id". - Mapped "IntegrationPolicyVendor" to "additional.fields". - Mapped "AssetMetadata.customerId" to "principal.user.userid". - Mapped "AssetMetadata.primaryEmail" to "principal.user.email_addresses". - Mapped "AssetMetadata.agreedToTerms" to "principal.user.attribute.labels". - Mapped "AssetMetadata.ipWhitelisted" to "principal.user.attribute.labels". - Mapped "AssetMetadata.lastLoginTime" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isEnforcedIn2Sv" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isEnrolledIn2Sv" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isDelegatedAdmin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.changePasswordAtNextLogin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.includeInGlobalAddressList" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isAdmin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.suspended" to "principal.user.attribute.labels". - Mapped "AssetMetadata.url" to "principal.url". - Mapped "AssetMetadata.site_admin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.login" to "principal.user.userid". - Mapped "AssetMetadata.owner.id" to "principal.user.userid". - Mapped "AssetMetadata.name.fullName" to "principal.user.user_display_name". - Mapped "AssetMetadata.name.givenName" to "principal.user.first_name". - Mapped "AssetMetadata.name.familyName" to "principal.user.last_name". - Mapped "Allowed" to "security_result.action". - Mapped "AppDomain" to "target.administrative_domain". - Mapped "AppUUID" to "target.resource.product_object_id". - Mapped "Connection" to "target.resource.attribute.labels". - Mapped "Country" to "target.location.country_or_region". - Mapped "CreatedAt" to "metadata.event_timestamp". - Mapped "IPAddress" to "target.ip". - Mapped "RayID" to "metadata.product_log_id". - Mapped "Email" to "principal.user.email_addresses" and "target.user.email_addresses". - Mapped "TemporaryAccessDuration" to "network.session_duration.seconds". - Mapped "UserUID" to "target.user.product_object_id". - Mapped "UserAgent" to "network.http.parsed_user_agent". - Mapped "ClientRequestUserAgent" to "network.http.parsed_user_agent". - Mapped "PolicyName" to "security_result.rule_name". - Mapped "SessionID" to "network.session_id". - Mapped "Transport" to "network.ip_protocol". - Mapped "SNI" to "tls.client.server_name". - Mapped "DeviceName" to "principal.asset.attribute.labels". - Mapped "BytesReceived" to "network.received_bytes". - Mapped "BytesSent" to "network.sent_bytes". - Mapped "Protocol" to "network.ip_protocol". - Mapped "ClientTCPHandshakeDurationMs" to "additional.fields". - Mapped "ClientTLSCipher" to "network.tls.cipher". - Mapped "ClientTLSHandshakeDurationMs" to "additional.fields". - Mapped "ClientTLSVersion" to "network.tls.version". - Mapped "ConnectionCloseReason" to "additional.fields". - Mapped "ConnectionReuse" to "additional.fields". - Mapped "DestinationTunnelID" to "additional.fields". - Mapped "EgressIP" to "principal.ip". - Mapped "EgressPort" to "principal.port". - Mapped "EgressRuleID" to "additional.fields". - Mapped "EgressRuleName" to "additional.fields". - Mapped "IngressColoName" to "additional.fields". - Mapped "Offramp" to "additional.fields". - Mapped "OriginIP" to "target.ip". - Mapped "OriginPort" to "target.port". - Mapped "OriginTLSCertificateIssuer" to "additional.fields". - Mapped "OriginTLSCertificateValidationResult" to "additional.fields". - Mapped "OriginTLSCipher" to "additional.fields". - Mapped "OriginTLSHandshakeDurationMs" to "additional.fields". - Mapped "OriginTLSVersion" to "additional.fields". - Mapped "RuleEvaluationDurationMs" to "additional.fields". - Mapped "SessionEndTime" to "additional.fields". - Mapped "SessionStartTime" to "metadata.event_timestamp". - Mapped "SourceIP" to "src.ip". - Mapped "SourcePort" to "src.port". - Mapped "UserID" to "principal.user.product_object_id". - Mapped "VirtualNetworkID" to "principal.resource.product_object_id". |
| 2023-04-06 | Enhancement - Declared the fields "WAFRuleMessage", "WAFAction", "QueryType", "RayID", "Email" at global level.
- Mapped "metadata.event_type" as "NETWORK_UNCATEGORIZED" where the field "QueryName" and "QueryNameReversed" are null. - Added on error checks for the following fields: RData[n].type, RData[n].data, EdgeResponseBytes, ClientRequestBytes, EdgeResponseStatus. - Added string conversion for the fields "SourcePort" and "DestinationPort". |
| 2022-10-10 | Enhancement
- Mapped "metadata.product_name" to "Web Application Firewall". - Mapped "metadata.vendor_name" to "Cloudflare". |
| 2022-05-23 | Enhancement to map following raw logs elements to UDM elements:
Mapped 'ClientASN' to 'network.asn'. Mapped 'ClientSSLCipher' to 'network.tls.cipher'. Mapped 'ClientSSLProtocol' to 'network.tls.version'. Mapped 'EdgeResponseContentType' to 'target.file.mime_type'. Mapped 'OriginIP' to 'intermediary.ip'. Mapped 'FirewallMatchesActions' to 'security_result.action'. Mapped 'FirewallMatchesRuleIDs' to 'security_result.rule_id'. Mapped 'FirewallMatchesSources' to 'security_result.rule_name'. Mapped 'WAFRuleID', 'WAFProfile' to 'security_result.about.labels'. Mapped 'CacheCacheStatus', 'CacheResponseBytes', 'CacheResponseStatus', 'ClientDeviceType', 'EdgeColoCode', 'EdgeColoID', 'OriginResponseBytes', 'OriginResponseStatus', 'OriginResponseTime', 'ZoneID' to 'additional.fields'. |