Change log for CLOUDFLARE
Date | Changes |
---|---|
2024-10-15 | Enhancement: - Mapped "ClientRequestSource" to "additional.fields". |
2024-10-03 | Enhancement: - Mapped "SecurityActions", "SecurityRuleIDs", and "SecuritySources" to "additional.fields". - Mapped "SecurityAction" and "SecurityRuleID" to "security_result.about.resource.attribute.labels". - Mapped "SecurityRuleID" to "security_result.threat_id". - Mapped "SecurityRuleDescription" to "security_result.threat_name" and "security_result.rule_name". |
2024-02-19 | Bug fix: - When neither principal nor target machine data is present, mapped "metadata.event_type" to "GENERIC_EVENT". - When the "Datetime" field is missing and the "Timestamp" field is present, mapped "Timestamp" to "metadata.event_timestamp". - Mapped "ClientIP" to "principal.ip". - Mapped "RayID" to "metadata.product_log_id". - Mapped "EdgeResponseStatus" to "network.http.response_code". - Mapped "ClientRequestMethod" to "network.http.method". - Mapped "ClientRequestURI" to "target.uri". - Mapped "ClientRequestHost" to "target.hostname". |
2024-01-31 | Enhancement: - Mapped "BotScore" to "security_result.detection_fields". - Aligned the "principal.hostname", "target.hostname", "principal.asset.hostname", and "target.asset.hostname" mappings. - Aligned the "principal.ip", "target.ip", "principal.asset.ip", and "target.asset.ip" mappings. |
2024-01-08 | Enhancement: - When "Action" contains "allow", set "security_result.action" to "ALLOW". - Added mapping of "DeviceName" to "principal.hostname" and "principal.asset.hostname". - Added mapping of "SourceIP" to "principal.ip" for DNS logs. - Added a null check before mapping "principal" to "event.idm.read_only_udm.principal". - Added a null check before mapping "target" to "event.idm.read_only_udm.target". |
2023-11-22 | Enhancement: - Mapped "WAFRuleID" to "security_result.threat_id". - Mapped "WAFRuleMessage" to "security_result.threat_name". - Mapped "WAFRCEAttackScore", "WAFSQLiAttackScore", "WAFXSSAttackScore", "WAFAttackScore", and "WAFFlags" to "security_result.about.resource.attribute.labels". |
2023-10-09 | Enhancement: - When the "SecurityAction" value is null or not present, set "security_result.action" to "ALLOW". |
2023-09-26 | Enhancement: - Modified mappings that used deprecated UDM fields to use their replacement fields. - Added mapping from "security_result.about.labels" to "security_result.about.resource.attribute.labels". - Added mapping from "about.labels" to "security_result.about.resource.attribute.labels". - Added mapping from "target.resource.id" to "target.resource.product_object_id". |
2023-04-25 | Enhancement to map the following raw log fields to UDM fields: - Initialized "EdgeStartTimestamp", "ClientIP", "ClientRequestHost", "ClientRequestURI", "ClientRequestMethod", "Datetime", "ActorEmail", and "ActorIP" to null. - Mapped "AssetExternalID" to "principal.asset_id". - Mapped "AssetDisplayName" to "principal.asset.attribute.labels". - Mapped "AssetLink" to "principal.url". - Mapped "AssetMetadata.userKey" to "principal.user.attribute.labels". - Mapped "AssetMetadata.clientId" to "principal.user.userid". - Mapped "AssetMetadata.anonymous" to "security_result.detection_fields". - Mapped "AssetMetadata.nativeApp" to "security_result.detection_fields". - Mapped "DetectedTimestamp" to "metadata.event_timestamp". - Mapped "FindingTypeDisplayName" to "security_result.description". - Mapped "FindingTypeID" to "security_result.rule_id". - Mapped "FindingTypeSeverity" to "security_result.severity". - Mapped "InstanceID" to "principal.resource.product_object_id". - Mapped "IntegrationDisplayName" to "additional.fields". - Mapped "IntegrationID" to "metadata.product_deployment_id". - Mapped "IntegrationPolicyVendor" to "additional.fields". - Mapped "AssetMetadata.customerId" to "principal.user.userid". - Mapped "AssetMetadata.primaryEmail" to "principal.user.email_addresses". - Mapped "AssetMetadata.agreedToTerms" to "principal.user.attribute.labels". - Mapped "AssetMetadata.ipWhitelisted" to "principal.user.attribute.labels". - Mapped "AssetMetadata.lastLoginTime" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isEnforcedIn2Sv" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isEnrolledIn2Sv" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isDelegatedAdmin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.changePasswordAtNextLogin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.includeInGlobalAddressList" to "principal.user.attribute.labels". - Mapped "AssetMetadata.isAdmin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.suspended" to "principal.user.attribute.labels". - Mapped "AssetMetadata.url" to "principal.url". - Mapped "AssetMetadata.site_admin" to "principal.user.attribute.labels". - Mapped "AssetMetadata.login" to "principal.user.userid". - Mapped "AssetMetadata.owner.id" to "principal.user.userid". - Mapped "AssetMetadata.name.fullName" to "principal.user.user_display_name". - Mapped "AssetMetadata.name.givenName" to "principal.user.first_name". - Mapped "AssetMetadata.name.familyName" to "principal.user.last_name". - Mapped "Allowed" to "security_result.action". - Mapped "AppDomain" to "target.administrative_domain". - Mapped "AppUUID" to "target.resource.product_object_id". - Mapped "Connection" to "target.resource.attribute.labels". - Mapped "Country" to "target.location.country_or_region". - Mapped "CreatedAt" to "metadata.event_timestamp". - Mapped "IPAddress" to "target.ip". - Mapped "RayID" to "metadata.product_log_id". - Mapped "Email" to "principal.user.email_addresses" and "target.user.email_addresses". - Mapped "TemporaryAccessDuration" to "network.session_duration.seconds". - Mapped "UserUID" to "target.user.product_object_id". - Mapped "UserAgent" to "network.http.parsed_user_agent". - Mapped "ClientRequestUserAgent" to "network.http.parsed_user_agent". - Mapped "PolicyName" to "security_result.rule_name". - Mapped "SessionID" to "network.session_id". - Mapped "Transport" to "network.ip_protocol". - Mapped "SNI" to "tls.client.server_name". - Mapped "DeviceName" to "principal.asset.attribute.labels". - Mapped "BytesReceived" to "network.received_bytes". - Mapped "BytesSent" to "network.sent_bytes". - Mapped "Protocol" to "network.ip_protocol". - Mapped "ClientTCPHandshakeDurationMs" to "additional.fields". - Mapped "ClientTLSCipher" to "network.tls.cipher". - Mapped "ClientTLSHandshakeDurationMs" to "additional.fields". - Mapped "ClientTLSVersion" to "network.tls.version". - Mapped "ConnectionCloseReason" to "additional.fields". - Mapped "ConnectionReuse" to "additional.fields". - Mapped "DestinationTunnelID" to "additional.fields". - Mapped "EgressIP" to "principal.ip". - Mapped "EgressPort" to "principal.port". - Mapped "EgressRuleID" to "additional.fields". - Mapped "EgressRuleName" to "additional.fields". - Mapped "IngressColoName" to "additional.fields". - Mapped "Offramp" to "additional.fields". - Mapped "OriginIP" to "target.ip". - Mapped "OriginPort" to "target.port". - Mapped "OriginTLSCertificateIssuer" to "additional.fields". - Mapped "OriginTLSCertificateValidationResult" to "additional.fields". - Mapped "OriginTLSCipher" to "additional.fields". - Mapped "OriginTLSHandshakeDurationMs" to "additional.fields". - Mapped "OriginTLSVersion" to "additional.fields". - Mapped "RuleEvaluationDurationMs" to "additional.fields". - Mapped "SessionEndTime" to "additional.fields". - Mapped "SessionStartTime" to "metadata.event_timestamp". - Mapped "SourceIP" to "src.ip". - Mapped "SourcePort" to "src.port". - Mapped "UserID" to "principal.user.product_object_id". - Mapped "VirtualNetworkID" to "principal.resource.product_object_id". |
2023-04-06 | Enhancement: - Declared the fields "WAFRuleMessage", "WAFAction", "QueryType", "RayID", and "Email" at global level. - Set "metadata.event_type" to "NETWORK_UNCATEGORIZED" when both "QueryName" and "QueryNameReversed" are null. - Added on-error checks for the following fields: "RData[n].type", "RData[n].data", "EdgeResponseBytes", "ClientRequestBytes", "EdgeResponseStatus". - Added string conversion for the fields "SourcePort" and "DestinationPort". |
2022-10-10 | Enhancement: - Mapped "metadata.product_name" to "Web Application Firewall". - Mapped "metadata.vendor_name" to "Cloudflare". |
2022-05-23 | Enhancement to map the following raw log fields to UDM fields: - Mapped "ClientASN" to "network.asn". - Mapped "ClientSSLCipher" to "network.tls.cipher". - Mapped "ClientSSLProtocol" to "network.tls.version". - Mapped "EdgeResponseContentType" to "target.file.mime_type". - Mapped "OriginIP" to "intermediary.ip". - Mapped "FirewallMatchesActions" to "security_result.action". - Mapped "FirewallMatchesRuleIDs" to "security_result.rule_id". - Mapped "FirewallMatchesSources" to "security_result.rule_name". - Mapped "WAFRuleID" and "WAFProfile" to "security_result.about.labels". - Mapped "CacheCacheStatus", "CacheResponseBytes", "CacheResponseStatus", "ClientDeviceType", "EdgeColoCode", "EdgeColoID", "OriginResponseBytes", "OriginResponseStatus", "OriginResponseTime", and "ZoneID" to "additional.fields". |
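The conditional rules above (the 2024-02-19 timestamp fallback and GENERIC_EVENT rule, the 2024-01-08 and 2023-10-09 ALLOW rules, and the 2023-04-06 on-error check) are easiest to verify against sample events. The following Python is an added illustration, not the parser's own code; the UNKNOWN_ACTION fallback and the NETWORK_HTTP event type for populated events are assumptions, since the changelog names neither.

```python
from typing import Any, Dict

def _has_machine_data(noun: Dict[str, Any]) -> bool:
    """True when a principal/target noun carries an ip, hostname or uri."""
    return any(k in noun for k in ("ip", "hostname", "uri"))

def map_cloudflare_http(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map the raw fields named in the changelog to a UDM-shaped dict."""
    metadata: Dict[str, Any] = {"vendor_name": "Cloudflare",
                                "product_name": "Web Application Firewall"}
    principal: Dict[str, Any] = {}
    target: Dict[str, Any] = {}
    http: Dict[str, Any] = {}
    # 2024-02-19: prefer "Datetime", fall back to "Timestamp" when it is absent.
    ts = raw.get("Datetime") or raw.get("Timestamp")
    if ts:
        metadata["event_timestamp"] = ts
    if raw.get("RayID"):
        metadata["product_log_id"] = raw["RayID"]
    if raw.get("ClientIP"):
        principal["ip"] = [raw["ClientIP"]]
    if raw.get("ClientRequestHost"):
        target["hostname"] = raw["ClientRequestHost"]
    if raw.get("ClientRequestURI"):
        target["uri"] = raw["ClientRequestURI"]
    if raw.get("ClientRequestMethod"):
        http["method"] = raw["ClientRequestMethod"]
    # 2023-04-06 on-error check: a non-numeric status is dropped, not fatal.
    try:
        http["response_code"] = int(raw["EdgeResponseStatus"])
    except (KeyError, TypeError, ValueError):
        pass
    # 2023-10-09: null/missing "SecurityAction" means ALLOW.
    # 2024-01-08: an "Action" containing "allow" also means ALLOW.
    # UNKNOWN_ACTION for any other value is an assumption (changelog names only ALLOW).
    if raw.get("SecurityAction") is None or "allow" in str(raw.get("Action", "")).lower():
        action = "ALLOW"
    else:
        action = "UNKNOWN_ACTION"
    # 2024-02-19: no principal or target machine data -> GENERIC_EVENT.
    # NETWORK_HTTP for the populated case is an assumption, not stated in the changelog.
    populated = _has_machine_data(principal) or _has_machine_data(target)
    metadata["event_type"] = "NETWORK_HTTP" if populated else "GENERIC_EVENT"
    udm: Dict[str, Any] = {"metadata": metadata, "security_result": [{"action": [action]}]}
    if principal:  # 2024-01-08: null check before emitting principal
        udm["principal"] = principal
    if target:  # 2024-01-08: null check before emitting target
        udm["target"] = target
    if http:
        udm["network"] = {"http": http}
    return udm
```

Feeding a constructed event with only "Timestamp" and a non-numeric "EdgeResponseStatus" exercises the fallback, the dropped status and the GENERIC_EVENT path in one call.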