Change log for CLOUDFLARE_WAF
| Date | Changes |
|---|---|
| 2025-08-21 | Enhancement:
- event.idm.read_only_udm.network.http.response_code: Removed mapping of `EdgeResponseStatus` with `event.idm.read_only_udm.network.http.response_code` UDM field in order to introduce a more accurate mapping for the raw log field.. - event.idm.read_only_udm.network.http.response_code: Newly mapped `OriginResponseStatus` raw log field to `event.idm.read_only_udm.network.http.response_code` UDM field. - event.idm.read_only_udm.principal.location.city: Newly mapped `ClientCity` raw log field to event.idm.read_only_udm.principal.location.city UDM field. - event.idm.read_only_udm.network.tls.client.ja3: Newly mapped `JA3Hash` raw log field to event.idm.read_only_udm.network.tls.client.ja3 UDM field. - event.idm.read_only_udm.additional.fields: Newly mapped `EdgeResponseStatus`, `BotScore`, `JA4`, `ClientRequestReferer`, `RequestHeaders.x-client-id` raw log fields with `event.idm.read_only_udm.additional.fields` UDM field. - event.idm.read_only_udm.security_result.action: Setting `event.idm.read_only_udm.security_result.action` to `BLOCK` when `SecurityAction` raw log field is `BLOCK` else if `SecurityAction` raw log field is `ALLOW` then `event.idm.read_only_udm.security_result.action` is set to `ALLOW`. - event.idm.read_only_udm.metadata.event_timestamp: Newly mapped `EdgeStartTimestamp` raw log field to `event.idm.read_only_udm.metadata.event_timestamp` UDM field. |
| 2025-01-31 | Enhancement:
- Mapped "SecurityRuleID" to "security_result.threat_id". - Mapped "SecurityRuleDescription" to "security_result.threat_name". - Mapped "SecurityRuleDescription" to "security_result.action_details". |
| 2024-08-08 | Enhancement:
- Extracted data from "ClientRequestHost" and "ClientRequestURI", merged it and mapped the result to "target.url". |
| 2023-08-30 | - Initialized field "ClientRequestPath".
|
| 2023-02-02 | - Validated the 'security_result' value before its getting merged to event.
|
| 2022-09-16 | - Mapped the field 'Action' to 'security_result.action_details'.
- Mapped 'security_result.action' to 'ALLOW_WITH_MODIFICATION' when action contains "challengeSolved", "jschallengeSolved", "managedchallengenoninteractivesolved", "managedchallengeinteractivesolved". - Mapped 'security_result.action' to 'BLOCK' when action contains "drop", "block", "connectionclose". - Mapped 'security_result.action' to 'FAIL' when action contains "challengefailed", "jschallengefailed". |
| 2022-07-25 |