Panther supports ingesting Cloudflare logs via Cloudflare's Logpush service, which streams logs directly to Amazon Web Services (AWS) S3, Google Cloud Storage (GCS), or Azure Blob Storage.
Note that Cloudflare's Logpush is available to Cloudflare Enterprise customers only. While some Cloudflare log types on this page (e.g., Audit logs) may be pulled without Logpush, Panther's supported schemas rely on the data structure when delivered by Logpush.
How to onboard Cloudflare logs to Panther
You can ingest Cloudflare logs into Panther by streaming them to an S3 bucket, GCS bucket, or Azure Blob source.
Prerequisite
Create a new S3 bucket in your AWS account.
We recommend creating a new S3 bucket specifically for Cloudflare logs. You can use the default settings.
Note the region you are creating the bucket in, as you will need to provide it to Cloudflare.
Create a new GCS bucket in your Google Cloud Platform (GCP) account.
We recommend creating a new GCS bucket specifically for Cloudflare logs. You can use the default settings.
Create a new Blob storage in your Azure account.
We recommend creating a new Blob storage specifically for Cloudflare logs. You can use the default settings.
Step 1: Set up the Cloudflare source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Cloudflare,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the AWS S3 Bucket option. Leave this selection as-is, or select Google Cloud Storage or Azure Blob Storage.
Step 2: Configure Logpush to stream logs to your cloud storage location
When choosing the dataset type for your Logpush job, note that Cloudflare has options for account-scoped data and zone-scoped data. Audit logs are account-scoped, whereas Firewall, HttpRequest, and Spectrum are zone-scoped.
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Cloudflare.Audit
parser:
native:
name: Cloudflare.Audit
description: Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account level actions like login and logout, as well as zone configuration changes.
referenceURL: https://developers.cloudflare.com/logs/reference/log-fields/account/audit_logs
fields:
- name: ActionResult
description: Whether the action was successful
type: boolean
- name: ActionType
description: Type of action taken
type: string
- name: ActorEmail
description: Email of the actor
type: string
indicators:
- email
- name: ActorID
description: Unique identifier of the actor in Cloudflare's system
type: string
indicators:
- username
- name: ActorIP
description: Physical network address of the actor
type: string
indicators:
- ip
- name: ActorType
description: Type of user that started the audit trail
type: string
- name: ID
required: true
description: Unique identifier of an audit log
type: string
- name: Interface
description: Entry point or interface of the audit log
type: string
- name: Metadata
description: Additional audit log-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by ResourceType.
type: json
- name: NewValue
description: Contains the new value for the audited item
type: json
- name: OldValue
description: Contains the old value for the audited item
type: json
- name: OwnerID
description: The identifier of the user that was acting or was acted on behalf of. If a user did the action themselves, this value will be the same as the ActorID.
type: string
indicators:
- username
- name: ResourceID
description: Unique identifier of the resource within Cloudflares system
type: string
- name: ResourceType
required: true
description: The type of resource that was changed
type: string
- name: When
required: true
description: When the change happened
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
schema: Cloudflare.Firewall
description: Cloudflare Firewall logs. When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#firewall-events
fields:
- name: Action
description: The code of the first-class action the Cloudflare Firewall took on this request
type: string
- name: ClientASN
description: The ASN number of the visitor
type: bigint
- name: ClientASNDescription
description: The ASN of the visitor as string
type: string
- name: ClientCountry
description: Country from which request originated
type: string
- name: ClientIP
description: The visitor's IP address (IPv4 or IPv6)
type: string
indicators:
- ip
- name: ClientIPClass
description: 'The classification of the visitor''s IP address, possible values are: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService |securityScanner | noRecord | scan | backupService | mobilePlatform | tor'
type: string
- name: ClientRefererHost
description: The referer host
type: string
indicators:
- hostname
- name: ClientRefererPath
description: The referer path requested by visitor
type: string
- name: ClientRefererQuery
description: The referer query-string was requested by the visitor
type: string
- name: ClientRefererScheme
description: The referer url scheme requested by the visitor
type: string
- name: ClientRequestHost
description: The HTTP hostname requested by the visitor
type: string
indicators:
- hostname
- name: ClientRequestMethod
description: The HTTP method used by the visitor
type: string
- name: ClientRequestPath
description: The path requested by visitor
type: string
- name: ClientRequestProtocol
description: The version of HTTP protocol requested by the visitor
type: string
- name: ClientRequestQuery
description: The query-string was requested by the visitor
type: string
- name: ClientRequestScheme
description: The url scheme requested by the visitor
type: string
- name: ClientRequestUserAgent
description: Visitor's user-agent string
type: string
- name: Datetime
required: true
description: The date and time the event occurred at the edge
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
- name: Description
description: Rule description for this event
type: string
- name: EdgeColoCode
description: The airport code of the Cloudflare datacenter that served this request
type: string
- name: EdgeResponseStatus
description: HTTP response status code returned to browser
type: smallint
- name: Kind
description: 'The kind of event, currently only possible values are: firewall'
type: string
- name: MatchIndex
description: Rules match index in the chain
type: bigint
- name: Metadata
description: Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time
type: json
- name: OriginResponseStatus
description: HTTP origin response status code returned to browser
type: smallint
- name: OriginatorRayID
description: The RayID of the request that issued the challenge/jschallenge
type: string
indicators:
- trace_id
- name: RayID
description: The RayID of the request
type: string
indicators:
- trace_id
- name: Ref
description: User-defined rule reference for this event
type: string
- name: RuleID
description: The Cloudflare security product-specific RuleID triggered by this request
type: string
- name: Source
description: The Cloudflare security product triggered by this request
type: string
schema: Cloudflare.HttpRequest
description: Cloudflare http request logs. When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#http-requests
fields:
- name: BotDetectionIDs
description: List of IDs that correlate to the Bot Management Heuristic detections made on a request. Available in Logpush v2 only.
type: array
element:
type: bigint
- name: BotScore
description: Cloudflare Bot Score (available for Bot Management customers; please contact your account team to enable)
type: bigint
- name: BotScoreSrc
description: Underlying detection engine or source on where a Bot Score is calculated. Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot
type: string
- name: BotTags
description: Type of bot traffic (if available). Refer to Bot Tags for the list of potential values. Available in Logpush v2 only.
type: array
element:
type: string
- name: CacheCacheStatus
description: unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated
type: string
- name: CacheReserveUsed
description: Cache Reserve was used to serve this request. Available in Logpush v2 only.
type: boolean
- name: CacheResponseBytes
description: Number of bytes returned by the cache
type: bigint
- name: CacheResponseStatus
description: HTTP status code returned by the cache to the edge; all requests (including non-cacheable ones) go through the cache; also see CacheStatus field
type: smallint
- name: CacheTieredFill
description: Tiered Cache was used to serve this request
type: boolean
- name: ClientASN
description: Client AS number
type: bigint
- name: ClientCountry
description: Country of the client IP address
type: string
- name: ClientDeviceType
description: Client device type
type: string
- name: ClientIP
description: IP address of the client
type: string
indicators:
- ip
- name: ClientIPClass
description: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService | securityScanner | noRecord | scan |backupService | mobilePlatform | tor
type: string
- name: ClientMTLSAuthCertFingerprint
description: The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.
type: string
indicators:
- sha256
- name: ClientMTLSAuthStatus
description: The status of mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only. Possible values are unknown | ok | absent | untrusted | notyetvalid | expired
type: string
- name: ClientRegionCode
description: The ISO-3166-2 region code of the client IP address.
type: string
- name: ClientRequestBytes
description: Number of bytes in the client request
type: bigint
- name: ClientRequestHost
description: Host requested by the client
type: string
indicators:
- hostname
- name: ClientRequestMethod
description: HTTP method of client request
type: string
- name: ClientRequestPath
description: URI path requested by the client
type: string
- name: ClientRequestProtocol
description: HTTP protocol of client request
type: string
- name: ClientRequestReferer
description: HTTP request referrer
type: string
indicators:
- hostname
- name: ClientRequestScheme
description: The URL scheme requested by the visitor. Available in Logpush v2 only.
type: string
indicators:
- hostname
- name: ClientRequestSource
description: Identifies requests as coming from an external source or another service within Cloudflare. Refer to ClientRequestSource field for the list of potential values. Available in Logpush v2 only.
type: string
indicators:
- hostname
- name: ClientRequestURI
description: URI requested by the client
type: string
- name: ClientRequestUserAgent
description: User agent reported by the client
type: string
- name: ClientSrcPort
description: Client source port
type: int
- name: ClientSSLCipher
description: Client SSL cipher
type: string
- name: ClientSSLProtocol
description: Client SSL (TLS) protocol
type: string
- name: ClientTCPRTTMs
description: The smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. Available in Logpush v2 only.
type: bigint
- name: ClientXRequestedWith
description: X-Requested-With HTTP header
type: string
- name: ContentScanObjResults
description: List of content scan results.
type: array
element:
type: string
- name: ContentScanObjTypes
description: List of content types.
type: array
element:
type: string
- name: Cookies
description: String key-value pairs for Cookies.
type: json
- name: EdgeCFConnectingO2O
description: True if the request looped through multiple zones on the Cloudflare edge. This is considered an orange to orange (o2o) request. Available in Logpush v2 only.
type: boolean
- name: EdgeColoCode
description: IATA airport code of data center that received the request
type: string
- name: EdgeColoID
description: Cloudflare edge colo id
type: bigint
- name: EdgeEndTimestamp
description: Timestamp at which the edge finished sending response to the client
type: timestamp
timeFormats:
- cloudflare
- name: EdgePathingOp
description: Indicates what type of response was issued for this request (unknown = no specific action)
type: string
- name: EdgePathingSrc
description: Details how the request was classified based on security checks (unknown = no specific classification)
type: string
- name: EdgePathingStatus
description: Indicates what data was used to determine the handling of this request (unknown = no data)
type: string
- name: EdgeRateLimitAction
description: The action taken by the blocking rule; empty if no action taken
type: string
- name: EdgeRateLimitID
description: The internal rule ID of the rate-limiting rule that triggered a block (ban) or simulate action. 0 if no action taken
type: string
- name: EdgeRequestHost
description: Host header on the request from the edge to the origin
type: string
indicators:
- hostname
- name: EdgeResponseBodyBytes
description: Size of the HTTP response body returned to clients. Available in Logpush v2 only.
type: bigint
- name: EdgeResponseBytes
description: Number of bytes returned by the edge to the client
type: bigint
- name: EdgeResponseCompressionRatio
description: Edge response compression ratio
type: float
- name: EdgeResponseContentType
description: Edge response Content-Type header value
type: string
- name: EdgeResponseStatus
description: HTTP status code returned by Cloudflare to the client
type: smallint
- name: EdgeServerIP
description: IP of the edge server making a request to the origin
type: string
indicators:
- ip
- name: EdgeStartTimestamp
required: true
description: Timestamp at which the edge received request from the client
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
- name: EdgeTimeToFirstByteMs
description: Total view of Time To First Byte as measured at Cloudflare's edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. Available in Logpush v2 only.
type: bigint
- name: FirewallMatchesActions
description: Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
type: array
element:
type: string
- name: FirewallMatchesRuleIDs
description: Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
type: array
element:
type: string
- name: FirewallMatchesSources
description: The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect
type: array
element:
type: string
- name: JA3Hash
description: The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. Available in Logpush v2 only.
type: string
indicators:
- md5
- name: OriginDNSResponseTimeMs
description: Time taken to receive a DNS response for an origin name. Usually takes a few milliseconds, but may be longer if a CNAME record is used. Available in Logpush v2 only.
type: bigint
- name: OriginIP
description: IP of the origin server
type: string
indicators:
- ip
- name: OriginRequestHeaderSendDurationMs
description: Time taken to send request headers to origin after establishing a connection. Note that this value is usually 0. Available in Logpush v2 only.
type: bigint
- name: OriginResponseBytes
description: Number of bytes returned by the origin server
type: bigint
- name: OriginResponseDurationMs
description: Upstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. Available in Logpush v2 only.
type: bigint
- name: OriginResponseHeaderReceiveDurationMs
description: Time taken for origin to return response headers after Cloudflare finishes sending request headers. Available in Logpush v2 only.
type: bigint
- name: OriginResponseHTTPExpires
description: Value of the origin 'expires' header in RFC1123 format
type: timestamp
timeFormats:
- '%a, %d %b %Y %H:%M:%S %Z'
- name: OriginResponseHTTPLastModified
description: Value of the origin 'last-modified' header in RFC1123 format
type: timestamp
timeFormats:
- '%a, %d %b %Y %H:%M:%S %Z'
- name: OriginResponseStatus
description: Status returned by the origin server
type: smallint
- name: OriginResponseTime
description: Number of nanoseconds it took the origin to return the response to edge
type: bigint
- name: OriginSSLProtocol
description: SSL (TLS) protocol used to connect to the origin
type: string
- name: OriginTCPHandshakeDurationMs
description: Time taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
type: bigint
- name: OriginTLSHandshakeDurationMs
description: Time taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
type: bigint
- name: ParentRayID
description: Ray ID of the parent request if this request was made using a Worker script
type: string
indicators:
- trace_id
- name: RayID
description: ID of the request
type: string
indicators:
- trace_id
- name: RequestHeaders
description: String key-value pairs for RequestHeaders
type: json
- name: ResponseHeaders
description: String key-value pairs for ResponseHeaders
type: json
- name: SecurityAction
description: Rule action of the security rule that triggered a terminating action, if any
type: string
- name: SecurityActions
description: Array of actions that Cloudflare security products performed on this request. The individual security products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
type: array
element:
type: string
- name: SecurityLevel
description: The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system
type: string
- name: SecurityRuleDescription
description: Rule description of the security rule that triggered a terminating action, if any
type: string
- name: SecurityRuleID
description: Rule ID of the security rule that triggered a terminating action, if any
type: string
- name: SecurityRuleIDs
description: Array of security rule IDs that matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
type: array
element:
type: string
- name: SecuritySources
description: Array of Cloudflare security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect
type: array
element:
type: string
- name: SmartRouteColoID
description: The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only.
type: bigint
- name: UpperTierColoID
description: The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only.
type: bigint
- name: WAFAction
description: Action taken by the WAF, if triggered
type: string
- name: WAFAttackScore
description: Overall request score generated by the WAF detection module.
type: bigint
- name: WAFFlags
description: 'Additional configuration flags: simulate (0x1) | null'
type: string
- name: WAFMatchedVar
description: The full name of the most-recently matched variable
type: string
- name: WAFProfile
description: low | med | high
type: string
- name: WAFRCEAttackScore
description: WAF score for an RCE attack.
type: bigint
- name: WAFRuleID
description: ID of the applied WAF rule
type: string
- name: WAFRuleMessage
description: Rule message associated with the triggered rule
type: string
- name: WAFSQLiAttackScore
description: WAF score for an SQLi attack.
type: bigint
- name: WAFXSSAttackScore
description: WAF score for an XSS attack.
type: bigint
- name: WorkerCPUTime
description: Amount of time in microseconds spent executing a worker, if any
type: bigint
- name: WorkerStatus
description: Status returned from worker daemon
type: string
- name: WorkerSubrequest
description: Whether or not this request was a worker subrequest
type: boolean
- name: WorkerSubrequestCount
description: Number of subrequests issued by a worker when handling this request
type: bigint
- name: WorkerWallTimeUs
description: Real-time in microseconds elapsed between start and end of worker invocation.
type: bigint
- name: ZoneID
description: Internal zone ID
type: bigint
- name: ZoneName
description: The human-readable name of the zone (e.g. cloudflare.com). Available in Logpush v2 only.
type: string
- name: JA4
description: The JA4 fingerprint used to profile SSL/TLS clients.
type: string
- name: JA4Signals
description: Inter-request statistics computed for this JA4 fingerprint. JA4Signals field is organized in key:value pairs, where values are numbers.
type: json
- name: LeakedCredentialCheckResult
description: Result of the check for leaked credentials.
type: string
schema: Cloudflare.Spectrum
description: Cloudflare Spectrum logs. When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#spectrum-events
fields:
- name: Application
description: The unique public ID of the application on which the event occurred
type: string
- name: ClientASN
description: Client AS number
type: bigint
- name: ClientBytes
description: The number of bytes read from the client by the Spectrum service
type: bigint
- name: ClientCountry
description: Country of the client IP address
type: string
- name: ClientIP
description: IP address of the client
type: string
indicators:
- ip
- name: ClientMatchedIpFirewall
description: Whether the connection matched any IP Firewall rules; UNKNOWN | ALLOW | BLOCK_ERROR | BLOCK_IP | BLOCK_COUNTRY | BLOCK_ASN | WHITELIST_IP |WHITELIST_COUNTRY | WHITELIST_ASN
type: string
- name: ClientPort
description: Client port
type: int
- name: ClientProto
description: Transport protocol used by client; tcp | udp | unix
type: string
- name: ClientTcpRtt
description: The TCP round-trip time in nanoseconds between the client and Spectrum
type: bigint
- name: ClientTlsCipher
description: The cipher negotiated between the client and Spectrum
type: string
- name: ClientTlsClientHelloServerName
description: The server name in the Client Hello message from client to Spectrum
type: string
- name: ClientTlsProtocol
description: The TLS version negotiated between the client and Spectrum; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
type: string
- name: ClientTlsStatus
description: Indicates state of TLS session from the client to Spectrum; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
type: string
- name: ColoCode
description: IATA airport code of data center that received the request
type: string
- name: ConnectTimestamp
description: Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established
type: timestamp
timeFormats:
- cloudflare
- name: DisconnectTimestamp
description: Timestamp at which the connection was closed
type: timestamp
timeFormats:
- cloudflare
- name: Event
description: connect | disconnect | clientFiltered | tlsError | resolveOrigin | originError
type: string
- name: IpFirewall
description: Whether IP Firewall was enabled at time of connection
type: boolean
- name: OriginBytes
description: The number of bytes read from the origin by Spectrum
type: bigint
- name: OriginIP
description: Origin IP address
type: string
indicators:
- ip
- name: OriginPort
description: Origin port
type: int
- name: OriginProto
description: Transport protocol used by origin; tcp | udp | unix
type: string
- name: OriginTcpRtt
description: The TCP round-trip time in nanoseconds between Spectrum and the origin
type: bigint
- name: OriginTlsCipher
description: The cipher negotiated between Spectrum and the origin
type: string
- name: OriginTlsFingerprint
description: SHA256 hash of origin certificate
type: string
- name: OriginTlsMode
description: If and how the upstream connection is encrypted; unknown | off | flexible | full | strict
type: string
- name: OriginTlsProtocol
description: The TLS version negotiated between Spectrum and the origin; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
type: string
- name: OriginTlsStatus
description: The state of the TLS session from Spectrum to the origin; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
type: string
- name: ProxyProtocol
description: Which form of proxy protocol is applied to the given connection; off | v1 | v2 | simple
type: string
- name: Status
description: A code indicating reason for connection closure
type: bigint
- name: Timestamp
required: true
description: Timestamp at which the event took place
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
