Cloudflare Logs

Connecting Cloudfare logs to your Panther Console

Overview

Panther supports ingesting Cloudflare logs via Cloudflare's Logpush service, which streams logs directly to Amazon Web Services (AWS) S3, Google Cloud Storage (GCS), or Azure Blob Storage.

Note that Cloudflare's Logpush is available to Cloudflare Enterprise customers only. While some Cloudflare log types on this page (e.g., Audit logs) may be pulled without Logpush, Panther's supported schemas rely on the data structure when delivered by Logpush.

How to onboard Cloudflare logs to Panther

You can ingest Cloudflare logs into Panther by streaming them to an S3 bucket, GCS bucket, or Azure Blob source.

Prerequisite

  • Create a new S3 bucket in your AWS account.

    • We recommend creating a new S3 bucket specifically for Cloudflare logs. You can use the default settings.

    • Note the region you are creating the bucket in, as you will need to provide it to Cloudflare.

Step 1: Set up the Cloudflare source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Cloudflare,” then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the AWS S3 Bucket option. Leave this selection as-is, or select Google Cloud Storage or Azure Blob Storage.

  4. Click Start Setup.

  5. Follow Panther’s documentation for configuring your chosen Data Transport: AWS S3, Google Cloud Storage or Azure Blob Storage.

Step 2: Configure Logpush to stream logs to your cloud storage location

When choosing the dataset type for your Logpush job, note that Cloudflare has options for account-scoped data and zone-scoped data. Audit logs are account-scoped, whereas Firewall, HttpRequest, and Spectrum are zone-scoped.

Panther-managed detections

See Panther-managed rules for Cloudflare in the panther-analysis GitHub repository.

Supported log types

Cloudflare.Audit

When selecting event fields on the Cloudflare UI, make sure you include the When, ID, and ResourceType fields, as they are required by Panther.

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Cloudflare.Audit
parser:
  native:
    name: Cloudflare.Audit
description: Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account level actions like login and logout, as well as zone configuration changes.
referenceURL: https://developers.cloudflare.com/logs/reference/log-fields/account/audit_logs
fields:
  - name: ActionResult
    description: Whether the action was successful
    type: boolean
  - name: ActionType
    description: Type of action taken
    type: string
  - name: ActorEmail
    description: Email of the actor
    type: string
    indicators:
      - email
  - name: ActorID
    description: Unique identifier of the actor in Cloudflare's system
    type: string
    indicators:
      - username
  - name: ActorIP
    description: Physical network address of the actor
    type: string
    indicators:
      - ip
  - name: ActorType
    description: Type of user that started the audit trail
    type: string
  - name: ID
    required: true
    description: Unique identifier of an audit log
    type: string
  - name: Interface
    description: Entry point or interface of the audit log
    type: string
  - name: Metadata
    description: Additional audit log-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by ResourceType.
    type: json
  - name: NewValue
    description: Contains the new value for the audited item
    type: json
  - name: OldValue
    description: Contains the old value for the audited item
    type: json
  - name: OwnerID
    description: The identifier of the user that was acting or was acted on behalf of. If a user did the action themselves, this value will be the same as the ActorID.
    type: string
    indicators:
      - username
  - name: ResourceID
    description: Unique identifier of the resource within Cloudflares system
    type: string
  - name: ResourceType
    required: true
    description: The type of resource that was changed
    type: string
  - name: When
    required: true
    description: When the change happened
    type: timestamp
    timeFormats:
      - cloudflare
    isEventTime: true

Cloudflare.Firewall

When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field, as it is required by Panther.

Reference: Cloudfare Documentation on Log Field Firewalls.

schema: Cloudflare.Firewall
description: Cloudflare Firewall logs. When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#firewall-events
fields:
    - name: Action
      description: The code of the first-class action the Cloudflare Firewall took on this request
      type: string
    - name: ClientASN
      description: The ASN number of the visitor
      type: bigint
    - name: ClientASNDescription
      description: The ASN of the visitor as string
      type: string
    - name: ClientCountry
      description: Country from which request originated
      type: string
    - name: ClientIP
      description: The visitor's IP address (IPv4 or IPv6)
      type: string
      indicators:
        - ip
    - name: ClientIPClass
      description: 'The classification of the visitor''s IP address, possible values are: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService |securityScanner | noRecord | scan | backupService | mobilePlatform | tor'
      type: string
    - name: ClientRefererHost
      description: The referer host
      type: string
      indicators:
        - hostname
    - name: ClientRefererPath
      description: The referer path requested by visitor
      type: string
    - name: ClientRefererQuery
      description: The referer query-string was requested by the visitor
      type: string
    - name: ClientRefererScheme
      description: The referer url scheme requested by the visitor
      type: string
    - name: ClientRequestHost
      description: The HTTP hostname requested by the visitor
      type: string
      indicators:
        - hostname
    - name: ClientRequestMethod
      description: The HTTP method used by the visitor
      type: string
    - name: ClientRequestPath
      description: The path requested by visitor
      type: string
    - name: ClientRequestProtocol
      description: The version of HTTP protocol requested by the visitor
      type: string
    - name: ClientRequestQuery
      description: The query-string was requested by the visitor
      type: string
    - name: ClientRequestScheme
      description: The url scheme requested by the visitor
      type: string
    - name: ClientRequestUserAgent
      description: Visitor's user-agent string
      type: string
    - name: Datetime
      required: true
      description: The date and time the event occurred at the edge
      type: timestamp
      timeFormats:
        - cloudflare
      isEventTime: true
    - name: Description
      description: Rule description for this event
      type: string
    - name: EdgeColoCode
      description: The airport code of the Cloudflare datacenter that served this request
      type: string
    - name: EdgeResponseStatus
      description: HTTP response status code returned to browser
      type: smallint
    - name: Kind
      description: 'The kind of event, currently only possible values are: firewall'
      type: string
    - name: MatchIndex
      description: Rules match index in the chain
      type: bigint
    - name: Metadata
      description: Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time
      type: json
    - name: OriginResponseStatus
      description: HTTP origin response status code returned to browser
      type: smallint
    - name: OriginatorRayID
      description: The RayID of the request that issued the challenge/jschallenge
      type: string
      indicators:
        - trace_id
    - name: RayID
      description: The RayID of the request
      type: string
      indicators:
        - trace_id
    - name: Ref
      description: User-defined rule reference for this event
      type: string
    - name: RuleID
      description: The Cloudflare security product-specific RuleID triggered by this request
      type: string
    - name: Source
      description: The Cloudflare security product triggered by this request
      type: string

Cloudflare.HttpRequest

When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field, as it is required by Panther.

Reference: Cloudfare Documentation on Log Field Requests.

schema: Cloudflare.HttpRequest
description: Cloudflare http request logs. When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#http-requests
fields:
    - name: BotDetectionIDs
      description: List of IDs that correlate to the Bot Management Heuristic detections made on a request. Available in Logpush v2 only.
      type: array
      element:
        type: bigint
    - name: BotScore
      description: Cloudflare Bot Score (available for Bot Management customers; please contact your account team to enable)
      type: bigint
    - name: BotScoreSrc
      description: Underlying detection engine or source on where a Bot Score is calculated. Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot
      type: string
    - name: BotTags
      description: Type of bot traffic (if available). Refer to Bot Tags for the list of potential values. Available in Logpush v2 only.
      type: array
      element:
        type: string
    - name: CacheCacheStatus
      description: unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated
      type: string
    - name: CacheReserveUsed
      description: Cache Reserve was used to serve this request. Available in Logpush v2 only.
      type: boolean
    - name: CacheResponseBytes
      description: Number of bytes returned by the cache
      type: bigint
    - name: CacheResponseStatus
      description: HTTP status code returned by the cache to the edge; all requests (including non-cacheable ones) go through the cache; also see CacheStatus field
      type: smallint
    - name: CacheTieredFill
      description: Tiered Cache was used to serve this request
      type: boolean
    - name: ClientASN
      description: Client AS number
      type: bigint
    - name: ClientCountry
      description: Country of the client IP address
      type: string
    - name: ClientDeviceType
      description: Client device type
      type: string
    - name: ClientIP
      description: IP address of the client
      type: string
      indicators:
        - ip
    - name: ClientIPClass
      description: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService | securityScanner | noRecord | scan |backupService | mobilePlatform | tor
      type: string
    - name: ClientMTLSAuthCertFingerprint
      description: The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.
      type: string
      indicators:
        - sha256
    - name: ClientMTLSAuthStatus
      description: The status of mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only. Possible values are unknown | ok | absent | untrusted | notyetvalid | expired
      type: string
    - name: ClientRegionCode
      description: The ISO-3166-2 region code of the client IP address.
      type: string
    - name: ClientRequestBytes
      description: Number of bytes in the client request
      type: bigint
    - name: ClientRequestHost
      description: Host requested by the client
      type: string
      indicators:
        - hostname
    - name: ClientRequestMethod
      description: HTTP method of client request
      type: string
    - name: ClientRequestPath
      description: URI path requested by the client
      type: string
    - name: ClientRequestProtocol
      description: HTTP protocol of client request
      type: string
    - name: ClientRequestReferer
      description: HTTP request referrer
      type: string
      indicators:
        - hostname
    - name: ClientRequestScheme
      description: The URL scheme requested by the visitor. Available in Logpush v2 only.
      type: string
      indicators:
        - hostname
    - name: ClientRequestSource
      description: Identifies requests as coming from an external source or another service within Cloudflare. Refer to ClientRequestSource field for the list of potential values. Available in Logpush v2 only.
      type: string
      indicators:
        - hostname
    - name: ClientRequestURI
      description: URI requested by the client
      type: string
    - name: ClientRequestUserAgent
      description: User agent reported by the client
      type: string
    - name: ClientSrcPort
      description: Client source port
      type: int
    - name: ClientSSLCipher
      description: Client SSL cipher
      type: string
    - name: ClientSSLProtocol
      description: Client SSL (TLS) protocol
      type: string
    - name: ClientTCPRTTMs
      description: The smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. Available in Logpush v2 only.
      type: bigint
    - name: ClientXRequestedWith
      description: X-Requested-With HTTP header
      type: string
    - name: ContentScanObjResults
      description: List of content scan results.
      type: array
      element:
        type: string
    - name: ContentScanObjTypes
      description: List of content types.
      type: array
      element:
        type: string
    - name: Cookies
      description: String key-value pairs for Cookies.
      type: json
    - name: EdgeCFConnectingO2O
      description: True if the request looped through multiple zones on the Cloudflare edge. This is considered an orange to orange (o2o) request. Available in Logpush v2 only.
      type: boolean
    - name: EdgeColoCode
      description: IATA airport code of data center that received the request
      type: string
    - name: EdgeColoID
      description: Cloudflare edge colo id
      type: bigint
    - name: EdgeEndTimestamp
      description: Timestamp at which the edge finished sending response to the client
      type: timestamp
      timeFormats:
        - cloudflare
    - name: EdgePathingOp
      description: Indicates what type of response was issued for this request (unknown = no specific action)
      type: string
    - name: EdgePathingSrc
      description: Details how the request was classified based on security checks (unknown = no specific classification)
      type: string
    - name: EdgePathingStatus
      description: Indicates what data was used to determine the handling of this request (unknown = no data)
      type: string
    - name: EdgeRateLimitAction
      description: The action taken by the blocking rule; empty if no action taken
      type: string
    - name: EdgeRateLimitID
      description: The internal rule ID of the rate-limiting rule that triggered a block (ban) or simulate action. 0 if no action taken
      type: string
    - name: EdgeRequestHost
      description: Host header on the request from the edge to the origin
      type: string
      indicators:
        - hostname
    - name: EdgeResponseBodyBytes
      description: Size of the HTTP response body returned to clients. Available in Logpush v2 only.
      type: bigint
    - name: EdgeResponseBytes
      description: Number of bytes returned by the edge to the client
      type: bigint
    - name: EdgeResponseCompressionRatio
      description: Edge response compression ratio
      type: float
    - name: EdgeResponseContentType
      description: Edge response Content-Type header value
      type: string
    - name: EdgeResponseStatus
      description: HTTP status code returned by Cloudflare to the client
      type: smallint
    - name: EdgeServerIP
      description: IP of the edge server making a request to the origin
      type: string
      indicators:
        - ip
    - name: EdgeStartTimestamp
      required: true
      description: Timestamp at which the edge received request from the client
      type: timestamp
      timeFormats:
        - cloudflare
      isEventTime: true
    - name: EdgeTimeToFirstByteMs
      description: Total view of Time To First Byte as measured at Cloudflare's edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. Available in Logpush v2 only.
      type: bigint
    - name: FirewallMatchesActions
      description: Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
      type: array
      element:
        type: string
    - name: FirewallMatchesRuleIDs
      description: Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
      type: array
      element:
        type: string
    - name: FirewallMatchesSources
      description: The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect
      type: array
      element:
        type: string
    - name: JA3Hash
      description: The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. Available in Logpush v2 only.
      type: string
      indicators:
        - md5
    - name: OriginDNSResponseTimeMs
      description: Time taken to receive a DNS response for an origin name. Usually takes a few milliseconds, but may be longer if a CNAME record is used. Available in Logpush v2 only.
      type: bigint
    - name: OriginIP
      description: IP of the origin server
      type: string
      indicators:
        - ip
    - name: OriginRequestHeaderSendDurationMs
      description: Time taken to send request headers to origin after establishing a connection. Note that this value is usually 0. Available in Logpush v2 only.
      type: bigint
    - name: OriginResponseBytes
      description: Number of bytes returned by the origin server
      type: bigint
    - name: OriginResponseDurationMs
      description: Upstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. Available in Logpush v2 only.
      type: bigint
    - name: OriginResponseHeaderReceiveDurationMs
      description: Time taken for origin to return response headers after Cloudflare finishes sending request headers. Available in Logpush v2 only.
      type: bigint
    - name: OriginResponseHTTPExpires
      description: Value of the origin 'expires' header in RFC1123 format
      type: timestamp
      timeFormats:
        - '%a, %d %b %Y %H:%M:%S %Z'
    - name: OriginResponseHTTPLastModified
      description: Value of the origin 'last-modified' header in RFC1123 format
      type: timestamp
      timeFormats:
        - '%a, %d %b %Y %H:%M:%S %Z'
    - name: OriginResponseStatus
      description: Status returned by the origin server
      type: smallint
    - name: OriginResponseTime
      description: Number of nanoseconds it took the origin to return the response to edge
      type: bigint
    - name: OriginSSLProtocol
      description: SSL (TLS) protocol used to connect to the origin
      type: string
    - name: OriginTCPHandshakeDurationMs
      description: Time taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
      type: bigint
    - name: OriginTLSHandshakeDurationMs
      description: Time taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
      type: bigint
    - name: ParentRayID
      description: Ray ID of the parent request if this request was made using a Worker script
      type: string
      indicators:
        - trace_id
    - name: RayID
      description: ID of the request
      type: string
      indicators:
        - trace_id
    - name: RequestHeaders
      description: String key-value pairs for RequestHeaders
      type: json
    - name: ResponseHeaders
      description: String key-value pairs for ResponseHeaders
      type: json
    - name: SecurityAction
      description: Rule action of the security rule that triggered a terminating action, if any
      type: string
    - name: SecurityActions
      description: Array of actions that Cloudflare security products performed on this request. The individual security products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
      type: array
      element:
        type: string
    - name: SecurityLevel
      description: The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system
      type: string
    - name: SecurityRuleDescription
      description: Rule description of the security rule that triggered a terminating action, if any
      type: string
    - name: SecurityRuleID
      description: Rule ID of the security rule that triggered a terminating action, if any
      type: string
    - name: SecurityRuleIDs
      description: Array of security rule IDs that matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
      type: array
      element:
        type: string
    - name: SecuritySources
      description: Array of Cloudflare security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect
      type: array
      element:
        type: string
    - name: SmartRouteColoID
      description: The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only.
      type: bigint
    - name: UpperTierColoID
      description: The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only.
      type: bigint
    - name: WAFAction
      description: Action taken by the WAF, if triggered
      type: string
    - name: WAFAttackScore
      description: Overall request score generated by the WAF detection module.
      type: bigint
    - name: WAFFlags
      description: 'Additional configuration flags: simulate (0x1) | null'
      type: string
    - name: WAFMatchedVar
      description: The full name of the most-recently matched variable
      type: string
    - name: WAFProfile
      description: low | med | high
      type: string
    - name: WAFRCEAttackScore
      description: WAF score for an RCE attack.
      type: bigint
    - name: WAFRuleID
      description: ID of the applied WAF rule
      type: string
    - name: WAFRuleMessage
      description: Rule message associated with the triggered rule
      type: string
    - name: WAFSQLiAttackScore
      description: WAF score for an SQLi attack.
      type: bigint
    - name: WAFXSSAttackScore
      description: WAF score for an XSS attack.
      type: bigint
    - name: WorkerCPUTime
      description: Amount of time in microseconds spent executing a worker, if any
      type: bigint
    - name: WorkerStatus
      description: Status returned from worker daemon
      type: string
    - name: WorkerSubrequest
      description: Whether or not this request was a worker subrequest
      type: boolean
    - name: WorkerSubrequestCount
      description: Number of subrequests issued by a worker when handling this request
      type: bigint
    - name: WorkerWallTimeUs
      description: Real-time in microseconds elapsed between start and end of worker invocation.
      type: bigint
    - name: ZoneID
      description: Internal zone ID
      type: bigint
    - name: ZoneName
      description: The human-readable name of the zone (e.g. cloudflare.com). Available in Logpush v2 only.
      type: string
    - name: JA4
      description: The JA4 fingerprint used to profile SSL/TLS clients.
      type: string
    - name: JA4Signals
      description: Inter-request statistics computed for this JA4 fingerprint. JA4Signals field is organized in key:value pairs, where values are numbers.
      type: json
    - name: LeakedCredentialCheckResult
      description: Result of the check for leaked credentials.
      type: string

Cloudflare.Spectrum

When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field, as it is required by Panther.

Reference: Cloudfare Documentation on Log Field Spectrum Events.

schema: Cloudflare.Spectrum
description: Cloudflare Spectrum logs. When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#spectrum-events
fields:
    - name: Application
      description: The unique public ID of the application on which the event occurred
      type: string
    - name: ClientASN
      description: Client AS number
      type: bigint
    - name: ClientBytes
      description: The number of bytes read from the client by the Spectrum service
      type: bigint
    - name: ClientCountry
      description: Country of the client IP address
      type: string
    - name: ClientIP
      description: IP address of the client
      type: string
      indicators:
        - ip
    - name: ClientMatchedIpFirewall
      description: Whether the connection matched any IP Firewall rules; UNKNOWN | ALLOW | BLOCK_ERROR | BLOCK_IP | BLOCK_COUNTRY | BLOCK_ASN | WHITELIST_IP |WHITELIST_COUNTRY | WHITELIST_ASN
      type: string
    - name: ClientPort
      description: Client port
      type: int
    - name: ClientProto
      description: Transport protocol used by client; tcp | udp | unix
      type: string
    - name: ClientTcpRtt
      description: The TCP round-trip time in nanoseconds between the client and Spectrum
      type: bigint
    - name: ClientTlsCipher
      description: The cipher negotiated between the client and Spectrum
      type: string
    - name: ClientTlsClientHelloServerName
      description: The server name in the Client Hello message from client to Spectrum
      type: string
    - name: ClientTlsProtocol
      description: The TLS version negotiated between the client and Spectrum; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
      type: string
    - name: ClientTlsStatus
      description: Indicates state of TLS session from the client to Spectrum; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
      type: string
    - name: ColoCode
      description: IATA airport code of data center that received the request
      type: string
    - name: ConnectTimestamp
      description: Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established
      type: timestamp
      timeFormats:
        - cloudflare
    - name: DisconnectTimestamp
      description: Timestamp at which the connection was closed
      type: timestamp
      timeFormats:
        - cloudflare
    - name: Event
      description: connect | disconnect | clientFiltered | tlsError | resolveOrigin | originError
      type: string
    - name: IpFirewall
      description: Whether IP Firewall was enabled at time of connection
      type: boolean
    - name: OriginBytes
      description: The number of bytes read from the origin by Spectrum
      type: bigint
    - name: OriginIP
      description: Origin IP address
      type: string
      indicators:
        - ip
    - name: OriginPort
      description: Origin port
      type: int
    - name: OriginProto
      description: Transport protocol used by origin; tcp | udp | unix
      type: string
    - name: OriginTcpRtt
      description: The TCP round-trip time in nanoseconds between Spectrum and the origin
      type: bigint
    - name: OriginTlsCipher
      description: The cipher negotiated between Spectrum and the origin
      type: string
    - name: OriginTlsFingerprint
      description: SHA256 hash of origin certificate
      type: string
    - name: OriginTlsMode
      description: If and how the upstream connection is encrypted; unknown | off | flexible | full | strict
      type: string
    - name: OriginTlsProtocol
      description: The TLS version negotiated between Spectrum and the origin; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
      type: string
    - name: OriginTlsStatus
      description: The state of the TLS session from Spectrum to the origin; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
      type: string
    - name: ProxyProtocol
      description: Which form of proxy protocol is applied to the given connection; off | v1 | v2 | simple
      type: string
    - name: Status
      description: A code indicating reason for connection closure
      type: bigint
    - name: Timestamp
      required: true
      description: Timestamp at which the event took place
      type: timestamp
      timeFormats:
        - cloudflare
      isEventTime: true

Cloudflare.ZeroTrust.RData

The Cloudflare.ZeroTrust.RData schema is in open beta starting with Panther version 1.81, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Cloudflare Zero Trust RData logs are in a Base64-encoded binary format,