Cloudflare Logs

Connecting Cloudflare logs to your Panther Console

Overview

Panther supports ingesting Cloudflare logs via Cloudflare's Logpush service, which streams logs directly to a Panther HTTP Source or to an Amazon Web Services (AWS) S3 bucket.
Note that Logpush is available to Cloudflare Enterprise customers only. While some Cloudflare log types on this page (e.g., Audit logs) can be retrieved without Logpush, Panther's supported schemas rely on the data structure as delivered by Logpush.

How to onboard Cloudflare logs to Panther

You can ingest Cloudflare logs into Panther by streaming them to either an HTTP Source or an S3 source. Both setups are described below.

HTTP Source

Step 1: Create an HTTP Source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
  2. Click Create New.
  3. Search for "Cloudflare," then click its tile.
     • In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the HTTP option.
  4. Click Start Setup.
  5. Configure authentication for the source:
     • You will be required to use shared secret authentication. This is the only method of authentication Cloudflare supports.
     • The Header Name associated with your Secret Key Value will be locked to x-panther-cloudflare.
     • Use a long, random value for the secret and keep a copy of it; you will paste the same value into the Logpush job in the next step.

Step 2: Configure a Logpush job in Cloudflare

  1. Locate your Cloudflare account ID by navigating to your Cloudflare dashboard and copying the ID from the URL.
     (Screenshot: the Cloudflare dashboard, with the account ID in the page URL highlighted.)
  2. Create a Cloudflare API token by following Cloudflare's Create an API token documentation.
     • Ensure the token has the Logs: Edit permission (listed as All accounts - Logs: Edit). Where the token editor lets you choose account resources, scope the token to the one account you are configuring rather than to all accounts.
     • Save the API token for the following step.
  3. Create a Logpush job in Cloudflare by invoking the API, as shown in the curl example below. Replace {ACCOUNT_ID}, {YOUR_API_TOKEN}, {LOG_SOURCE_URL}, and {SHARED_SECRET} with your own values. {SHARED_SECRET} must be the secret you set on the HTTP Source in Step 1, percent-encoded if it contains characters such as & or =, because Cloudflare parses header_<name>=<value> out of the query string.
     curl -X POST "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/logpush/jobs" \
       -H "Authorization: Bearer {YOUR_API_TOKEN}" \
       -H "Content-Type: application/json" \
       -d '{
         "enabled": true,
         "name": "my_cloudflare_audit_logs",
         "dataset": "audit_logs",
         "destination_conf": "{LOG_SOURCE_URL}?header_x-panther-cloudflare={SHARED_SECRET}"
       }'
     • The shared secret is stored in the job's destination_conf and is returned by the Logpush jobs API, so anyone who can read Logpush jobs in the account can read it. If it is exposed, rotate it on both the Panther HTTP Source and the Logpush job.
  4. Navigate back to your Cloudflare dashboard to finish the Logpush job configuration.
     1. In the left-hand navigation bar, under Analytics & Logs, click Logs.
     2. In the Logpush job table, find the row for the Logpush job you created in the previous step, and click Edit.
        (Screenshot: the Logs page, with a table under "Logpush - Account-scoped datasets" containing one row whose Data set is "Audit logs" and Edit and Delete buttons on the right.)
     3. Select the fields you would like Cloudflare to include in the audit log events sent to your HTTP Source. (By default, Cloudflare only includes a subset of all available fields.) Make sure ID, ResourceType, and When stay selected; Panther requires them.
        (Screenshot: the "Edit logpush options" page, with a "Select data fields" list of checkboxes such as ActionResult, ActionType, and ActorEmail.)
     4. Click Save changes.
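The same job creation as a script, as an added example (not Panther's or Cloudflare's code). It assumes the Cloudflare v4 endpoint used in the curl call above, a Panther HTTP Source URL and shared secret from Step 1, and that the Logpush jobs API accepts an output_options object (field selection and timestamp format), which this page's curl example does not show. It percent-encodes the secret, always includes the fields Panther requires for the chosen dataset, and redacts destination_conf before it is printed or logged.

```python
"""
Create the Cloudflare Logpush job that feeds a Panther HTTP Source.

Added example; not Panther's or Cloudflare's code. Assumes the Cloudflare v4
API paths from the curl example above. The output_options body field is an
assumption about the Logpush jobs API that this page does not show.
"""
import json
import os
import secrets
import urllib.parse
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
PANTHER_HEADER = "x-panther-cloudflare"   # header name Panther locks for this source

# Fields Panther requires per dataset, taken from the schema notes further down this page.
REQUIRED_FIELDS = {
    "audit_logs": ("ID", "ResourceType", "When"),
    "firewall_events": ("Datetime",),
    "http_requests": ("EdgeStartTimestamp",),
    "spectrum_events": ("Timestamp",),
}


def new_shared_secret(nbytes=32):
    """Random URL-safe secret: set it on the Panther source first, then use it here."""
    return secrets.token_urlsafe(nbytes)


def build_destination_conf(source_url, secret):
    """Cloudflare turns header_<NAME>=<VALUE> query params into request headers.
    The value must be percent-encoded: a raw '&', '=' or '+' in the secret would be
    read as query syntax and Panther would receive a truncated or altered header."""
    return f"{source_url}?header_{PANTHER_HEADER}={urllib.parse.quote(secret, safe='')}"


def build_job_body(name, dataset, source_url, secret, extra_fields=()):
    """Job body with the Panther-required fields always present, order kept, duplicates dropped."""
    fields = list(dict.fromkeys([*REQUIRED_FIELDS[dataset], *extra_fields]))
    return {
        "enabled": True,
        "name": name,
        "dataset": dataset,
        "destination_conf": build_destination_conf(source_url, secret),
        "output_options": {"field_names": fields, "timestamp_format": "rfc3339"},
    }


def redact_destination(job):
    """Job objects returned by the API echo destination_conf, secret included."""
    out = dict(job)
    url = out.get("destination_conf", "")
    out["destination_conf"] = url.split("?", 1)[0] + ("?<redacted>" if "?" in url else "")
    return out


def cloudflare_request(method, path, token, body=None):
    req = urllib.request.Request(
        CF_API + path,
        method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def create_logpush_job(account_id, token, body):
    reply = cloudflare_request("POST", f"/accounts/{account_id}/logpush/jobs", token, body)
    if not reply.get("success"):
        raise RuntimeError(f"Logpush job creation failed: {reply.get('errors')}")
    return redact_destination(reply["result"])


if __name__ == "__main__":
    # Environment variable names are this example's own choice. Generate the secret with
    # new_shared_secret(), set it on the Panther HTTP Source, then export it here.
    body = build_job_body(
        "my_cloudflare_audit_logs", "audit_logs",
        os.environ["PANTHER_SOURCE_URL"], os.environ["PANTHER_SHARED_SECRET"],
        extra_fields=("ActionResult", "ActionType", "ActorEmail", "ActorIP"),
    )
    job = create_logpush_job(os.environ["CLOUDFLARE_ACCOUNT_ID"], os.environ["CLOUDFLARE_API_TOKEN"], body)
    print(json.dumps(job, indent=2))
```

Only the `__main__` block talks to Cloudflare; the builders are pure, so a wrong field list or a mangled secret shows up before any job is created.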

S3 Source

Prerequisites

  • Create a new S3 bucket in your AWS account.
    • We recommend creating a new S3 bucket specifically for Cloudflare logs. You can use the default settings.
    • Note the region that you are creating it in, as you will need to provide it to Cloudflare.

Step 1: Set up the S3 bucket source in Panther

  • Follow Panther’s documentation for configuring AWS S3 as a Data Transport.

Step 2: Configure Logpush to stream logs to S3

When choosing the dataset type for your Logpush job, note that Cloudflare has options for Account-scoped data and Zone-scoped data. Audit logs are Account-scoped, whereas Firewall, HttpRequest, and Spectrum are Zone-scoped. The screenshots in this guide demonstrate how to configure Audit logs.
  1. Navigate to your Cloudflare dashboard, then go to Analytics > Logs.
  2. Click Add Logpush job next to the dataset type you want to set up.
     (Screenshot: the Logs page, with the account-scoped data option.)
  3. Click Select on the dataset you want to choose.
     (Screenshot: the "Select data set" page, with "Audit logs" highlighted.)
  4. Scroll down and click Next.
  5. Select the fields that you want to include. We recommend that you click the checkbox to select "All fields."
     • ID, ResourceType, and When are included by default and are required by Panther. Do not unselect these fields.
       (Screenshot: the Cloudflare "Create Logpush job" page, with "All fields" and "General" checked.)
  6. Click Next.
  7. Under "Select a destination," locate the Amazon S3 tile and click Select.
  8. Scroll down and click Next.
  9. Configure the destination fields:
     • Bucket path: Enter the name of the S3 bucket you created earlier in this documentation, optionally followed by a prefix (for example, my-bucket/cloudflare/audit) so that Cloudflare writes only under that prefix.
     • Daily subfolders: Choose Yes if you want to organize logs into daily subfolders.
     • Bucket region: Select the region that you created your S3 bucket in.
       • To verify the region, navigate to your S3 bucket's Properties.
     • Encryption constraint in bucket policy: Set to "Yes" if your bucket policy requires server-side encryption on uploads (that is, it rejects PutObject requests that lack the x-amz-server-side-encryption header). Default bucket encryption on its own does not impose such a constraint.
     • In the Grant Cloudflare access to upload files to your bucket section, copy the IAM policy that Cloudflare is providing.
       • You will need this in the next steps to give Cloudflare access to put objects in your bucket.
  10. In a separate browser tab, navigate to your AWS account and go to the S3 bucket settings.
  11. At the top of the page, click the Permissions tab.
  12. Scroll down to the Bucket policy section. On the right side of the tile, click Edit. In the text editor, paste the bucket policy you copied from the earlier steps.
      • If the bucket already has a policy, add the Cloudflare statement to it rather than replacing the existing document; pasting over it silently drops whatever was there.
  13. Click Save.
  14. Navigate back to the Cloudflare dashboard, and click Validate Access.
      • Cloudflare will write an object to your S3 bucket containing an ownership challenge that you must provide back to Cloudflare in the next steps.
        (Screenshot: the "Create Logpush job" page, "Prove ownership" section with an "Ownership token" text box.)
  15. Navigate back to your S3 bucket in AWS.
  16. Find and download the ownership challenge file (a small text object whose name starts with ownership-challenge), then open it.
  17. Copy the contents of the ownership challenge file. You will need this in the next steps.
  18. Navigate back to your Cloudflare dashboard. In the Ownership token field, paste in the contents of the ownership challenge file.
  19. Click Save.
Additionally, see Cloudflare's documentation for instructions on pushing logs to Amazon S3.
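Before pasting the policy from step 9 into the bucket (step 12), it is worth checking that it grants exactly what Cloudflare needs and nothing more, and merging it into any policy already on the bucket instead of overwriting it. The following is an added example, not Cloudflare's or Panther's code; SAMPLE_POLICY is constructed in the shape the dashboard shows, and its account ID and user path are placeholders, not Cloudflare's real principal. The bucket and prefix names are assumptions.

```python
"""
Pre-flight checks for the Cloudflare-provided S3 bucket policy.

Added example; not Cloudflare's or Panther's code. The checks encode what the
statement should grant and no more: s3:PutObject only, on objects under your
bucket (and prefix) only, to exactly one named AWS principal. merge_policies()
appends the statement to an existing bucket policy rather than replacing it.
"""
import copy
import json

ALLOWED_ACTIONS = {"s3:PutObject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_cloudflare_bucket_policy(policy, bucket, prefix=""):
    """Return a list of findings; an empty list means the policy is as tight as expected."""
    findings = []
    object_arn_prefix = f"arn:aws:s3:::{bucket}/{prefix}"
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        return ["policy has no Statement"]
    for i, st in enumerate(statements):
        tag = f"Statement[{i}]"
        if st.get("Effect") != "Allow":
            findings.append(f"{tag}: Effect is {st.get('Effect')!r}, expected Allow")
        extra = set(_as_list(st.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"{tag}: grants more than s3:PutObject: {sorted(extra)}")
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{tag}: Principal is a wildcard; anyone could write into the bucket")
        elif len(aws_principals) != 1:
            findings.append(f"{tag}: expected exactly one named AWS principal, got {principal!r}")
        for res in _as_list(st.get("Resource", [])):
            # Bucket-level ARNs and wildcards fail this test, which is intended.
            if not res.startswith(object_arn_prefix):
                findings.append(f"{tag}: Resource {res!r} is outside {object_arn_prefix}*")
    return findings


def merge_policies(existing, addition):
    """Append the Cloudflare statement(s) to an existing bucket policy without dropping anything."""
    merged = copy.deepcopy(existing) if existing else {"Version": "2012-10-17", "Statement": []}
    merged["Statement"] = _as_list(merged.get("Statement", []))
    existing_sids = {s.get("Sid") for s in merged["Statement"] if s.get("Sid")}
    for st in _as_list(addition.get("Statement", [])):
        if st.get("Sid") and st["Sid"] in existing_sids:
            raise ValueError(f"Sid {st['Sid']!r} already present; rename it before merging")
        merged["Statement"].append(copy.deepcopy(st))
    return merged


# Constructed sample in the shape the Cloudflare dashboard presents; the principal is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CloudflareLogpushPutObject",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/logpush-placeholder"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-cloudflare-logs/cloudflare/*",
    }],
}

# Constructed counter-example: wildcard principal, read access, and a resource covering every bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": "arn:aws:s3:::*",
    }],
}

if __name__ == "__main__":
    for name, pol in (("sample", SAMPLE_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, check_cloudflare_bucket_policy(pol, "my-cloudflare-logs", "cloudflare/") or "OK")
    print(json.dumps(merge_policies({"Version": "2012-10-17", "Statement": []}, SAMPLE_POLICY), indent=2))
```

Run the check against the policy text you copied from the dashboard (json.loads it first) with your real bucket name and prefix; the findings list is empty when the grant is scoped as expected.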

Panther-built Detections

Supported log types

Cloudflare.Audit

When selecting event fields on the Cloudflare UI, make sure you include the When, ID, and ResourceType fields, as they are required by Panther.
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Cloudflare.Audit
parser:
native:
name: Cloudflare.Audit
description: Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account level actions like login and logout, as well as zone configuration changes.
referenceURL: https://developers.cloudflare.com/logs/reference/log-fields/account/audit_logs
fields:
- name: ActionResult
description: Whether the action was successful
type: boolean
- name: ActionType
description: Type of action taken
type: string
- name: ActorEmail
description: Email of the actor
type: string
indicators:
- email
- name: ActorID
description: Unique identifier of the actor in Cloudflare's system
type: string
indicators:
- username
- name: ActorIP
description: Physical network address of the actor
type: string
indicators:
- ip
- name: ActorType
description: Type of user that started the audit trail
type: string
- name: ID
required: true
description: Unique identifier of an audit log
type: string
- name: Interface
description: Entry point or interface of the audit log
type: string
- name: Metadata
description: Additional audit log-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by ResourceType.
type: json
- name: NewValue
description: Contains the new value for the audited item
type: json
- name: OldValue
description: Contains the old value for the audited item
type: json
- name: OwnerID
description: The identifier of the user that was acting or was acted on behalf of. If a user did the action themselves, this value will be the same as the ActorID.
type: string
indicators:
- username
- name: ResourceID
description: Unique identifier of the resource within Cloudflare's system
type: string
- name: ResourceType
required: true
description: The type of resource that was changed
type: string
- name: When
required: true
description: When the change happened
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
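A Panther-style detection over Cloudflare.Audit events, as an added example and not one of Panther's built-in detections: it alerts on a successful change made from an actor IP outside the networks your Cloudflare administrators are expected to use. The admin network ranges, the sample events and their ActionType/ResourceType values are constructed. Panther hands the rule an event object with a dict-style .get(), so plain dicts are used here and the file runs on its own.

```python
"""
Detection over Cloudflare.Audit: successful change from an unexpected actor IP.

Added example; not a Panther-built detection. ADMIN_NETWORKS and SAMPLE_EVENTS
are constructed. The rule/title/dedup/alert_context function names follow
Panther's Python rule layout; the event is any dict-like object with .get().
"""
import ipaddress

# Constructed allowlist: corporate egress and VPN ranges admins are expected to use.
ADMIN_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]


def ip_in_admin_networks(ip_str):
    """False for missing or malformed addresses; the rule decides separately what to do then."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except (TypeError, ValueError):
        return False
    return any(ip in net for net in ADMIN_NETWORKS)


def rule(event):
    # Only successful changes are in scope; failed attempts belong in a separate rule.
    if not event.get("ActionResult"):
        return False
    actor_ip = event.get("ActorIP")
    if not actor_ip:
        # Cloudflare-initiated or system events carry no actor IP; do not alert on them.
        return False
    return not ip_in_admin_networks(actor_ip)


def title(event):
    actor = event.get("ActorEmail") or event.get("ActorID", "unknown actor")
    return (
        f"Cloudflare {event.get('ActionType', 'change')} on "
        f"{event.get('ResourceType', 'resource')} by {actor} "
        f"from unexpected IP {event.get('ActorIP')}"
    )


def dedup(event):
    # One alert per actor/IP pair per dedup window rather than one per changed object.
    return f"{event.get('ActorID')}:{event.get('ActorIP')}"


def alert_context(event):
    keys = ("ActorEmail", "ActorID", "ActorIP", "ActionType", "ResourceType",
            "ResourceID", "Interface", "OldValue", "NewValue", "When")
    return {k: event.get(k) for k in keys}


# Constructed sample events shaped like Cloudflare.Audit records.
SAMPLE_EVENTS = [
    {"ID": "a1", "ActionResult": True, "ActionType": "update", "ActorEmail": "admin@example.com",
     "ActorID": "u1", "ActorIP": "203.0.113.7", "ResourceType": "zone", "When": "2024-05-01T12:34:56Z"},
    {"ID": "a2", "ActionResult": True, "ActionType": "update", "ActorEmail": "admin@example.com",
     "ActorID": "u1", "ActorIP": "198.51.100.23", "ResourceType": "zone", "When": "2024-05-01T12:35:10Z"},
    {"ID": "a3", "ActionResult": False, "ActionType": "login", "ActorEmail": "admin@example.com",
     "ActorID": "u1", "ActorIP": "198.51.100.23", "ResourceType": "account", "When": "2024-05-01T12:30:00Z"},
    {"ID": "a4", "ActionResult": True, "ActionType": "update", "ActorType": "cloudflare",
     "ResourceType": "zone", "When": "2024-05-01T12:36:00Z"},
]


def run(events):
    """Apply the rule to a batch; returns the titles of the events that would alert."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for t in run(SAMPLE_EVENTS):
        print(t)
```

Of the four constructed events only the second fires: the first comes from an allowlisted range, the third is a failed action, and the fourth has no actor IP.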

Cloudflare.Firewall

When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field, as it is required by Panther.
schema: Cloudflare.Firewall
description: Cloudflare Firewall logs. When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#firewall-events
fields:
- name: Action
description: The code of the first-class action the Cloudflare Firewall took on this request
type: string
- name: ClientASN
description: The ASN number of the visitor
type: bigint
- name: ClientASNDescription
description: The ASN of the visitor as string
type: string
- name: ClientCountry
description: Country from which request originated
type: string
- name: ClientIP
description: The visitor's IP address (IPv4 or IPv6)
type: string
indicators:
- ip
- name: ClientIPClass
description: 'The classification of the visitor''s IP address, possible values are: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService | securityScanner | noRecord | scan | backupService | mobilePlatform | tor'
type: string
- name: ClientRefererHost
description: The referer host
type: string
indicators:
- hostname
- name: ClientRefererPath
description: The referer path requested by visitor
type: string
- name: ClientRefererQuery
description: The referer query-string was requested by the visitor
type: string
- name: ClientRefererScheme
description: The referer url scheme requested by the visitor
type: string
- name: ClientRequestHost
description: The HTTP hostname requested by the visitor
type: string
indicators:
- hostname
- name: ClientRequestMethod
description: The HTTP method used by the visitor
type: string
- name: ClientRequestPath
description: The path requested by visitor
type: string
- name: ClientRequestProtocol
description: The version of HTTP protocol requested by the visitor
type: string
- name: ClientRequestQuery
description: The query-string was requested by the visitor
type: string
- name: ClientRequestScheme
description: The url scheme requested by the visitor
type: string
- name: ClientRequestUserAgent
description: Visitor's user-agent string
type: string
- name: Datetime
required: true
description: The date and time the event occurred at the edge
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
- name: Description
description: Rule description for this event
type: string
- name: EdgeColoCode
description: The airport code of the Cloudflare datacenter that served this request
type: string
- name: EdgeResponseStatus
description: HTTP response status code returned to browser
type: smallint
- name: Kind
description: 'The kind of event, currently only possible values are: firewall'
type: string
- name: MatchIndex
description: Rules match index in the chain
type: bigint
- name: Metadata
description: Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time
type: json
- name: OriginResponseStatus
description: HTTP origin response status code returned to browser
type: smallint
- name: OriginatorRayID
description: The RayID of the request that issued the challenge/jschallenge
type: string
indicators:
- trace_id
- name: RayID
description: The RayID of the request
type: string
indicators:
- trace_id
- name: Ref
description: User-defined rule reference for this event
type: string
- name: RuleID
description: The Cloudflare security product-specific RuleID triggered by this request
type: string
- name: Source
description: The Cloudflare security product triggered by this request
type: string

Cloudflare.HttpRequest

When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field, as it is required by Panther.
schema: Cloudflare.HttpRequest
description: Cloudflare http request logs. When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#http-requests
fields:
- name: BotDetectionIDs
description: List of IDs that correlate to the Bot Management Heuristic detections made on a request. Available in Logpush v2 only.
type: array
element:
type: bigint
- name: BotScore
description: Cloudflare Bot Score (available for Bot Management customers; please contact your account team to enable)
type: bigint
- name: BotScoreSrc
description: Underlying detection engine or source on where a Bot Score is calculated. Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot
type: string
- name: BotTags
description: Type of bot traffic (if available). Refer to Bot Tags for the list of potential values. Available in Logpush v2 only.
type: array
element:
type: string
- name: CacheCacheStatus
description: unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated
type: string
- name: CacheReserveUsed
description: Cache Reserve was used to serve this request. Available in Logpush v2 only.
type: boolean
- name: CacheResponseBytes
description: Number of bytes returned by the cache
type: bigint
- name: CacheResponseStatus
description: HTTP status code returned by the cache to the edge; all requests (including non-cacheable ones) go through the cache; also see CacheStatus field
type: smallint
- name: CacheTieredFill
description: Tiered Cache was used to serve this request
type: boolean
- name: ClientASN
description: Client AS number
type: bigint
- name: ClientCountry
description: Country of the client IP address
type: string
- name: ClientDeviceType
description: Client device type
type: string
- name: ClientIP
description: IP address of the client
type: string
indicators:
- ip
- name: ClientIPClass
description: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService | securityScanner | noRecord | scan | backupService | mobilePlatform | tor
type: string
- name: ClientMTLSAuthCertFingerprint
description: The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.
type: string
indicators:
- sha256
- name: ClientMTLSAuthStatus
description: The status of mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only. Possible values are unknown | ok | absent | untrusted | notyetvalid | expired
type: string
- name: ClientRegionCode
description: The ISO-3166-2 region code of the client IP address.
type: string
- name: ClientRequestBytes
description: Number of bytes in the client request
type: bigint
- name: ClientRequestHost
description: Host requested by the client
type: string
indicators:
- hostname
- name: ClientRequestMethod
description: HTTP method of client request
type: string
- name: ClientRequestPath
description: URI path requested by the client
type: string
- name: ClientRequestProtocol
description: HTTP protocol of client request
type: string
- name: ClientRequestReferer
description: HTTP request referrer
type: string
indicators:
- hostname
- name: ClientRequestScheme
description: The URL scheme requested by the visitor. Available in Logpush v2 only.
type: string
indicators:
- hostname
- name: ClientRequestSource
description: Identifies requests as coming from an external source or another service within Cloudflare. Refer to ClientRequestSource field for the list of potential values. Available in Logpush v2 only.
type: string
indicators:
- hostname
- name: ClientRequestURI
description: URI requested by the client
type: string
- name: ClientRequestUserAgent
description: User agent reported by the client
type: string
- name: ClientSrcPort
description: Client source port
type: int
- name: ClientSSLCipher
description: Client SSL cipher
type: string
- name: ClientSSLProtocol
description: Client SSL (TLS) protocol
type: string
- name: ClientTCPRTTMs
description: The smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. Available in Logpush v2 only.
type: bigint
- name: ClientXRequestedWith
description: X-Requested-With HTTP header
type: string
- name: ContentScanObjResults
description: List of content scan results.
type: array
element:
type: string
- name: ContentScanObjTypes
description: List of content types.
type: array
element:
type: string
- name: Cookies
description: String key-value pairs for Cookies.
type: json
- name: EdgeCFConnectingO2O
description: True if the request looped through multiple zones on the Cloudflare edge. This is considered an orange to orange (o2o) request. Available in Logpush v2 only.
type: boolean
- name: EdgeColoCode
description: IATA airport code of data center that received the request
type: string
- name: EdgeColoID
description: Cloudflare edge colo id
type: bigint
- name: EdgeEndTimestamp
description: Timestamp at which the edge finished sending response to the client
type: timestamp
timeFormats:
- cloudflare
- name: EdgePathingOp
description: Indicates what type of response was issued for this request (unknown = no specific action)
type: string
- name: EdgePathingSrc
description: Details how the request was classified based on security checks (unknown = no specific classification)
type: string
- name: EdgePathingStatus
description: Indicates what data was used to determine the handling of this request (unknown = no data)
type: string
- name: EdgeRateLimitAction
description: The action taken by the blocking rule; empty if no action taken
type: string
- name: EdgeRateLimitID
description: The internal rule ID of the rate-limiting rule that triggered a block (ban) or simulate action. 0 if no action taken
type: string
- name: EdgeRequestHost
description: Host header on the request from the edge to the origin
type: string
indicators:
- hostname
- name: EdgeResponseBodyBytes
description: Size of the HTTP response body returned to clients. Available in Logpush v2 only.
type: bigint
- name: EdgeResponseBytes
description: Number of bytes returned by the edge to the client
type: bigint
- name: EdgeResponseCompressionRatio
description: Edge response compression ratio
type: float
- name: EdgeResponseContentType
description: Edge response Content-Type header value
type: string
- name: EdgeResponseStatus
description: HTTP status code returned by Cloudflare to the client
type: smallint
- name: EdgeServerIP
description: IP of the edge server making a request to the origin
type: string
indicators:
- ip
- name: EdgeStartTimestamp
required: true
description: Timestamp at which the edge received request from the client
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
- name: EdgeTimeToFirstByteMs
description: Total view of Time To First Byte as measured at Cloudflare's edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. Available in Logpush v2 only.
type: bigint
- name: FirewallMatchesActions
description: Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action can be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
type: array
element:
type: string
- name: FirewallMatchesRuleIDs
description: Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
type: array
element:
type: string
- name: FirewallMatchesSources
description: The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | sanitycheck | protect
type: array
element:
type: string
- name: JA3Hash
description: The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. Available in Logpush v2 only.
type: string
indicators:
- md5
- name: OriginDNSResponseTimeMs
description: Time taken to receive a DNS response for an origin name. Usually takes a few milliseconds, but may be longer if a CNAME record is used. Available in Logpush v2 only.
type: bigint
- name: OriginIP
description: IP of the origin server
type: string
indicators:
- ip
- name: OriginRequestHeaderSendDurationMs
description: Time taken to send request headers to origin after establishing a connection. Note that this value is usually 0. Available in Logpush v2 only.
type: bigint
- name: OriginResponseBytes
description: Number of bytes returned by the origin server
type: bigint
- name: OriginResponseDurationMs
description: Upstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. Available in Logpush v2 only.
type: bigint
- name: OriginResponseHeaderReceiveDurationMs
description: Time taken for origin to return response headers after Cloudflare finishes sending request headers. Available in Logpush v2 only.
type: bigint
- name: OriginResponseHTTPExpires
description: Value of the origin 'expires' header in RFC1123 format
type: timestamp
timeFormats:
- '%a, %d %b %Y %H:%M:%S %Z'
- name: OriginResponseHTTPLastModified
description: Value of the origin 'last-modified' header in RFC1123 format
type: timestamp
timeFormats:
- '%a, %d %b %Y %H:%M:%S %Z'
- name: OriginResponseStatus
description: Status returned by the origin server
type: smallint
- name: OriginResponseTime
description: Number of nanoseconds it took the origin to return the response to edge
type: bigint
- name: OriginSSLProtocol
description: SSL (TLS) protocol used to connect to the origin
type: string
- name: OriginTCPHandshakeDurationMs
description: Time taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
type: bigint
- name: OriginTLSHandshakeDurationMs
description: Time taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
type: bigint
- name: ParentRayID
description: Ray ID of the parent request if this request was made using a Worker script
type: string
indicators:
- trace_id
- name: RayID
description: ID of the request
type: string
indicators:
- trace_id
- name: RequestHeaders
description: String key-value pairs for RequestHeaders
type: json
- name: ResponseHeaders
description: String key-value pairs for ResponseHeaders
type: json
- name: SecurityAction
description: Rule action of the security rule that triggered a terminating action, if any
type: string
- name: SecurityActions
description: Array of actions that Cloudflare security products performed on this request. The individual security products associated with this action can be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
type: array
element:
type: string
- name: SecurityLevel
description: The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system
type: string
- name: SecurityRuleDescription
description: Rule description of the security rule that triggered a terminating action, if any
type: string
- name: SecurityRuleID
description: Rule ID of the security rule that triggered a terminating action, if any
type: string
- name: SecurityRuleIDs
description: Array of security rule IDs that matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
type: array
element:
type: string
- name: SecuritySources
description: Array of Cloudflare security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | sanitycheck | protect
type: array
element:
type: string
- name: SmartRouteColoID
description: The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only.
type: bigint
- name: UpperTierColoID
description: The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only.
type: bigint
- name: WAFAction
description: Action taken by the WAF, if triggered
type: string
- name: WAFAttackScore
description: Overall request score generated by the WAF detection module.
type: bigint
- name: WAFFlags
description: 'Additional configuration flags: simulate (0x1) | null'
type: string
- name: WAFMatchedVar
description: The full name of the most-recently matched variable
type: string
- name: WAFProfile
description: low | med | high
type: string
- name: WAFRCEAttackScore
description: WAF score for an RCE attack.
type: bigint
- name: WAFRuleID
description: ID of the applied WAF rule
type: string
- name: WAFRuleMessage
description: Rule message associated with the triggered rule
type: string
- name: WAFSQLiAttackScore
description: WAF score for an SQLi attack.
type: bigint
- name: WAFXSSAttackScore
description: WAF score for an XSS attack.
type: bigint
- name: WorkerCPUTime
description: Amount of time in microseconds spent executing a worker, if any
type: bigint
- name: WorkerStatus
description: Status returned from worker daemon
type: string
- name: WorkerSubrequest
description: Whether or not this request was a worker subrequest
type: boolean
- name: WorkerSubrequestCount
description: Number of subrequests issued by a worker when handling this request
type: bigint
- name: WorkerWallTimeUs
description: Real-time in microseconds elapsed between start and end of worker invocation.
type: bigint
- name: ZoneID
description: Internal zone ID
type: bigint
- name: ZoneName
description: The human-readable name of the zone (e.g. cloudflare.com). Available in Logpush v2 only.
type: string

Cloudflare.Spectrum

When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field, as it is required by Panther.
schema: Cloudflare.Spectrum
description: Cloudflare Spectrum logs. When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#spectrum-events
fields:
- name: Application
description: The unique public ID of the application on which the event occurred
type: string
- name: ClientASN
description: Client AS number
type: bigint
- name: ClientBytes
description: The number of bytes read from the client by the Spectrum service
type: bigint
- name: ClientCountry
description: Country of the client IP address
type: string
- name: ClientIP
description: IP address of the client
type: string
indicators:
- ip
- name: ClientMatchedIpFirewall
description: Whether the connection matched any IP Firewall rules; UNKNOWN | ALLOW | BLOCK_ERROR | BLOCK_IP | BLOCK_COUNTRY | BLOCK_ASN | WHITELIST_IP | WHITELIST_COUNTRY | WHITELIST_ASN
type: string
- name: ClientPort
description: Client port
type: int
- name: ClientProto
description: Transport protocol used by client; tcp | udp | unix
type: string
- name: ClientTcpRtt
description: The TCP round-trip time in nanoseconds between the client and Spectrum
type: bigint
- name: ClientTlsCipher
description: The cipher negotiated between the client and Spectrum
type: string
- name: ClientTlsClientHelloServerName
description: The server name in the Client Hello message from client to Spectrum
type: string
- name: ClientTlsProtocol
description: The TLS version negotiated between the client and Spectrum; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
type: string
- name: ClientTlsStatus
description: Indicates state of TLS session from the client to Spectrum; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
type: string
- name: ColoCode
description: IATA airport code of data center that received the request
type: string
- name: ConnectTimestamp
description: Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established
type: timestamp
timeFormats:
- cloudflare
- name: DisconnectTimestamp
description: Timestamp at which the connection was closed
type: timestamp
timeFormats:
- cloudflare
- name: Event
description: connect | disconnect | clientFiltered | tlsError | resolveOrigin | originError
type: string
- name: IpFirewall
description: Whether IP Firewall was enabled at time of connection
type: boolean
- name: OriginBytes
description: The number of bytes read from the origin by Spectrum
type: bigint
- name: OriginIP
description: Origin IP address
type: string
indicators:
- ip
- name: OriginPort
description: Origin port
type: int
- name: OriginProto
description: Transport protocol used by origin; tcp | udp | unix
type: string
- name: OriginTcpRtt
description: The TCP round-trip time in nanoseconds between Spectrum and the origin
type: bigint
- name: OriginTlsCipher
description: The cipher negotiated between Spectrum and the origin
type: string
- name: OriginTlsFingerprint
description: SHA256 hash of origin certificate
type: string
- name: OriginTlsMode
description: If and how the upstream connection is encrypted; unknown | off | flexible | full | strict
type: string
- name: OriginTlsProtocol
description: The TLS version negotiated between Spectrum and the origin; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
type: string
- name: OriginTlsStatus
description: The state of the TLS session from Spectrum to the origin; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
type: string
- name: ProxyProtocol
description: Which form of proxy protocol is applied to the given connection; off | v1 | v2 | simple
type: string
- name: Status
description: A code indicating reason for connection closure
type: bigint
- name: Timestamp
required: true
description: Timestamp at which the event took place
type: timestamp
timeFormats:
- cloudflare
isEventTime: true
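Each of the four schemas above marks one or more fields as required (ID, ResourceType and When for Cloudflare.Audit; Datetime for Cloudflare.Firewall; EdgeStartTimestamp for Cloudflare.HttpRequest; Timestamp for Cloudflare.Spectrum), and in each case the required timestamp is the event time. A quick way to catch a Logpush job that was saved with those fields deselected is to run a sample of its output through the check below before pointing the job at Panther. This is an added example, not Panther's parser; the sample lines are constructed. It assumes Logpush's newline-delimited JSON output and its three timestamp encodings (RFC 3339 strings, Unix seconds, Unix nanoseconds), which is what the schemas' cloudflare time format covers.

```python
"""
Pre-flight check of a Logpush NDJSON sample against Panther's required fields.

Added example; not Panther's parser. Sample lines are constructed. Timestamps
may arrive as RFC 3339 strings, Unix seconds or Unix nanoseconds depending on
the job's timestamp_format; all three are normalised to an aware UTC datetime.
"""
import json
import re
from datetime import datetime, timedelta, timezone

REQUIRED = {
    "Cloudflare.Audit": ("ID", "ResourceType", "When"),
    "Cloudflare.Firewall": ("Datetime",),
    "Cloudflare.HttpRequest": ("EdgeStartTimestamp",),
    "Cloudflare.Spectrum": ("Timestamp",),
}
# The required timestamp is also the event time (isEventTime: true in each schema).
EVENT_TIME = {
    "Cloudflare.Audit": "When",
    "Cloudflare.Firewall": "Datetime",
    "Cloudflare.HttpRequest": "EdgeStartTimestamp",
    "Cloudflare.Spectrum": "Timestamp",
}

_RFC3339 = re.compile(r"^(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")


def parse_cloudflare_time(value):
    """Accept RFC 3339, Unix seconds or Unix nanoseconds; return an aware UTC datetime."""
    if isinstance(value, str):
        m = _RFC3339.match(value.strip())
        if m:
            base, frac, tz = m.groups()
            frac = (frac or "")[:6].ljust(6, "0")      # fromisoformat accepts at most 6 digits
            tz = "+00:00" if tz in (None, "Z") else tz
            return datetime.fromisoformat(f"{base}.{frac}{tz}").astimezone(timezone.utc)
        value = int(value.strip())                     # numeric timestamp sent as a string
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError(f"unsupported timestamp value {value!r}")
    v = int(value)
    if v >= 10**17:                                    # nanoseconds (about 1.7e18 in the 2020s)
        sec, ns = divmod(v, 10**9)
        return datetime.fromtimestamp(sec, tz=timezone.utc) + timedelta(microseconds=ns // 1000)
    return datetime.fromtimestamp(v, tz=timezone.utc)  # seconds


def preflight(log_type, ndjson_text):
    """Validate each line; return (accepted_events, problems) with problems as (line_no, reason)."""
    required = REQUIRED[log_type]
    accepted, problems = [], []
    for line_no, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((line_no, f"not JSON: {exc.msg}"))
            continue
        missing = [f for f in required if f not in event]
        if missing:
            problems.append((line_no, f"missing required field(s): {', '.join(missing)}"))
            continue
        try:
            event_time = parse_cloudflare_time(event[EVENT_TIME[log_type]])
        except (TypeError, ValueError) as exc:
            problems.append((line_no, f"unparseable event time: {exc}"))
            continue
        event["p_event_time"] = event_time.isoformat()
        accepted.append(event)
    return accepted, problems


# Constructed sample: line 1 uses RFC 3339, line 2 Unix nanoseconds, line 3 lacks ResourceType.
SAMPLE_AUDIT_NDJSON = "\n".join([
    json.dumps({"ID": "a1", "ResourceType": "zone", "When": "2024-05-01T12:34:56Z", "ActionResult": True}),
    json.dumps({"ID": "a2", "ResourceType": "zone", "When": 1714566896123456789, "ActionResult": True}),
    json.dumps({"ID": "a3", "When": "2024-05-01T12:40:00Z", "ActionResult": False}),
])

if __name__ == "__main__":
    ok, bad = preflight("Cloudflare.Audit", SAMPLE_AUDIT_NDJSON)
    print(f"{len(ok)} accepted, {len(bad)} rejected")
    for line_no, reason in bad:
        print(f"  line {line_no}: {reason}")
```

Feed it a decompressed Logpush file and the log type you intend to assign to the source; any line reported under problems would be dropped or mis-timed by a schema that requires those fields.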

Cloudflare.ZeroTrust.RData

The Cloudflare.ZeroTrust.RData schema is in open beta starting with Panther version 1.81, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Cloudflare Zero Trust RData logs are in a Base64-encoded binary format, and this schema transparently decodes them. This schema does not have an event time field, so the p_event_time value will be equivalent to the parsing time.
For more information, see the Cloudflare Zero Trust RData documentation.
schema: Cloudflare.ZeroTrust.RData
description: Cloudflare Zero Trust RData schema
referenceURL: https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/rdata/
fields:
- name: QueryName
description: The Query Name
type: string
- name: QueryType
description: The Query Type
type: string
- name: QueryClass
description: The Query Class. Represented in numbers
type: int
- name: ResponseTTL
description: The Response TTL
type: bigint
- name: ResponseData
description: The Response Data
type: string
- name: type
description: The Cloudflare Type outside the ZeroTrust RData envelope
type: string