Cloudflare Logs
Connecting Cloudflare logs to your Panther Console

Overview

Panther supports ingesting Cloudflare logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.

How to onboard Cloudflare logs to Panther

To connect these logs to Panther:
  1. Set up your Data Transport in the Panther Console.
     • Follow Panther's documentation for configuring the Data Transport option you will use (AWS S3 or SQS).
  2. Configure Cloudflare to push logs to the Data Transport source.
     • See Cloudflare's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in all tables are in bold.

Cloudflare.Firewall

When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field, as it is required by Panther.
| Column | Type | Description |
| --- | --- | --- |
| Action | string | The code of the first-class action the Cloudflare Firewall took on this request |
| ClientASN | bigint | The ASN number of the visitor |
| ClientASNDescription | string | The ASN of the visitor as a string |
| ClientCountry | string | Country from which the request originated |
| ClientIP | string | The visitor's IP address (IPv4 or IPv6) |
| ClientIPClass | string | The classification of the visitor's IP address; possible values are: unknown, clean, badHost, searchEngine, whitelist, greylist, monitoringService, securityScanner, noRecord, scan, backupService, mobilePlatform, tor |
| ClientRefererHost | string | The referer host |
| ClientRefererPath | string | The referer path requested by the visitor |
| ClientRefererQuery | string | The referer query string requested by the visitor |
| ClientRefererScheme | string | The referer URL scheme requested by the visitor |
| ClientRequestHost | string | The HTTP hostname requested by the visitor |
| ClientRequestMethod | string | The HTTP method used by the visitor |
| ClientRequestPath | string | The path requested by the visitor |
| ClientRequestProtocol | string | The version of the HTTP protocol requested by the visitor |
| ClientRequestQuery | string | The query string requested by the visitor |
| ClientRequestScheme | string | The URL scheme requested by the visitor |
| ClientRequestUserAgent | string | Visitor's user-agent string |
| Datetime | timestamp | The date and time the event occurred at the edge |
| EdgeColoCode | string | The airport code of the Cloudflare datacenter that served this request |

Cloudflare.HttpRequest

When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field, as it is required by Panther.
| Column | Type | Description |
| --- | --- | --- |
| BotScore | bigint | Cloudflare Bot Score (available for Bot Management customers; please contact your account team to enable) |
| BotScoreSrc | string | Underlying detection engine or source on where a Bot Score is calculated. Possible values are: Not Computed, Heuristics, Machine Learning, Behavioral Analysis, Verified Bot |
| CacheCacheStatus | string | unknown, miss, expired, updating, stale, hit, ignored, bypass, revalidated |
| CacheResponseBytes | bigint | Number of bytes returned by the cache |
| CacheResponseStatus | smallint | HTTP status code returned by the cache to the edge; all requests (including non-cacheable ones) go through the cache; also see CacheStatus field |
| CacheTieredFill | boolean | Tiered Cache was used to serve this request |
| ClientASN | bigint | Client AS number |
| ClientCountry | string | Country of the client IP address |
| ClientDeviceType | string | Client device type |
| ClientIP | string | IP address of the client |
| ClientIPClass | string | unknown, clean, badHost, searchEngine, whitelist, greylist, monitoringService, securityScanner, noRecord, scan, backupService, mobilePlatform, tor |
| ClientRequestBytes | bigint | Number of bytes in the client request |
| ClientRequestHost | string | Host requested by the client |
| ClientRequestMethod | string | HTTP method of client request |
| ClientRequestPath | string | URI path requested by the client |
| ClientRequestProtocol | string | HTTP protocol of client request |
| ClientRequestReferer | string | HTTP request referrer |
| ClientRequestURI | string | URI requested by the client |
| ClientRequestUserAgent | string | User agent reported by the client |

Cloudflare.Spectrum

When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field, as it is required by Panther.
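
A pre-flight check for the required timestamp fields named in the three notes above, written as an added example (not Panther's or Cloudflare's code). It assumes the exported logs are newline-delimited JSON; `check_sample`, `REQUIRED_FIELD`, `KNOWN_VALUES` and the sample lines are names and data constructed for this illustration.

```python
import json

# Timestamp field this page says Panther requires for each log type.
REQUIRED_FIELD = {
    "Cloudflare.Firewall": "Datetime",
    "Cloudflare.HttpRequest": "EdgeStartTimestamp",
    "Cloudflare.Spectrum": "Timestamp",
}

# Enumerated values copied from the field descriptions on this page.
KNOWN_VALUES = {
    "ClientIPClass": ("unknown clean badHost searchEngine whitelist greylist "
                      "monitoringService securityScanner noRecord scan "
                      "backupService mobilePlatform tor").split(),
    "ClientProto": "tcp udp unix".split(),
    "ClientTlsProtocol": "unknown none SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3".split(),
}

def check_sample(log_type, ndjson_text):
    """Return (line_number, problem) tuples for a sample of exported log lines."""
    required = REQUIRED_FIELD[log_type]
    problems = []
    for number, line in enumerate(ndjson_text.splitlines(), start=1):
        if not line.strip():
            continue  # tolerate blank lines between records
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None  # truncated or corrupt record
        if not isinstance(event, dict):
            problems.append((number, "not a JSON object"))
            continue
        if event.get(required) in (None, ""):
            problems.append((number, f"missing required field {required}"))
        for field, allowed in KNOWN_VALUES.items():
            if field in event and event[field] not in allowed:
                problems.append((number, f"unexpected {field} value {event[field]!r}"))
    return problems

# Constructed sample (not real traffic): line 2 omits Timestamp, line 3 is truncated.
SPECTRUM_SAMPLE = "\n".join([
    '{"Timestamp": "2024-01-01T00:00:00Z", "Event": "connect", "ClientProto": "tcp"}',
    '{"Event": "disconnect", "ClientProto": "tcp", "ClientTlsProtocol": "TLSv1.2"}',
    '{"Timestamp": "2024-01-01T00:00:02Z", "Event": "conn',
])

if __name__ == "__main__":
    for number, problem in check_sample("Cloudflare.Spectrum", SPECTRUM_SAMPLE):
        print(f"line {number}: {problem}")
```

Run it against a few lines pulled from the S3 bucket before enabling the source, so a field selection that omits the required timestamp is caught before ingestion.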
| Column | Type | Description |
| --- | --- | --- |
| Application | string | The unique public ID of the application on which the event occurred |
| ClientASN | bigint | Client AS number |
| ClientBytes | bigint | The number of bytes read from the client by the Spectrum service |
| ClientCountry | string | Country of the client IP address |
| ClientIP | string | IP address of the client |
| ClientMatchedIpFirewall | string | Whether the connection matched any IP Firewall rules; UNKNOWN, ALLOW, BLOCK_ERROR, BLOCK_IP, BLOCK_COUNTRY, BLOCK_ASN, WHITELIST_IP, WHITELIST_COUNTRY, WHITELIST_ASN |
| ClientPort | int | Client port |
| ClientProto | string | Transport protocol used by client; tcp, udp, unix |
| ClientTcpRtt | bigint | The TCP round-trip time in nanoseconds between the client and Spectrum |
| ClientTlsCipher | string | The cipher negotiated between the client and Spectrum |
| ClientTlsClientHelloServerName | string | The server name in the Client Hello message from client to Spectrum |
| ClientTlsProtocol | string | The TLS version negotiated between the client and Spectrum; unknown, none, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 |
| ClientTlsStatus | string | Indicates state of TLS session from the client to Spectrum; UNKNOWN, OK, INTERNAL_ERROR, INVALID_CONFIG, INVALID_SNI, HANDSHAKE_FAILED, KEYLESS_RPC |
| ColoCode | string | IATA airport code of data center that received the request |
| ConnectTimestamp | timestamp | Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established |
| DisconnectTimestamp | timestamp | Timestamp at which the connection was closed |
| Event | string | connect, disconnect, clientFiltered, tlsError, resolveOrigin, originError |
| IpFirewall | boolean | Whether IP Firewall was enabled at time of connection |
| OriginBytes | bigint | The number of bytes read from the origin by Spectrum |