Cloudflare Logs

Connecting Cloudfare logs to your Panther Console

Overview

Panther supports ingesting Cloudflare logs via Cloudflare's Logpush service, which streams logs directly to an HTTP Source, or to Amazon Web Services (AWS) S3.

Note that Cloudflare's Logpush is available to Cloudflare Enterprise customers only. While some Cloudflare log types on this page (e.g., Audit logs) may be pulled without Logpush, Panther's supported schemas rely on the data structure when delivered by Logpush.

How to onboard Cloudflare logs to Panther

You can ingest Cloudflare logs into Panther by streaming them to either an HTTP source or a S3 source.

Step 1: Create an HTTP Source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Cloudflare," then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- You will be required to use shared secret authentication. This is the only method of authentication Cloudflare supports.
- The Header Name associated with your Secret Key Value will be locked with a value of x-panther-cloudflare.

Step 2: Configure a Logpush job in Cloudflare

Locate your Cloudflare account ID. by navigating to your Cloudflare dashboard and copying the ID from the URL.
Create a Cloudflare API token by following Cloudflare's Create an API token documentation.
- Ensure the token has the All accounts - Logs: Edit permission.
- Save the API token for the following step.

Create a Logpush job in Cloudflare by invoking the API, as is shown in the curl example below.

curl -X POST "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/logpush/jobs" \
    -H "Authorization: Bearer {YOUR_API_TOKEN}" \
    -H "Content-Type:application/json" \
    -d '{
     "enabled": true,
     "name": "my_cloudflare_audit_logs",
     "dataset": "audit_logs",
     "destination_conf": "{LOG_SOURCE_URL}?header_x-panther-cloudflare={SHARED_SECRET}"
     }'

See additional information on setting up a Logpush job on Cloudflare's Enable HTTP destination documentation.

Navigate back to your Cloudflare dashboard to finish the Logpush job configuration.
1. In the left-hand navigation bar, under Analytics & Logs, click Logs.
2. In the Logpush job table, find the row for the Logpush job you created in the previous step, and click Edit.
3. Select the fields you would like Cloudflare to include in the audit log events sent to your HTTP Source. (By default, Cloudflare only includes a subset of all available fields.)
4. Click Save changes.

Prerequisites

Create a new S3 bucket in your AWS account.
- We recommend creating a new S3 bucket specifically for Cloudflare logs. You can use the default settings.
- Please note the region that you are creating it in, as you will need to provide it to Cloudflare.

Step 1: Set up the S3 bucket source in Panther

Follow Panther’s documentation for configuring AWS S3 as a Data Transport.

Step 2: Configure Logpush to stream logs to S3

When choosing the dataset type for your Logpush job, note that Cloudflare has options for Account-scoped data and Zone-scoped data. Audit logs are Account-scoped, whereas Firewall, HttpRequest, and Spectrum are Zone-scoped. The screen shots in this guide demonstrate how to configure Audit logs.

Navigate to your Cloudflare dashboard, then go to Analytics > Logs.
Click Add Logpush job next to the dataset type you want to set up.
Click Select on the dataset you want to choose.
Scroll down and click Next.
Select the fields that you want to include. We recommend that you click the checkbox to select "All fields."
- ID, ResourceType, and When are included by default and are required by Panther. Do not unselect these fields.
Click Next.
Under "Select a destination," locate the Amazon S3 tile and click Select.
Scroll down and click Next.
Configure the destination fields:
- Bucket path: Enter the name of the S3 bucket you created earlier in this documentation.
- Daily subfolders: Choose Yes if you want to organize logs into daily subfolders.
- Bucket region: Select the region that you created your S3 bucket in.
  - To verify the region, navigate to your S3 bucket's Properties.
- Encryption constraint in bucket policy: Set to "Yes" if you enabled SSE encryption on your S3 bucket.
- In the Grant Cloudflare access to upload files to your bucket section, copy the IAM policy that Cloudflare is providing.
  - You will need this in the next steps to give Cloudflare access to put objects in your bucket.
In a separate browser tab, navigate to your AWS account and go to the S3 bucket settings.
At the top of the page, click the Permissions tab.
Scroll down to the Bucket policy section. On the right side of the tile, click Edit. In the text editor, paste the bucket policy you copied from the earlier steps.
Click Save.
Navigate back to the Cloudflare dashboard, and click Validate Access.
- From here, Cloudflare will write an object to your S3 bucket which will contain an ownership challenge that you must provide back to Cloudflare in the next steps.
Navigate back to your S3 bucket in AWS.
Find and download the ownership challenge file, then open it.
Copy the contents of the ownership challenge file. You will need this in the next steps.
Navigate back to your Cloudflare dashboard. In the Ownership token field, paste in the contents of the ownership challenge file.
Click Save.

Additionally, see Cloudflare's documentation for instructions on pushing logs to Amazon S3.

Panther-built Detections

See Panther's built in rules for Cloudflare in panther-analysis in Github.

Supported log types

Cloudflare.Audit

When selecting event fields on the Cloudflare UI, make sure you include the When, ID, and ResourceType fields, as they are required by Panther.

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: Cloudflare.Audit
parser:
  native:
    name: Cloudflare.Audit
description: Audit logs summarize the history of changes made within your Cloudflare account. Audit logs include account level actions like login and logout, as well as zone configuration changes.
referenceURL: https://developers.cloudflare.com/logs/reference/log-fields/account/audit_logs
fields:
  - name: ActionResult
    description: Whether the action was successful
    type: boolean
  - name: ActionType
    description: Type of action taken
    type: string
  - name: ActorEmail
    description: Email of the actor
    type: string
    indicators:
      - email
  - name: ActorID
    description: Unique identifier of the actor in Cloudflare's system
    type: string
    indicators:
      - username
  - name: ActorIP
    description: Physical network address of the actor
    type: string
    indicators:
      - ip
  - name: ActorType
    description: Type of user that started the audit trail
    type: string
  - name: ID
    required: true
    description: Unique identifier of an audit log
    type: string
  - name: Interface
    description: Entry point or interface of the audit log
    type: string
  - name: Metadata
    description: Additional audit log-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by ResourceType.
    type: json
  - name: NewValue
    description: Contains the new value for the audited item
    type: json
  - name: OldValue
    description: Contains the old value for the audited item
    type: json
  - name: OwnerID
    description: The identifier of the user that was acting or was acted on behalf of. If a user did the action themselves, this value will be the same as the ActorID.
    type: string
    indicators:
      - username
  - name: ResourceID
    description: Unique identifier of the resource within Cloudflares system
    type: string
  - name: ResourceType
    required: true
    description: The type of resource that was changed
    type: string
  - name: When
    required: true
    description: When the change happened
    type: timestamp
    timeFormats:
      - cloudflare
    isEventTime: true

Cloudflare.Firewall

When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field, as it is required by Panther.

Reference: Cloudfare Documentation on Log Field Firewalls.

schema: Cloudflare.Firewall
description: Cloudflare Firewall logs. When selecting event fields on the Cloudflare UI, make sure you include the "Datetime" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#firewall-events
fields:
    - name: Action
      description: The code of the first-class action the Cloudflare Firewall took on this request
      type: string
    - name: ClientASN
      description: The ASN number of the visitor
      type: bigint
    - name: ClientASNDescription
      description: The ASN of the visitor as string
      type: string
    - name: ClientCountry
      description: Country from which request originated
      type: string
    - name: ClientIP
      description: The visitor's IP address (IPv4 or IPv6)
      type: string
      indicators:
        - ip
    - name: ClientIPClass
      description: 'The classification of the visitor''s IP address, possible values are: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService |securityScanner | noRecord | scan | backupService | mobilePlatform | tor'
      type: string
    - name: ClientRefererHost
      description: The referer host
      type: string
      indicators:
        - hostname
    - name: ClientRefererPath
      description: The referer path requested by visitor
      type: string
    - name: ClientRefererQuery
      description: The referer query-string was requested by the visitor
      type: string
    - name: ClientRefererScheme
      description: The referer url scheme requested by the visitor
      type: string
    - name: ClientRequestHost
      description: The HTTP hostname requested by the visitor
      type: string
      indicators:
        - hostname
    - name: ClientRequestMethod
      description: The HTTP method used by the visitor
      type: string
    - name: ClientRequestPath
      description: The path requested by visitor
      type: string
    - name: ClientRequestProtocol
      description: The version of HTTP protocol requested by the visitor
      type: string
    - name: ClientRequestQuery
      description: The query-string was requested by the visitor
      type: string
    - name: ClientRequestScheme
      description: The url scheme requested by the visitor
      type: string
    - name: ClientRequestUserAgent
      description: Visitor's user-agent string
      type: string
    - name: Datetime
      required: true
      description: The date and time the event occurred at the edge
      type: timestamp
      timeFormats:
        - cloudflare
      isEventTime: true
    - name: Description
      description: Rule description for this event
      type: string
    - name: EdgeColoCode
      description: The airport code of the Cloudflare datacenter that served this request
      type: string
    - name: EdgeResponseStatus
      description: HTTP response status code returned to browser
      type: smallint
    - name: Kind
      description: 'The kind of event, currently only possible values are: firewall'
      type: string
    - name: MatchIndex
      description: Rules match index in the chain
      type: bigint
    - name: Metadata
      description: Additional product-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by Cloudflare security product and can change over time
      type: json
    - name: OriginResponseStatus
      description: HTTP origin response status code returned to browser
      type: smallint
    - name: OriginatorRayID
      description: The RayID of the request that issued the challenge/jschallenge
      type: string
      indicators:
        - trace_id
    - name: RayID
      description: The RayID of the request
      type: string
      indicators:
        - trace_id
    - name: Ref
      description: User-defined rule reference for this event
      type: string
    - name: RuleID
      description: The Cloudflare security product-specific RuleID triggered by this request
      type: string
    - name: Source
      description: The Cloudflare security product triggered by this request
      type: string

Cloudflare.HttpRequest

When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field, as it is required by Panther.

Reference: Cloudfare Documentation on Log Field Requests.

schema: Cloudflare.HttpRequest
description: Cloudflare http request logs. When selecting event fields on the Cloudflare UI, make sure you include the "EdgeStartTimestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#http-requests
fields:
    - name: BotDetectionIDs
      description: List of IDs that correlate to the Bot Management Heuristic detections made on a request. Available in Logpush v2 only.
      type: array
      element:
        type: bigint
    - name: BotScore
      description: Cloudflare Bot Score (available for Bot Management customers; please contact your account team to enable)
      type: bigint
    - name: BotScoreSrc
      description: Underlying detection engine or source on where a Bot Score is calculated. Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot
      type: string
    - name: BotTags
      description: Type of bot traffic (if available). Refer to Bot Tags for the list of potential values. Available in Logpush v2 only.
      type: array
      element:
        type: string
    - name: CacheCacheStatus
      description: unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated
      type: string
    - name: CacheReserveUsed
      description: Cache Reserve was used to serve this request. Available in Logpush v2 only.
      type: boolean
    - name: CacheResponseBytes
      description: Number of bytes returned by the cache
      type: bigint
    - name: CacheResponseStatus
      description: HTTP status code returned by the cache to the edge; all requests (including non-cacheable ones) go through the cache; also see CacheStatus field
      type: smallint
    - name: CacheTieredFill
      description: Tiered Cache was used to serve this request
      type: boolean
    - name: ClientASN
      description: Client AS number
      type: bigint
    - name: ClientCountry
      description: Country of the client IP address
      type: string
    - name: ClientDeviceType
      description: Client device type
      type: string
    - name: ClientIP
      description: IP address of the client
      type: string
      indicators:
        - ip
    - name: ClientIPClass
      description: unknown | clean | badHost | searchEngine | whitelist | greylist | monitoringService | securityScanner | noRecord | scan |backupService | mobilePlatform | tor
      type: string
    - name: ClientMTLSAuthCertFingerprint
      description: The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.
      type: string
      indicators:
        - sha256
    - name: ClientMTLSAuthStatus
      description: The status of mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only. Possible values are unknown | ok | absent | untrusted | notyetvalid | expired
      type: string
    - name: ClientRegionCode
      description: The ISO-3166-2 region code of the client IP address.
      type: string
    - name: ClientRequestBytes
      description: Number of bytes in the client request
      type: bigint
    - name: ClientRequestHost
      description: Host requested by the client
      type: string
      indicators:
        - hostname
    - name: ClientRequestMethod
      description: HTTP method of client request
      type: string
    - name: ClientRequestPath
      description: URI path requested by the client
      type: string
    - name: ClientRequestProtocol
      description: HTTP protocol of client request
      type: string
    - name: ClientRequestReferer
      description: HTTP request referrer
      type: string
      indicators:
        - hostname
    - name: ClientRequestScheme
      description: The URL scheme requested by the visitor. Available in Logpush v2 only.
      type: string
      indicators:
        - hostname
    - name: ClientRequestSource
      description: Identifies requests as coming from an external source or another service within Cloudflare. Refer to ClientRequestSource field for the list of potential values. Available in Logpush v2 only.
      type: string
      indicators:
        - hostname
    - name: ClientRequestURI
      description: URI requested by the client
      type: string
    - name: ClientRequestUserAgent
      description: User agent reported by the client
      type: string
    - name: ClientSrcPort
      description: Client source port
      type: int
    - name: ClientSSLCipher
      description: Client SSL cipher
      type: string
    - name: ClientSSLProtocol
      description: Client SSL (TLS) protocol
      type: string
    - name: ClientTCPRTTMs
      description: The smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. Available in Logpush v2 only.
      type: bigint
    - name: ClientXRequestedWith
      description: X-Requested-With HTTP header
      type: string
    - name: ContentScanObjResults
      description: List of content scan results.
      type: array
      element:
        type: string
    - name: ContentScanObjTypes
      description: List of content types.
      type: array
      element:
        type: string
    - name: Cookies
      description: String key-value pairs for Cookies.
      type: json
    - name: EdgeCFConnectingO2O
      description: True if the request looped through multiple zones on the Cloudflare edge. This is considered an orange to orange (o2o) request. Available in Logpush v2 only.
      type: boolean
    - name: EdgeColoCode
      description: IATA airport code of data center that received the request
      type: string
    - name: EdgeColoID
      description: Cloudflare edge colo id
      type: bigint
    - name: EdgeEndTimestamp
      description: Timestamp at which the edge finished sending response to the client
      type: timestamp
      timeFormats:
        - cloudflare
    - name: EdgePathingOp
      description: Indicates what type of response was issued for this request (unknown = no specific action)
      type: string
    - name: EdgePathingSrc
      description: Details how the request was classified based on security checks (unknown = no specific classification)
      type: string
    - name: EdgePathingStatus
      description: Indicates what data was used to determine the handling of this request (unknown = no data)
      type: string
    - name: EdgeRateLimitAction
      description: The action taken by the blocking rule; empty if no action taken
      type: string
    - name: EdgeRateLimitID
      description: The internal rule ID of the rate-limiting rule that triggered a block (ban) or simulate action. 0 if no action taken
      type: string
    - name: EdgeRequestHost
      description: Host header on the request from the edge to the origin
      type: string
      indicators:
        - hostname
    - name: EdgeResponseBodyBytes
      description: Size of the HTTP response body returned to clients. Available in Logpush v2 only.
      type: bigint
    - name: EdgeResponseBytes
      description: Number of bytes returned by the edge to the client
      type: bigint
    - name: EdgeResponseCompressionRatio
      description: Edge response compression ratio
      type: float
    - name: EdgeResponseContentType
      description: Edge response Content-Type header value
      type: string
    - name: EdgeResponseStatus
      description: HTTP status code returned by Cloudflare to the client
      type: smallint
    - name: EdgeServerIP
      description: IP of the edge server making a request to the origin
      type: string
      indicators:
        - ip
    - name: EdgeStartTimestamp
      required: true
      description: Timestamp at which the edge received request from the client
      type: timestamp
      timeFormats:
        - cloudflare
      isEventTime: true
    - name: EdgeTimeToFirstByteMs
      description: Total view of Time To First Byte as measured at Cloudflare's edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. Available in Logpush v2 only.
      type: bigint
    - name: FirewallMatchesActions
      description: Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
      type: array
      element:
        type: string
    - name: FirewallMatchesRuleIDs
      description: Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
      type: array
      element:
        type: string
    - name: FirewallMatchesSources
      description: The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect
      type: array
      element:
        type: string
    - name: JA3Hash
      description: The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. Available in Logpush v2 only.
      type: string
      indicators:
        - md5
    - name: OriginDNSResponseTimeMs
      description: Time taken to receive a DNS response for an origin name. Usually takes a few milliseconds, but may be longer if a CNAME record is used. Available in Logpush v2 only.
      type: bigint
    - name: OriginIP
      description: IP of the origin server
      type: string
      indicators:
        - ip
    - name: OriginRequestHeaderSendDurationMs
      description: Time taken to send request headers to origin after establishing a connection. Note that this value is usually 0. Available in Logpush v2 only.
      type: bigint
    - name: OriginResponseBytes
      description: Number of bytes returned by the origin server
      type: bigint
    - name: OriginResponseDurationMs
      description: Upstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. Available in Logpush v2 only.
      type: bigint
    - name: OriginResponseHeaderReceiveDurationMs
      description: Time taken for origin to return response headers after Cloudflare finishes sending request headers. Available in Logpush v2 only.
      type: bigint
    - name: OriginResponseHTTPExpires
      description: Value of the origin 'expires' header in RFC1123 format
      type: timestamp
      timeFormats:
        - '%a, %d %b %Y %H:%M:%S %Z'
    - name: OriginResponseHTTPLastModified
      description: Value of the origin 'last-modified' header in RFC1123 format
      type: timestamp
      timeFormats:
        - '%a, %d %b %Y %H:%M:%S %Z'
    - name: OriginResponseStatus
      description: Status returned by the origin server
      type: smallint
    - name: OriginResponseTime
      description: Number of nanoseconds it took the origin to return the response to edge
      type: bigint
    - name: OriginSSLProtocol
      description: SSL (TLS) protocol used to connect to the origin
      type: string
    - name: OriginTCPHandshakeDurationMs
      description: Time taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
      type: bigint
    - name: OriginTLSHandshakeDurationMs
      description: Time taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.
      type: bigint
    - name: ParentRayID
      description: Ray ID of the parent request if this request was made using a Worker script
      type: string
      indicators:
        - trace_id
    - name: RayID
      description: ID of the request
      type: string
      indicators:
        - trace_id
    - name: RequestHeaders
      description: String key-value pairs for RequestHeaders
      type: json
    - name: ResponseHeaders
      description: String key-value pairs for ResponseHeaders
      type: json
    - name: SecurityAction
      description: Rule action of the security rule that triggered a terminating action, if any
      type: string
    - name: SecurityActions
      description: Array of actions that Cloudflare security products performed on this request. The individual security products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources. Possible actions are allow | log | simulate | drop | challenge | jschallenge | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass
      type: array
      element:
        type: string
    - name: SecurityLevel
      description: The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system
      type: string
    - name: SecurityRuleDescription
      description: Rule description of the security rule that triggered a terminating action, if any
      type: string
    - name: SecurityRuleID
      description: Rule ID of the security rule that triggered a terminating action, if any
      type: string
    - name: SecurityRuleIDs
      description: Array of security rule IDs that matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.
      type: array
      element:
        type: string
    - name: SecuritySources
      description: Array of Cloudflare security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Possible sources are asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit |bic | hot | l7ddos | sanitycheck | protect
      type: array
      element:
        type: string
    - name: SmartRouteColoID
      description: The Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only.
      type: bigint
    - name: UpperTierColoID
      description: The “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only.
      type: bigint
    - name: WAFAction
      description: Action taken by the WAF, if triggered
      type: string
    - name: WAFAttackScore
      description: Overall request score generated by the WAF detection module.
      type: bigint
    - name: WAFFlags
      description: 'Additional configuration flags: simulate (0x1) | null'
      type: string
    - name: WAFMatchedVar
      description: The full name of the most-recently matched variable
      type: string
    - name: WAFProfile
      description: low | med | high
      type: string
    - name: WAFRCEAttackScore
      description: WAF score for an RCE attack.
      type: bigint
    - name: WAFRuleID
      description: ID of the applied WAF rule
      type: string
    - name: WAFRuleMessage
      description: Rule message associated with the triggered rule
      type: string
    - name: WAFSQLiAttackScore
      description: WAF score for an SQLi attack.
      type: bigint
    - name: WAFXSSAttackScore
      description: WAF score for an XSS attack.
      type: bigint
    - name: WorkerCPUTime
      description: Amount of time in microseconds spent executing a worker, if any
      type: bigint
    - name: WorkerStatus
      description: Status returned from worker daemon
      type: string
    - name: WorkerSubrequest
      description: Whether or not this request was a worker subrequest
      type: boolean
    - name: WorkerSubrequestCount
      description: Number of subrequests issued by a worker when handling this request
      type: bigint
    - name: WorkerWallTimeUs
      description: Real-time in microseconds elapsed between start and end of worker invocation.
      type: bigint
    - name: ZoneID
      description: Internal zone ID
      type: bigint
    - name: ZoneName
      description: The human-readable name of the zone (e.g. cloudflare.com). Available in Logpush v2 only.
      type: string

Cloudflare.Spectrum

When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field, as it is required by Panther.

Reference: Cloudfare Documentation on Log Field Spectrum Events.

schema: Cloudflare.Spectrum
description: Cloudflare Spectrum logs. When selecting event fields on the Cloudflare UI, make sure you include the "Timestamp" field as it is required by Panther.
referenceURL: https://developers.cloudflare.com/logs/log-fields#spectrum-events
fields:
    - name: Application
      description: The unique public ID of the application on which the event occurred
      type: string
    - name: ClientASN
      description: Client AS number
      type: bigint
    - name: ClientBytes
      description: The number of bytes read from the client by the Spectrum service
      type: bigint
    - name: ClientCountry
      description: Country of the client IP address
      type: string
    - name: ClientIP
      description: IP address of the client
      type: string
      indicators:
        - ip
    - name: ClientMatchedIpFirewall
      description: Whether the connection matched any IP Firewall rules; UNKNOWN | ALLOW | BLOCK_ERROR | BLOCK_IP | BLOCK_COUNTRY | BLOCK_ASN | WHITELIST_IP |WHITELIST_COUNTRY | WHITELIST_ASN
      type: string
    - name: ClientPort
      description: Client port
      type: int
    - name: ClientProto
      description: Transport protocol used by client; tcp | udp | unix
      type: string
    - name: ClientTcpRtt
      description: The TCP round-trip time in nanoseconds between the client and Spectrum
      type: bigint
    - name: ClientTlsCipher
      description: The cipher negotiated between the client and Spectrum
      type: string
    - name: ClientTlsClientHelloServerName
      description: The server name in the Client Hello message from client to Spectrum
      type: string
    - name: ClientTlsProtocol
      description: The TLS version negotiated between the client and Spectrum; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
      type: string
    - name: ClientTlsStatus
      description: Indicates state of TLS session from the client to Spectrum; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
      type: string
    - name: ColoCode
      description: IATA airport code of data center that received the request
      type: string
    - name: ConnectTimestamp
      description: Timestamp at which both legs of the connection (client/edge, edge/origin or nexthop) were established
      type: timestamp
      timeFormats:
        - cloudflare
    - name: DisconnectTimestamp
      description: Timestamp at which the connection was closed
      type: timestamp
      timeFormats:
        - cloudflare
    - name: Event
      description: connect | disconnect | clientFiltered | tlsError | resolveOrigin | originError
      type: string
    - name: IpFirewall
      description: Whether IP Firewall was enabled at time of connection
      type: boolean
    - name: OriginBytes
      description: The number of bytes read from the origin by Spectrum
      type: bigint
    - name: OriginIP
      description: Origin IP address
      type: string
      indicators:
        - ip
    - name: OriginPort
      description: Origin port
      type: int
    - name: OriginProto
      description: Transport protocol used by origin; tcp | udp | unix
      type: string
    - name: OriginTcpRtt
      description: The TCP round-trip time in nanoseconds between Spectrum and the origin
      type: bigint
    - name: OriginTlsCipher
      description: The cipher negotiated between Spectrum and the origin
      type: string
    - name: OriginTlsFingerprint
      description: SHA256 hash of origin certificate
      type: string
    - name: OriginTlsMode
      description: If and how the upstream connection is encrypted; unknown | off | flexible | full | strict
      type: string
    - name: OriginTlsProtocol
      description: The TLS version negotiated between Spectrum and the origin; unknown | none | SSLv3 | TLSv1 | TLSv1.1 | TLSv1.2 | TLSv1.3
      type: string
    - name: OriginTlsStatus
      description: The state of the TLS session from Spectrum to the origin; UNKNOWN | OK | INTERNAL_ERROR | INVALID_CONFIG | INVALID_SNI | HANDSHAKE_FAILED | KEYLESS_RPC
      type: string
    - name: ProxyProtocol
      description: Which form of proxy protocol is applied to the given connection; off | v1 | v2 | simple
      type: string
    - name: Status
      description: A code indicating reason for connection closure
      type: bigint
    - name: Timestamp
      required: true
      description: Timestamp at which the event took place
      type: timestamp
      timeFormats:
        - cloudflare
      isEventTime: true

Cloudflare.ZeroTrust.RData

The Cloudflare.ZeroTrust.RData schema is in open beta starting with Panther version 1.81, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Cloudflare Zero Trust RData logs are in a Base64-encoded binary format, and this schema transparently decodes them. This schema does not have an event time field, so the p_event_time value will be equivalent to the parsing time.

For more information, see the Cloudflare Zero Trust RData documentation.

schema: Cloudflare.ZeroTrust.RData
description: Cloudflare Zero Trust Rdata schema
referenceURL: https://developers.cloudflare.com/cloudflare-one/insights/logs/logpush/rdata/
fields:
  - name: QueryName
    description: The Query Name
    type: string
  - name: QueryType
    description: The Query Type
    type: string
  - name: QueryClass
    description: The Query Class. Represented in numbers
    type: int
  - name: ResponseTTL
    description: The Response TTL
    type: bigint
  - name: ResponseData
    description: The Response Data
    type: string
  - name: type
    description: The Cloudflare Type outside the ZeroTrust RData envelope
    type: string

PreviousCisco Umbrella Logs NextCrowdStrike Logs

Last updated 2 years ago

Was this helpful?