Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Cloudflare Integration Guide

integrations cloudflare sse

The following instructions are for configuring Cloudflare to facilitate log ingestion into Secureworks® Taegis™ XDR. This integration leverages Cloudflare's Logpush to send logs to your AWS S3 bucket.

Data Provided from Integration

The following Cloudflare event types are supported by XDR.


Cloudflare event types not listed above are normalized to the generic schema.

  Antivirus Auth DHCP DNS Email Encrypt Filemod HTTP Management Netflow NIDS Process Thirdparty
Cloudflare               D   D Y    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections


XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Cloudflare Logpush to Send Logs to S3

Follow the instructions in the Cloudflare documentation to configure log forwarding to an S3 bucket.

Deploy the XDR Lambda Function in Your AWS Environment

Follow all steps in these instructions to deploy the Lambda function that will send Cloudflare logs from your S3 bucket to XDR.


The above instructions reference CloudTrail; however, the mechanism to send logs from S3 to XDR are data source-agnostic. You must follow all steps in the instructions.

Advanced Search Using the Query Language

Example Query Language Searches

To search for http events from the last 24 hours:

FROM http WHERE sensor_type = 'Cloudflare' and EARLIEST=-24h

To search for netflow events:

FROM netflow WHERE sensor_type = 'Cloudflare'

To search for events from Cloudflare that were Not Blocked:

WHERE sensor_type = 'Cloudflare' AND blocked =  1

To search for nids events for a specific host:

FROM nids WHERE sensor_type = 'Cloudflare' AND @ip =

Event Details

Cloudflare Event Details

Cloudflare Event Details

Sample Logs


Feb 22 18:33:31 {"CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":150,"ClientCountry":"us","ClientDeviceType":"desktop","ClientIP":"","ClientIPClass":"noRecord","ClientRequestBytes":513,"ClientRequestHost":"host-id.example.com","ClientRequestMethod":"GET","ClientRequestPath":"/test.json","ClientRequestReferer":"","ClientRequestURI":"/test.json","ClientRequestUserAgent":"","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":63166,"EdgeColoCode":"ORD","EdgeColoID":555,"EdgeEndTimestamp":1708625184893000000,"EdgePathingOp":"wl","EdgePathingSrc":"macro","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseBytes":4951,"EdgeResponseCompressionRatio":1,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":1708625184882000000,"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["111038"],"FirewallMatchesSources":["waf"],"OriginIP":"","OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"8888888888888888","SecurityLevel":"med","WAFAction":"drop","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"med","WAFRuleID":"111038","WAFRuleMessage":"Information Disclosure - Common Files","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":143666688}


On this page: