Cloudflare Integration Guide
The following instructions are for configuring Cloudflare to facilitate log ingestion into Secureworks® Taegis™ XDR. This integration leverages Cloudflare's Logpush to send logs to your AWS S3 bucket.
Data Provided from Integration ⫘
The following Cloudflare event types are supported by XDR.
- Firewall
- HTTP
Note
Cloudflare event types not listed above are normalized to the generic schema.
| | Antivirus | Auth | DHCP | DNS | Encrypt | Filemod | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Cloudflare | | | | | | | D | | D | Y | | |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the Cloudflare Logpush to Send Logs to S3 ⫘
Follow the instructions in the Cloudflare documentation to configure log forwarding to an S3 bucket.
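The Cloudflare documentation walks through the Logpush job in the dashboard; the same job can be created through the Logpush API. The script below is an added example (not Secureworks or Cloudflare code) that builds the job body for an S3 destination and, only when you call `create_job`, submits it. The dataset names (`http_requests`, `firewall_events`), the `s3://bucket/path?region=...&sse=AES256` destination form and the `output_options` block follow Cloudflare's public Logpush API; the bucket, prefix, zone ID, token and the field subset are placeholders chosen for this example.

```python
"""Build (and optionally submit) a Cloudflare Logpush job that writes to S3.

Added example, not Secureworks or Cloudflare code. Endpoint path, dataset
names and the destination_conf form follow Cloudflare's public Logpush API;
bucket, prefix, region, zone ID, token and field subset are assumptions.
"""
import json
import re
import urllib.request
from urllib.parse import urlencode

API_BASE = "https://api.cloudflare.com/client/v4"

# Datasets backing the two event types this guide lists (HTTP and Firewall),
# with a field subset picked for this example (assumption: trim to taste).
DATASET_FIELDS = {
    "http_requests": [
        "ClientIP", "ClientRequestHost", "ClientRequestMethod", "ClientRequestURI",
        "ClientRequestUserAgent", "EdgeResponseStatus", "EdgeStartTimestamp",
        "FirewallMatchesActions", "FirewallMatchesRuleIDs", "FirewallMatchesSources",
        "RayID", "WAFAction", "WAFRuleID", "WAFRuleMessage",
    ],
    "firewall_events": [
        "Action", "ClientIP", "ClientRequestHost", "ClientRequestPath", "Datetime",
        "RayID", "RuleID", "Source",
    ],
}

# AWS region names look like us-east-1, eu-west-2, ap-southeast-2, us-gov-west-1.
_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def s3_destination(bucket, prefix, region, sse_aes256=True):
    """Return the destination_conf string Logpush expects for an S3 bucket.

    Form: s3://<bucket>/<prefix>?region=<region>[&sse=AES256]
    """
    if not _REGION_RE.match(region):
        raise ValueError(f"unexpected AWS region format: {region!r}")
    params = {"region": region}
    if sse_aes256:
        params["sse"] = "AES256"  # have Cloudflare request server-side encryption on write
    path = f"{bucket}/{prefix.strip('/')}" if prefix else bucket
    return f"s3://{path}?{urlencode(params)}"


def logpush_job(name, dataset, destination_conf, timestamp_format="unixnano"):
    """Assemble the job body; refuses datasets or destinations this pipeline doesn't use."""
    if dataset not in DATASET_FIELDS:
        raise ValueError(f"unsupported dataset {dataset!r}")
    if not destination_conf.startswith("s3://"):
        raise ValueError("this guide's pipeline expects an S3 destination")
    return {
        "name": name,
        "dataset": dataset,
        "destination_conf": destination_conf,
        "enabled": True,
        "output_options": {
            # unixnano matches the EdgeStartTimestamp form in this guide's sample log
            "field_names": DATASET_FIELDS[dataset],
            "timestamp_format": timestamp_format,
        },
    }


def create_job(zone_id, api_token, job):
    """POST the job to Cloudflare. Network call; only runs when you invoke it."""
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/logpush/jobs",
        data=json.dumps(job).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder bucket/prefix/region (assumption); print the body you would submit.
    dest = s3_destination("my-cloudflare-logs", "cloudflare/http", "us-east-1")
    print(json.dumps(logpush_job("taegis-http", "http_requests", dest), indent=2))
```

Before the job will validate, the bucket policy has to grant Cloudflare's Logpush principal write access; that step is in the Cloudflare documentation linked above and is not repeated here. Keep the field list for the HTTP job at least as wide as the fields XDR normalizes (client IP, host, URI, status, the `FirewallMatches*` and `WAF*` fields), or the `blocked` and rule-ID fields used in the queries below will be empty.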
Deploy the XDR Lambda Function in Your AWS Environment ⫘
Follow all steps in these instructions to deploy the Lambda function that will send Cloudflare logs from your S3 bucket to XDR.
Note
The above instructions reference CloudTrail; however, the mechanism that sends logs from S3 to XDR is data source-agnostic, so the same deployment applies to Cloudflare logs. You must follow all steps in the instructions.
Advanced Search Using the Query Language ⫘
Example Query Language Searches ⫘
To search for http events from the last 24 hours:
FROM http WHERE sensor_type = 'Cloudflare' and EARLIEST=-24h
To search for netflow events:
FROM netflow WHERE sensor_type = 'Cloudflare'
To search for events from Cloudflare that were blocked:
WHERE sensor_type = 'Cloudflare' AND blocked = 1
To search for nids events for a specific host:
FROM nids WHERE sensor_type = 'Cloudflare' AND @ip = 10.10.10.10
Event Details ⫘
Cloudflare Event Details
Sample Logs ⫘
Cloudflare ⫘
Feb 22 18:33:31 10.10.10.10 {"CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":150,"ClientCountry":"us","ClientDeviceType":"desktop","ClientIP":"192.168.10.10","ClientIPClass":"noRecord","ClientRequestBytes":513,"ClientRequestHost":"host-id.example.com","ClientRequestMethod":"GET","ClientRequestPath":"/test.json","ClientRequestReferer":"","ClientRequestURI":"/test.json","ClientRequestUserAgent":"","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":63166,"EdgeColoCode":"ORD","EdgeColoID":555,"EdgeEndTimestamp":1708625184893000000,"EdgePathingOp":"wl","EdgePathingSrc":"macro","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseBytes":4951,"EdgeResponseCompressionRatio":1,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":1708625184882000000,"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["111038"],"FirewallMatchesSources":["waf"],"OriginIP":"","OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"8888888888888888","SecurityLevel":"med","WAFAction":"drop","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"med","WAFRuleID":"111038","WAFRuleMessage":"Information Disclosure - Common Files","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":143666688}
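The sample line is a syslog-style prefix (receipt time and forwarding host) followed by one JSON object per request. The script below is an added example (not Secureworks or Cloudflare code) that splits that prefix off, parses the JSON and derives the fields the queries above lean on: a `blocked` flag from `FirewallMatchesActions`/`WAFAction`, the client IP as the source address, the matched rule IDs, and a UTC timestamp from the nanosecond `EdgeStartTimestamp`. The embedded sample is a constructed, shortened copy of the line above; the mapping of Cloudflare actions to "blocked" is this example's own reading (assumption), not XDR's parser.

```python
"""Parse a syslog-prefixed Cloudflare HTTP log line and derive normalized fields.

Added example, not Secureworks or Cloudflare code. The blocked/source mapping
is an assumption for illustration, not XDR's normalization.
"""
import json
import re
from datetime import datetime, timezone

# Constructed, shortened copy of this guide's sample line (same values, fewer keys).
SAMPLE = ('Feb 22 18:33:31 10.10.10.10 {"CacheCacheStatus":"unknown",'
          '"ClientIP":"192.168.10.10","ClientRequestHost":"host-id.example.com",'
          '"ClientRequestMethod":"GET","ClientRequestURI":"/test.json",'
          '"EdgeResponseStatus":403,"EdgeStartTimestamp":1708625184882000000,'
          '"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["111038"],'
          '"FirewallMatchesSources":["waf"],"RayID":"8888888888888888",'
          '"WAFAction":"drop","WAFRuleID":"111038",'
          '"WAFRuleMessage":"Information Disclosure - Common Files","ZoneID":143666688}')

# "<Mon> <d> <HH:MM:SS> <host> {json}"; the JSON body runs to end of line.
_PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<json>\{.*\})$")

# Actions treated as a block for this example (assumption): challenges are not
# counted, since the client may still pass them.
BLOCKING_ACTIONS = {"block", "drop"}


def parse_line(line):
    """Return (forwarding_host, event_dict) or raise ValueError on a malformed line."""
    m = _PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a syslog-prefixed Cloudflare log line")
    return m.group("host"), json.loads(m.group("json"))


def edge_timestamp(ts_ns):
    """Convert a unixnano EdgeStartTimestamp to an aware UTC datetime (exact to 1 us)."""
    if not isinstance(ts_ns, int):
        return None
    secs, rem_ns = divmod(ts_ns, 1_000_000_000)
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=rem_ns // 1000)


def normalize(body):
    """Derive the handful of fields the guide's query examples depend on."""
    actions = set(body.get("FirewallMatchesActions") or [])
    waf_action = body.get("WAFAction", "")
    blocked = bool(actions & BLOCKING_ACTIONS) or waf_action in BLOCKING_ACTIONS
    return {
        "source_address": body.get("ClientIP"),
        "host": body.get("ClientRequestHost"),
        "method": body.get("ClientRequestMethod"),
        "uri": body.get("ClientRequestURI"),
        "status": body.get("EdgeResponseStatus"),
        "blocked": blocked,
        "rule_ids": list(body.get("FirewallMatchesRuleIDs") or []),
        "rule_message": body.get("WAFRuleMessage"),
        "ray_id": body.get("RayID"),
        "timestamp": edge_timestamp(body.get("EdgeStartTimestamp")),
    }


def waf_blocks(lines):
    """Detection-style pass: (ray_id, client_ip, rule_message) for every WAF block."""
    hits = []
    for line in lines:
        _, body = parse_line(line)
        ev = normalize(body)
        if ev["blocked"] and "waf" in (body.get("FirewallMatchesSources") or []):
            hits.append((ev["ray_id"], ev["source_address"], ev["rule_message"]))
    return hits


if __name__ == "__main__":
    host, body = parse_line(SAMPLE)
    ev = normalize(body)
    print(f"forwarder={host} client={ev['source_address']} status={ev['status']} "
          f"blocked={ev['blocked']} rules={ev['rule_ids']} at={ev['timestamp']}")
    print(waf_blocks([SAMPLE]))
```

Two things the sample makes visible: the syslog prefix carries the forwarding host (`10.10.10.10`, the value the `@ip` query above matches on), not the client, so pivot on `ClientIP` for the attacker side; and the prefix time (18:33:31) is receipt time, while `EdgeStartTimestamp` places the request at 18:06:24 UTC, so use the edge timestamp for timelines.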