Cloudflare Integration Guide
The following instructions are for configuring Cloudflare to facilitate log ingestion into Secureworks® Taegis™ XDR. This integration leverages Cloudflare's Logpush to forward logs.
Data Provided from Integration
The following Cloudflare log types are supported by XDR.
Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
---|---|---|---|
Cloudflare | CloudAudit, NIDS, Thirdparty | DNS, HTTP, Netflow |
Note
Cloudflare event types not listed above are normalized to the generic schema.
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure Cloudflare Logpush Destinations
XDR supports the following Logpush destinations:
- Amazon S3 (Secureworks-Managed)
- Amazon S3 (Customer-Managed)
- HTTP
Sending Logs to S3 (Secureworks-Managed)
1. Follow the instructions in the XDR documentation to create an S3 Ingest - Secureworks-Managed (with ownership token challenge) integration.
2. Choose the IAM User option and enter arn:aws:iam::391854517948:user/cloudflare-logpush as the IAM User value.
3. Make note of the following integration parameters:
   - AccessPointAlias
   - AWSRegion
   - LogsFolderPath
4. Follow the instructions in the Cloudflare documentation to configure log forwarding to an S3 bucket.
   Note
   The appropriate S3 bucket access policy is applied by XDR as part of Step 1.
5. Enter the following fields:
   - Bucket — The AccessPointAlias value
   - Path — The LogsFolderPath value
   - Organize logs into daily subfolders — Enabled
   - My policy requires AWS SSE-S3 AES256 Server Side Encryption — Enabled
6. Cloudflare will send a file to your designated destination to prove S3 bucket ownership. Reload the integration details tab in XDR and copy the OwnershipToken value.
7. Enter the token in the Cloudflare dashboard to verify your access to the S3 bucket.
Sending Logs to S3 (Customer-Managed)
Follow the instructions in the Cloudflare documentation to configure log forwarding to an S3 bucket.
Deploy the XDR Lambda Function in Your AWS Environment
Follow all steps in these instructions to deploy the Lambda function that will send Cloudflare logs from your S3 bucket to XDR.
Note
The above instructions reference CloudTrail; however, the mechanism to send logs from S3 to XDR is data source-agnostic. You must follow all steps in the instructions.
Sending Logs to an HTTP Receiver
Follow the instructions in the Cloudflare documentation to configure log forwarding to an HTTP destination.
Log Fields to Send to XDR
Configure Logpush to send the following fields to XDR.
Firewall events
- Action
- ClientASN
- ClientASNDescription
- ClientCountry
- ClientIP
- ClientIPClass
- ClientRefererHost
- ClientRefererPath
- ClientRefererQuery
- ClientRefererScheme
- ClientRequestHost
- ClientRequestMethod
- ClientRequestPath
- ClientRequestProtocol
- ClientRequestQuery
- ClientRequestScheme
- ClientRequestUserAgent
- Datetime
- Description
- EdgeColoCode
- EdgeResponseStatus
- Kind
- MatchIndex
- Metadata
- OriginResponseStatus
- OriginatorRayID
- RayID
- Ref
- RuleID
- Source
HTTP requests
- ClientASN
- ClientCountry
- ClientDeviceType
- ClientIP
- ClientIPClass
- ClientRequestBytes
- ClientRequestHost
- ClientRequestMethod
- ClientRequestPath
- ClientRequestProtocol
- ClientRequestReferer
- ClientRequestScheme
- ClientRequestSource
- ClientRequestURI
- ClientRequestUserAgent
- ClientSrcPort
- EdgeEndTimestamp
- EdgeStartTimestamp
- EdgeRateLimitAction
- EdgeRateLimitID
- EdgeRequestHost
- EdgeResponseBytes
- EdgeResponseContentType
- EdgeResponseStatus
- EdgeServerIP
- SecurityActions
- SecurityRuleIDs
- SecuritySources
- OriginIP
- OriginResponseStatus
- RayID
- RequestHeaders
- ResponseHeaders
- SecurityLevel
- SecurityAction
- WAFAttackScore
- SecurityRuleID
- SecurityRuleDescription
- ZoneID
- ZoneName
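The Secureworks-managed S3 procedure and the two field lists above can be turned into Logpush job definitions instead of being typed into the dashboard. This is an added example, not code from Taegis or Cloudflare; the request shapes (destination_conf query string, {DATE} placeholder, logpull_options, dataset names, ownership_challenge) follow Cloudflare's public Logpush API as the author understands it and should be checked against the Cloudflare documentation the guide links to. The integration parameter values are constructed placeholders.

```python
"""Build the Logpush job that sends Cloudflare logs to the Secureworks-managed S3
destination (steps 3 to 7 above). Added example, not code from Taegis or Cloudflare;
the API request shapes follow Cloudflare's public Logpush API and should be checked
against the Cloudflare documentation the guide links to."""

# Integration parameters from the XDR integration details tab (constructed placeholders).
ACCESS_POINT_ALIAS = "example-alias-s3alias"   # AccessPointAlias (used as the Bucket)
LOGS_FOLDER_PATH = "cloudflare"                # LogsFolderPath (used as the Path)
AWS_REGION = "us-east-1"                       # AWSRegion

# Field lists from "Log Fields to Send to XDR"; order does not matter to Logpush.
FIREWALL_EVENT_FIELDS = """Action ClientASN ClientASNDescription ClientCountry ClientIP
ClientIPClass ClientRefererHost ClientRefererPath ClientRefererQuery ClientRefererScheme
ClientRequestHost ClientRequestMethod ClientRequestPath ClientRequestProtocol ClientRequestQuery
ClientRequestScheme ClientRequestUserAgent Datetime Description EdgeColoCode EdgeResponseStatus
Kind MatchIndex Metadata OriginResponseStatus OriginatorRayID RayID Ref RuleID Source""".split()

HTTP_REQUEST_FIELDS = """ClientASN ClientCountry ClientDeviceType ClientIP ClientIPClass
ClientRequestBytes ClientRequestHost ClientRequestMethod ClientRequestPath ClientRequestProtocol
ClientRequestReferer ClientRequestScheme ClientRequestSource ClientRequestURI ClientRequestUserAgent
ClientSrcPort EdgeEndTimestamp EdgeStartTimestamp EdgeRateLimitAction EdgeRateLimitID
EdgeRequestHost EdgeResponseBytes EdgeResponseContentType EdgeResponseStatus EdgeServerIP
SecurityActions SecurityRuleIDs SecuritySources OriginIP OriginResponseStatus RayID RequestHeaders
ResponseHeaders SecurityLevel SecurityAction WAFAttackScore SecurityRuleID SecurityRuleDescription
ZoneID ZoneName""".split()

def destination_conf(alias, path, region):
    """Bucket = AccessPointAlias, Path = LogsFolderPath. {DATE} is Logpush's placeholder
    for daily subfolders and sse=AES256 satisfies the SSE-S3 requirement from step 5."""
    return f"s3://{alias}/{path.strip('/')}/{{DATE}}?region={region}&sse=AES256"

def job_body(dataset, fields, dest, ownership_token):
    """Body for POST /zones/{zone_id}/logpush/jobs. ownership_token is the OwnershipToken
    value copied from XDR in step 6; Cloudflare rejects the job without a valid one."""
    return {
        "name": f"taegis-{dataset}",
        "dataset": dataset,                  # "firewall_events" or "http_requests"
        "enabled": True,
        "destination_conf": dest,
        "ownership_challenge": ownership_token,
        "logpull_options": "fields=" + ",".join(fields),
    }

if __name__ == "__main__":
    import json
    dest = destination_conf(ACCESS_POINT_ALIAS, LOGS_FOLDER_PATH, AWS_REGION)
    for dataset, fields in (("firewall_events", FIREWALL_EVENT_FIELDS),
                            ("http_requests", HTTP_REQUEST_FIELDS)):
        print(json.dumps(job_body(dataset, fields, dest, "<OwnershipToken>"), indent=2))
```

One job is needed per dataset, since a Logpush job carries a single dataset; both jobs can share the same destination_conf and ownership token.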
Advanced Search Using the Query Language
Example Query Language Searches
To search for http events from the last 24 hours:
```
FROM http WHERE sensor_type = 'Cloudflare' and EARLIEST=-24h
```
To search for netflow events:
```
FROM netflow WHERE sensor_type = 'Cloudflare'
```
To search for events from Cloudflare that were Not Blocked:
```
WHERE sensor_type = 'Cloudflare' AND blocked = 0
```
To search for nids events for a specific host:
```
FROM nids WHERE sensor_type = 'Cloudflare' AND @ip = 10.10.10.10
```
Event Details
Sample Logs
Cloudflare
```
Feb 22 18:33:31 10.10.10.10 {"CacheCacheStatus":"unknown","CacheResponseBytes":0,"CacheResponseStatus":0,"CacheTieredFill":false,"ClientASN":150,"ClientCountry":"us","ClientDeviceType":"desktop","ClientIP":"192.168.10.10","ClientIPClass":"noRecord","ClientRequestBytes":513,"ClientRequestHost":"host-id.example.com","ClientRequestMethod":"GET","ClientRequestPath":"/test.json","ClientRequestReferer":"","ClientRequestURI":"/test.json","ClientRequestUserAgent":"","ClientSSLCipher":"NONE","ClientSSLProtocol":"none","ClientSrcPort":63166,"EdgeColoCode":"ORD","EdgeColoID":555,"EdgeEndTimestamp":1708625184893000000,"EdgePathingOp":"wl","EdgePathingSrc":"macro","EdgePathingStatus":"nr","EdgeRateLimitAction":"","EdgeRateLimitID":0,"EdgeRequestHost":"","EdgeResponseBytes":4951,"EdgeResponseCompressionRatio":1,"EdgeResponseContentType":"text/html","EdgeResponseStatus":403,"EdgeServerIP":"","EdgeStartTimestamp":1708625184882000000,"FirewallMatchesActions":["block"],"FirewallMatchesRuleIDs":["111038"],"FirewallMatchesSources":["waf"],"OriginIP":"","OriginResponseHTTPExpires":"","OriginResponseHTTPLastModified":"","OriginResponseStatus":0,"OriginResponseTime":0,"OriginSSLProtocol":"unknown","ParentRayID":"00","RayID":"8888888888888888","SecurityLevel":"med","WAFAction":"drop","WAFFlags":"0","WAFMatchedVar":"","WAFProfile":"med","WAFRuleID":"111038","WAFRuleMessage":"Information Disclosure - Common Files","WorkerCPUTime":0,"WorkerStatus":"unknown","WorkerSubrequest":false,"WorkerSubrequestCount":0,"ZoneID":143666688}
```
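The sample above is a syslog header followed by one Logpush JSON object, with edge timestamps in Unix nanoseconds and the WAF verdict spread across several fields. The following added example (not Taegis code) parses such a line and reduces it to the handful of keys a triage query would use; the embedded line is the page's sample trimmed to the fields the code reads, i.e. constructed from it rather than captured.

```python
"""Parse a Cloudflare Logpush line as received by XDR and reduce it to the fields a
triage query would use. Added example, not Taegis code; the embedded line is the page's
sample log trimmed to the fields this code reads (constructed from it, not captured)."""
import json
from datetime import datetime, timedelta, timezone

SAMPLE = ('Feb 22 18:33:31 10.10.10.10 {"ClientIP":"192.168.10.10",'
          '"ClientRequestHost":"host-id.example.com","ClientRequestMethod":"GET",'
          '"ClientRequestPath":"/test.json","EdgeResponseStatus":403,'
          '"EdgeStartTimestamp":1708625184882000000,"FirewallMatchesActions":["block"],'
          '"FirewallMatchesRuleIDs":["111038"],"FirewallMatchesSources":["waf"],'
          '"RayID":"8888888888888888","WAFAction":"drop",'
          '"WAFRuleMessage":"Information Disclosure - Common Files","ZoneID":143666688}')

def split_syslog_prefix(line):
    """Logpush emits one JSON object per line; a syslog relay in front of the receiver
    may prepend a header (timestamp and relay IP). The event starts at the first '{'."""
    start = line.find("{")
    if start < 0:
        raise ValueError("no JSON object in line")
    return line[:start].strip(), json.loads(line[start:])

def edge_time(ns):
    """EdgeStartTimestamp/EdgeEndTimestamp are Unix nanoseconds unless the job asked for
    rfc3339 timestamps; integer arithmetic keeps the milliseconds exact."""
    return (datetime.fromtimestamp(ns // 10**9, tz=timezone.utc)
            + timedelta(microseconds=(ns % 10**9) // 1000))

def summarize(line):
    """Flatten one event to the keys used for triage. The recommended field list sends
    SecurityActions/SecurityRuleIDs; this sample carries the older FirewallMatches* names."""
    header, ev = split_syslog_prefix(line)
    actions = ev.get("SecurityActions") or ev.get("FirewallMatchesActions") or []
    rule_ids = ev.get("SecurityRuleIDs") or ev.get("FirewallMatchesRuleIDs") or []
    return {
        "relay": header.split()[-1] if header else None,   # syslog source, not the client
        "time": edge_time(ev["EdgeStartTimestamp"]).isoformat(timespec="milliseconds"),
        "client_ip": ev.get("ClientIP"),
        "request": f"{ev.get('ClientRequestMethod')} {ev.get('ClientRequestHost')}{ev.get('ClientRequestPath')}",
        "status": ev.get("EdgeResponseStatus"),
        "blocked": "block" in actions or ev.get("WAFAction") == "drop",
        "rule_ids": rule_ids,
        "ray_id": ev.get("RayID"),                          # pivot key back to Cloudflare
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Note that the syslog header time (18:33:31) is when the relay received the line, while EdgeStartTimestamp (18:06:24.882 UTC) is when Cloudflare handled the request; use the latter for timelines.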