Cloudflare
SIEM (InsightIDR) can now parse logs from Cloudflare. The Cloudflare event source reads from an Amazon S3 bucket that you own: Cloudflare's Logpush mechanism delivers log files to that bucket, our Collectors consume the files from the bucket, and the logs are then pushed to SIEM (InsightIDR) to be parsed.
Initially, SIEM (InsightIDR) ingests Cloudflare logs into the "Raw Logs" log set. See the Log Example section of this topic for an example of a Cloudflare log.
To set up Cloudflare, you’ll need to:
We also provide Log Examples.
Review the Requirements
To configure Cloudflare to send data to SIEM (InsightIDR), you must first configure an AWS S3 bucket as the destination that Cloudflare writes to and that SIEM (InsightIDR) reads from. You will need access to the Logpush API, which is currently available only on the Enterprise tier of Cloudflare. Configure an Amazon S3 destination through either the Cloudflare dashboard or the API. Once log files appear in the S3 bucket, you can set up the event source in SIEM (InsightIDR).
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
To configure the new event source in SIEM (InsightIDR):
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
  - Search for Cloudflare in the event sources search bar.
  - In the Product Type filter, select Cloud Service.
- Select the Cloudflare event source tile.
- Choose your Collector and select Cloudflare as your event source. You also have the option to name your event source.
- If you are sending additional events beyond alerts, select the unfiltered logs checkbox.
- Specify the authentication and path information for the S3 bucket that was created by Cloudflare.
- Click Save.
Verify the Configuration
Complete these steps to view your logs and ensure events are being sent to the Collector.
- On the new event source that was just created, click View Raw Log. If you see log messages in the box, logs are flowing to the Collector.
- Click Log Search in the left menu.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name, or Cloudflare if you did not name the event source. Cloudflare logs flow into the Raw Logs log set.
Log Example
```json
{
  "Datetime": "2022-08-15T01:40:59Z",
  "Action": "allow",
  "Kind": "firewall",
  "Source": "firewallrules",
  "ClientIP": "123.123.123.123",
  "ClientASNDescription": "R7-RAPID7",
  "ClientIPClass": "noRecord",
  "ClientCountry": "us",
  "ClientASN": 14618,
  "ClientRequestMethod": "GET",
  "ClientRequestUserAgent": "Rapid7 - Mobile",
  "ClientRequestPath": "/client/request/path/",
  "ClientRequestQuery": "?key=value",
  "ClientRequestScheme": "https",
  "ClientRequestHost": "www.rapid7.com",
  "ClientRefererHost": "www.rapid7.com",
  "ClientRefererPath": "/client/reference/path/",
  "ClientRefererQuery": "",
  "ClientRefererScheme": "https",
  "EdgeColoCode": "IAD",
  "EdgeResponseStatus": 200,
  "RuleID": "e8d36d34b4ed4b718acfdfeb30f64b2b",
  "MessageRule": "",
  "OriginatorRayID": "00",
  "RayID": "73ae39ad9c3182e6",
  "MatchIndex": 0
}
```
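The firewall event above is one record of the newline-delimited JSON that Logpush writes to the bucket, one JSON object per line, usually in gzip-compressed files. The Python script below is an added illustration, not Rapid7's or Cloudflare's own code: it parses a batch of such lines using the field names from the sample above, drops malformed lines instead of aborting the whole file, reads either plain or gzip-compressed Logpush files, and summarises enforcement actions per RuleID and per client IP, which is the kind of baseline a defender checks before tuning a rule or writing a detection in Log Search. The sample lines, the client IPs and the second RuleID are constructed values.

```python
"""Parse Cloudflare Logpush firewall events (NDJSON) and summarise enforcement.

Added example; not part of the Rapid7 or Cloudflare tooling described on this page.
Field names follow the firewall event sample on the page; sample data is constructed.
"""
import gzip
import json
from collections import Counter
from pathlib import Path
from typing import Iterable

# Constructed sample batch: four firewall events plus one corrupt line, in the
# one-object-per-line layout that Logpush delivers.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"Datetime": "2022-08-15T01:40:59Z", "Action": "allow", "Kind": "firewall",
                "Source": "firewallrules", "ClientIP": "123.123.123.123",
                "ClientRequestMethod": "GET", "ClientRequestHost": "www.rapid7.com",
                "ClientRequestPath": "/client/request/path/", "EdgeResponseStatus": 200,
                "RuleID": "e8d36d34b4ed4b718acfdfeb30f64b2b", "RayID": "73ae39ad9c3182e6"}),
    json.dumps({"Datetime": "2022-08-15T01:41:03Z", "Action": "block", "Kind": "firewall",
                "Source": "firewallrules", "ClientIP": "198.51.100.7",
                "ClientRequestMethod": "POST", "ClientRequestHost": "www.rapid7.com",
                "ClientRequestPath": "/login", "EdgeResponseStatus": 403,
                "RuleID": "e8d36d34b4ed4b718acfdfeb30f64b2b", "RayID": "73ae39ad9c3182e7"}),
    json.dumps({"Datetime": "2022-08-15T01:41:05Z", "Action": "block", "Kind": "firewall",
                "Source": "firewallrules", "ClientIP": "198.51.100.7",
                "ClientRequestMethod": "POST", "ClientRequestHost": "www.rapid7.com",
                "ClientRequestPath": "/api/export", "EdgeResponseStatus": 403,
                "RuleID": "e8d36d34b4ed4b718acfdfeb30f64b2b", "RayID": "73ae39ad9c3182e8"}),
    "this line is not json",  # simulates a truncated write; must not abort the batch
    json.dumps({"Datetime": "2022-08-15T01:41:09Z", "Action": "challenge", "Kind": "firewall",
                "Source": "firewallrules", "ClientIP": "203.0.113.9",
                "ClientRequestMethod": "GET", "ClientRequestHost": "www.rapid7.com",
                "ClientRequestPath": "/", "EdgeResponseStatus": 200,
                # constructed RuleID, not a real Cloudflare rule
                "RuleID": "0f1e2d3c4b5a69788796a5b4c3d2e1f0", "RayID": "73ae39ad9c3182e9"}),
])


def parse_events(lines: Iterable[str]) -> tuple[list[dict], int]:
    """Parse NDJSON lines into firewall event dicts.

    Returns (events, skipped): lines that are empty, not valid JSON, not an
    object, or not a firewall event are counted in `skipped` and dropped, so one
    bad line never loses the rest of the file.
    """
    events: list[dict] = []
    skipped = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(obj, dict) or obj.get("Kind") != "firewall":
            skipped += 1
            continue
        events.append(obj)
    return events, skipped


def read_logpush_file(path: Path) -> tuple[list[dict], int]:
    """Read a Logpush file from disk; handles both .gz and plain NDJSON."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return parse_events(fh)


def enforcement_summary(events: list[dict]) -> dict:
    """Per-rule action counts and the client IPs repeatedly hitting non-allow actions."""
    by_rule: Counter = Counter()
    non_allow_by_ip: Counter = Counter()
    for ev in events:
        action = ev.get("Action", "unknown")
        by_rule[(ev.get("RuleID", ""), action)] += 1
        if action != "allow":
            non_allow_by_ip[ev.get("ClientIP", "")] += 1
    return {"by_rule": dict(by_rule), "non_allow_by_ip": dict(non_allow_by_ip)}


if __name__ == "__main__":
    parsed, bad = parse_events(SAMPLE_NDJSON.splitlines())
    print(f"parsed {len(parsed)} events, skipped {bad} line(s)")
    for (rule_id, action), n in sorted(enforcement_summary(parsed)["by_rule"].items()):
        print(f"{rule_id} {action:>9} {n}")
```

Run the script directly to see the per-rule counts for the constructed batch, or point `read_logpush_file` at a file downloaded from the bucket to run the same summary over real Logpush output. Filtering on `Kind == "firewall"` keeps the summary honest if the same bucket later receives other Logpush datasets.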