Cloudflare

SIEM (InsightIDR) ingests logs from Cloudflare and adds them to the Raw Logs log set. Cloudflare’s Logpush mechanism delivers the logs to an Amazon S3 bucket that you own; our collectors then consume the logs from that bucket and push them to SIEM (InsightIDR).

To set up Cloudflare:

  1. Read the requirements and complete any prerequisite steps
  2. Configure SIEM (InsightIDR) to collect data from the event source
  3. Test the configuration

You can also:

Requirements

To send Cloudflare logs to SIEM (InsightIDR), first configure Cloudflare Logpush to deliver data to an Amazon S3 bucket. This requires access to the Logpush API, which is available on Cloudflare Enterprise plans.

Next, configure an Amazon S3 destination using the Cloudflare dashboard or API. After log files begin appearing in your S3 bucket, you can configure the Cloudflare event source in SIEM (InsightIDR).

Configure SIEM (InsightIDR) to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).

To configure the new event source in SIEM (InsightIDR):

  1. Go to Data Collection.
  2. On the Event Sources tab, click Add Event Source.
  3. Do one of the following:
    • Search for Cloudflare in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  4. Select the Cloudflare event source tile.
  5. Name the event source. This will become the name of the log that contains the event data in Log Search.
  6. Choose the Collector running in your AWS environment.
  7. If you are sending additional events beyond alerts, select the unfiltered logs checkbox.
  8. Specify the authentication and path information for the S3 bucket that was created by Cloudflare.
  9. Click Save.

Test the configuration

Complete these steps to view your logs and ensure events are being sent to the Collector.

  1. On the new event source that was just created, click View Raw Log. If you see log messages in the box, this shows that logs are flowing to the Collector.
  2. Click Log Search in the left menu.
  3. Select the applicable log sets and the log names within them. The log name will be the event source name or Cloudflare if you did not name the event source. Cloudflare logs flow into the Raw Logs log set.

Sample logs

{
  "Datetime": "2022-08-15T01:40:59Z",
  "Action": "allow",
  "Kind": "firewall",
  "Source": "firewallrules",
  "ClientIP": "123.123.123.123",
  "ClientASNDescription": "R7-RAPID7",
  "ClientIPClass": "noRecord",
  "ClientCountry": "us",
  "ClientASN": 14618,
  "ClientRequestMethod": "GET",
  "ClientRequestUserAgent": "Rapid7 - Mobile",
  "ClientRequestPath": "/client/request/path/",
  "ClientRequestQuery": "?key=value",
  "ClientRequestScheme": "https",
  "ClientRequestHost": "www.rapid7.com",
  "ClientRefererHost": "www.rapid7.com",
  "ClientRefererPath": "/client/reference/path/",
  "ClientRefererQuery": "",
  "ClientRefererScheme": "https",
  "EdgeColoCode": "IAD",
  "EdgeResponseStatus": 200,
  "RuleID": "e8d36d34b4ed4b718acfdfeb30f64b2b",
  "MessageRule": "",
  "OriginatorRayID": "00",
  "RayID": "73ae39ad9c3182e6",
  "MatchIndex": 0
}
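As an added example (not code from this documentation, Rapid7 or Cloudflare), the following shows how an analyst reproducing the Collector's work might read a Logpush object from the S3 bucket and parse its firewall events: Logpush writes newline-delimited JSON, gzip-compressed by default, in the field layout shown above. The first sample record mirrors the page; the second and third records, their rule ID and the 198.51.100.7 client address are constructed.

```python
import gzip
import json
from collections import Counter
from typing import Iterable

# Constructed sample: three Logpush firewall events as NDJSON (one JSON object
# per line). Line 1 follows the record on this page; lines 2 and 3 are made up.
SAMPLE_NDJSON = """\
{"Datetime": "2022-08-15T01:40:59Z", "Action": "allow", "Kind": "firewall", "Source": "firewallrules", "ClientIP": "123.123.123.123", "ClientCountry": "us", "ClientRequestMethod": "GET", "ClientRequestHost": "www.rapid7.com", "ClientRequestPath": "/client/request/path/", "EdgeResponseStatus": 200, "RuleID": "e8d36d34b4ed4b718acfdfeb30f64b2b", "RayID": "73ae39ad9c3182e6"}
{"Datetime": "2022-08-15T01:41:03Z", "Action": "block", "Kind": "firewall", "Source": "waf", "ClientIP": "198.51.100.7", "ClientCountry": "xx", "ClientRequestMethod": "POST", "ClientRequestHost": "www.rapid7.com", "ClientRequestPath": "/login", "EdgeResponseStatus": 403, "RuleID": "constructed-rule-1", "RayID": "73ae39ad9c3182e7"}
{"Datetime": "2022-08-15T01:41:09Z", "Action": "block", "Kind": "firewall", "Source": "waf", "ClientIP": "198.51.100.7", "ClientCountry": "xx", "ClientRequestMethod": "POST", "ClientRequestHost": "www.rapid7.com", "ClientRequestPath": "/login", "EdgeResponseStatus": 403, "RuleID": "constructed-rule-1", "RayID": "73ae39ad9c3182e8"}
"""
# Constructed stand-in for the bytes of a Logpush object fetched from S3.
SAMPLE_GZ = gzip.compress(SAMPLE_NDJSON.encode("utf-8"))


def read_logpush_object(data: bytes) -> str:
    """Return the NDJSON text of an S3 object, gunzipping it if it carries the gzip magic bytes."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def parse_logpush_lines(text: str) -> list[dict]:
    """Parse NDJSON into dicts; skip blank lines, fail loudly on a malformed record."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed Logpush record") from exc
    return events


def summarize_blocks(events: Iterable[dict]) -> dict:
    """Count non-allow firewall actions per ClientIP and list the RuleIDs that fired for each."""
    blocked = Counter()
    rules = {}
    for ev in events:
        if ev.get("Kind") != "firewall" or ev.get("Action") == "allow":
            continue
        ip = ev.get("ClientIP", "unknown")
        blocked[ip] += 1
        rules.setdefault(ip, set()).add(ev.get("RuleID", ""))
    return {"blocked_per_ip": dict(blocked),
            "rules_per_ip": {ip: sorted(r) for ip, r in rules.items()}}


if __name__ == "__main__":
    print(summarize_blocks(parse_logpush_lines(read_logpush_object(SAMPLE_GZ))))
```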