Cloudflare for Microsoft Sentinel CCF

Solution: Cloudflare CCF



| Attribute | Value |
| --- | --- |
| Publisher | Cloudflare |
| Support Tier | Partner |
| Support Link | https://support.cloudflare.com |
| Categories | domains |
| Version | 3.0.0 |
| Author | Cloudflare - support@cloudflare.com |
| First Published | 2025-09-30 |
| Last Updated | 2026-02-11 |
| Solution Folder | Cloudflare CCF |
| Marketplace | Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 ratings) · Popularity: ⚪ Very Low (0%) |

The Cloudflare solution provides the capability to ingest Cloudflare logs into Microsoft Sentinel using the Codeless Connector Framework (CCF) and Azure Blob Storage. Refer to Cloudflare documentation for more information.

Underlying Microsoft Technologies used:

a. Codeless Connector Framework

b. Azure Monitor HTTP Data Collector API (for reference, legacy support)

Contents

Data Connectors

This solution provides 1 data connector(s):

Tables Used

This solution uses 2 table(s):

| Table | Used By Connectors | Used By Content |
| --- | --- | --- |
| CloudflareV2_CL | Cloudflare (Using Blob Container) (via Codeless Connector Framework) | Analytics, Hunting, Workbooks |
| Cloudflare_CL 🔶 | - | Analytics, Hunting, Workbooks |

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 22 content item(s):

| Content Type | Count |
| --- | --- |
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
| --- | --- | --- | --- |
| Cloudflare - Bad client IP | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Client request from country in blocklist | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Empty user agent | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Multiple error requests from single source | Low | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Multiple user agents for single source | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected POST requests | Medium | Persistence, CommandAndControl | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected URI | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected client request | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - WAF Allowed threat | High | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - XSS probing pattern in request | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |

Hunting Queries

| Name | Tactics | Tables Used |
| --- | --- | --- |
| Cloudflare - Client TLS errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Client errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Files requested | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Rare user agents | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Server TLS errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Server errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Top Network rules | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Top WAF rules | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected countries | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected edge response | InitialAccess | CloudflareV2_CL, Cloudflare_CL |

Workbooks

| Name | Tables Used |
| --- | --- |
| Cloudflare | CloudflareV2_CL, Cloudflare_CL |

Parsers

| Name | Description | Tables Used |
| --- | --- | --- |
| Cloudflare | - | CloudflareV2_CL (read), Cloudflare_CL (read) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
| --- | --- | --- |
| 3.0.1 | 08-12-2025 | Fixed invalid GUIDs, updated analytic rules, aligned URL entity mappings with legacy Cloudflare solution |
| 3.0.0 | 02-10-2025 | Includes all CCF connector definitions and configurations. |
