Solution: Cloudflare
| Attribute | Value |
|---|---|
| Publisher | Cloudflare |
| Support Tier | Partner |
| Support Link | https://support.cloudflare.com |
| Categories | domains |
| Version | 3.0.1 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-10-20 |
| Solution Folder | Cloudflare |
| Marketplace | Azure Marketplace · Rating: ★★☆☆☆ 1.7/5 (3 ratings) · Popularity: 🟢 High (93%) |
The Cloudflare solution provides the capability to ingest Cloudflare logs into Microsoft Sentinel using Cloudflare Logpush and Azure Blob Storage. Refer to the Cloudflare documentation for more information.
Underlying Microsoft Technologies used:
This solution depends on the following technologies; some of these dependencies may be in preview or may incur additional ingestion or operational costs:
a. Azure Monitor HTTP Data Collector API
c. Codeless Connector Framework
NOTE: Microsoft recommends installing the "CloudflareDefinition" connector (via the Codeless Connector Framework). This connector is built on the Codeless Connector Framework (CCF), which uses the Logs Ingestion API and replaces ingestion via the deprecated HTTP Data Collector API. CCF-based data connectors also support Data Collection Rules (DCRs), which offer transformations and enrichment.
Important: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. Disable the older versions of these connectors to avoid duplication of data. Because the solution's analytic rules, hunting queries and parser read from both CloudflareV2_CL and Cloudflare_CL, overlapping ingestion surfaces as duplicated alerts and query results, not just duplicated rows.
This solution provides 2 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 2 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| CloudflareV2_CL | Cloudflare (Using Blob Container) (via Codeless Connector Framework) | Analytics, Hunting |
| Cloudflare_CL 🔶 | [DEPRECATED] Cloudflare | Analytics, Hunting, Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 22 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 10 |
| Hunting Queries | 10 |
| Workbooks | 1 |
| Parsers | 1 |
Analytic Rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Cloudflare - Bad client IP | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Client request from country in blocklist | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Empty user agent | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Multiple error requests from single source | Low | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Multiple user agents for single source | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected POST requests | Medium | Persistence, CommandAndControl | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected URI | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected client request | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - WAF Allowed threat | High | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - XSS probing pattern in request | Medium | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
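The analytic rules above are shipped as KQL over CloudflareV2_CL / Cloudflare_CL and the page does not reproduce their query text. As an added example (not code from this solution, from Microsoft or from Cloudflare), the Python below runs the logic implied by three of those rule names, "Empty user agent", "Multiple user agents for single source" and "Multiple error requests from single source", over constructed Cloudflare Logpush HTTP request records in the newline-delimited JSON form that Logpush writes to the Blob container. Field names follow Cloudflare's HTTP requests Logpush dataset (ClientIP, ClientRequestUserAgent, EdgeResponseStatus, ClientRequestURI); the sample records, the thresholds and the function names are assumptions chosen for the example, not the solution's configured values. One malformed line is included so the parser shows the "broken events" handling the change history refers to: a bad line is counted and skipped rather than failing the batch.

```python
"""Added example: detection logic over constructed Cloudflare Logpush NDJSON.

Not part of the Cloudflare solution. Field names follow Cloudflare's HTTP
requests Logpush dataset; sample data and thresholds are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample (not real traffic). Seven valid records plus one broken line.
SAMPLE_LOGPUSH_NDJSON = """\
{"EdgeStartTimestamp":"2024-09-05T10:00:00Z","ClientIP":"203.0.113.10","ClientRequestUserAgent":"Mozilla/5.0","ClientRequestURI":"/","EdgeResponseStatus":200}
{"EdgeStartTimestamp":"2024-09-05T10:00:01Z","ClientIP":"203.0.113.10","ClientRequestUserAgent":"curl/8.0","ClientRequestURI":"/admin","EdgeResponseStatus":403}
{"EdgeStartTimestamp":"2024-09-05T10:00:02Z","ClientIP":"203.0.113.10","ClientRequestUserAgent":"python-requests/2.31","ClientRequestURI":"/wp-login.php","EdgeResponseStatus":404}
{"EdgeStartTimestamp":"2024-09-05T10:00:03Z","ClientIP":"203.0.113.10","ClientRequestUserAgent":"Go-http-client/1.1","ClientRequestURI":"/.env","EdgeResponseStatus":404}
{"EdgeStartTimestamp":"2024-09-05T10:00:04Z","ClientIP":"198.51.100.7","ClientRequestUserAgent":"","ClientRequestURI":"/api/health","EdgeResponseStatus":200}
{"EdgeStartTimestamp":"2024-09-05T10:00:05Z","ClientIP":"192.0.2.44","ClientRequestUserAgent":"Mozilla/5.0","ClientRequestURI":"/","EdgeResponseStatus":200}
not json at all
{"EdgeStartTimestamp":"2024-09-05T10:00:06Z","ClientIP":"203.0.113.10","ClientRequestUserAgent":"Mozilla/5.0","ClientRequestURI":"/login","EdgeResponseStatus":500}
"""


def parse_logpush(ndjson: str):
    """Parse NDJSON Logpush output. Returns (records, number_of_broken_lines).

    A line that is not a JSON object is counted as broken and skipped so that
    one bad event does not discard the whole batch.
    """
    records, broken = [], 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            broken += 1
            continue
        if isinstance(obj, dict):
            records.append(obj)
        else:
            broken += 1
    return records, broken


def empty_user_agent(records):
    """Client IPs that sent at least one request with a missing or empty User-Agent."""
    return {r.get("ClientIP") for r in records if not r.get("ClientRequestUserAgent")}


def multiple_user_agents(records, threshold=3):
    """Client IPs presenting at least `threshold` distinct non-empty User-Agents.

    Rotating tooling (browser, curl, python-requests, Go client) from one source
    is a common scanner / brute-force signature.
    """
    agents = defaultdict(set)
    for r in records:
        ua = r.get("ClientRequestUserAgent")
        if ua:
            agents[r.get("ClientIP")].add(ua)
    return {ip: len(s) for ip, s in agents.items() if len(s) >= threshold}


def multiple_errors(records, threshold=3):
    """Client IPs that received at least `threshold` 4xx/5xx edge responses."""
    errors = defaultdict(int)
    for r in records:
        status = r.get("EdgeResponseStatus")
        if isinstance(status, int) and status >= 400:
            errors[r.get("ClientIP")] += 1
    return {ip: n for ip, n in errors.items() if n >= threshold}


def run_detections(ndjson: str):
    """Run all three detections over one NDJSON batch and return the findings."""
    records, broken = parse_logpush(ndjson)
    return {
        "broken_events": broken,
        "empty_user_agent": empty_user_agent(records),
        "multiple_user_agents": multiple_user_agents(records),
        "multiple_error_requests": multiple_errors(records),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOGPUSH_NDJSON).items():
        print(f"{name}: {result}")
```

On the sample, 203.0.113.10 trips both the distinct-user-agent and the error-count rules (four agents, four 4xx/5xx responses), 198.51.100.7 trips the empty-user-agent rule, and the broken line is reported as one skipped event. In Sentinel the same grouping is a `summarize dcount(...)` / `countif(...)` by client IP over the ingested table; the thresholds here are illustrative and should be tuned against the tenant's own traffic before alerting on them.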
Hunting Queries:
| Name | Tactics | Tables Used |
|---|---|---|
| Cloudflare - Client TLS errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Client errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Files requested | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Rare user agents | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Server TLS errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Server errors | InitialAccess, Impact | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Top Network rules | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Top WAF rules | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected countries | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
| Cloudflare - Unexpected edge response | InitialAccess | CloudflareV2_CL, Cloudflare_CL |
Workbooks:
| Name | Tables Used |
|---|---|
| Cloudflare | Cloudflare_CL |
Parsers:
| Name | Description | Tables Used |
|---|---|---|
| Cloudflare | - | CloudflareV2_CL (read), Cloudflare_CL (read) |
Change history:
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.2 | 05-09-2024 | Updated the python runtime version to 3.11 |
| 3.0.1 | 01-08-2023 | Updated logic in Data Connector to handle broken events. |
| 3.0.0 | 24-07-2023 | Updated logic in Hunting Query (Cloudflare - Client errors,Cloudflare - Server errors) |