Cloudflare WAF Modeling Rule

Modeling Rule

Cloudflare WAF

Details

IDCloudflare_WAF_ModelingRule
From Version8.2.0

Rules (XIF)

[MODEL: dataset=cloudflare_waf_raw]
alter
        eventType = if(edgeresponsebytes != null, "HTTP_requests", "")
// Modeling for http requests events
| filter
        eventType = "HTTP_requests"
| alter
		edgepathingop2 = if(edgepathingop = "wl", "passed", edgepathingop = "errHost", "error", edgepathingop = "ban", "blocked", edgepathingop),
		securityaction2 = if(securityaction != "" and securityaction != null, securityaction, null),
		edgeserverip4 = arrayindex(regextract(edgeserverip, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
		edgeserverip6 = arrayindex(regextract(edgeserverip, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
		originip4 = arrayindex(regextract(originip, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
		originip6 = arrayindex(regextract(originip, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
		response_status = to_string(coalesce(edgeresponsestatus, originresponsestatus)),
		clientrequestmethod_upper = uppercase(clientrequestmethod)
| alter
        xdm.event.type = eventType,
        xdm.source.asn.as_number = clientasn,
        xdm.source.location.country = clientcountry,
        xdm.source.host.device_category = clientdevicetype,
        xdm.source.ipv4 = arrayindex(regextract(clientip, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
        xdm.source.ipv6 = arrayindex(regextract(clientip, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
        xdm.source.location.region = clientregioncode,
        xdm.source.sent_bytes = to_integer(clientrequestbytes),
        xdm.network.http.domain = clientrequesthost,
        xdm.network.http.method = if(clientrequestmethod_upper = "ACL", XDM_CONST.HTTP_METHOD_ACL, clientrequestmethod_upper = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, clientrequestmethod_upper = "BIND", XDM_CONST.HTTP_METHOD_BIND, clientrequestmethod_upper = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, clientrequestmethod_upper = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, clientrequestmethod_upper = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, clientrequestmethod_upper = "COPY", XDM_CONST.HTTP_METHOD_COPY, clientrequestmethod_upper = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, clientrequestmethod_upper = "GET", XDM_CONST.HTTP_METHOD_GET, clientrequestmethod_upper = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, clientrequestmethod_upper = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, clientrequestmethod_upper = "LINK", XDM_CONST.HTTP_METHOD_LINK, clientrequestmethod_upper = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, clientrequestmethod_upper = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, clientrequestmethod_upper = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, clientrequestmethod_upper = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, clientrequestmethod_upper = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, clientrequestmethod_upper = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, clientrequestmethod_upper = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, clientrequestmethod_upper = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, clientrequestmethod_upper = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, clientrequestmethod_upper = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, clientrequestmethod_upper = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, clientrequestmethod_upper = "POST", XDM_CONST.HTTP_METHOD_POST, clientrequestmethod_upper = "PRI", XDM_CONST.HTTP_METHOD_PRI, clientrequestmethod_upper = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, clientrequestmethod_upper = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, clientrequestmethod_upper = "PUT", XDM_CONST.HTTP_METHOD_PUT, clientrequestmethod_upper = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, clientrequestmethod_upper = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, clientrequestmethod_upper = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, clientrequestmethod_upper = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, clientrequestmethod_upper = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, clientrequestmethod_upper = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, clientrequestmethod_upper = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, clientrequestmethod_upper = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, clientrequestmethod_upper = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, clientrequestmethod_upper = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, clientrequestmethod_upper = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, to_string(clientrequestmethod_upper)),
        xdm.network.http.url = concat(clientrequestscheme, "://", clientrequesthost, clientrequesturi),
        xdm.network.http.referrer = clientrequestreferer,
        xdm.source.user_agent = clientrequestuseragent,
        xdm.network.tls.cipher = clientsslcipher,
        xdm.network.tls.protocol_version = clientsslprotocol,
        xdm.source.port = to_integer(clientsrcport),
        xdm.observer.action = coalesce(securityaction2, edgepathingop2),
        xdm.target.sent_bytes = to_integer(edgeresponsebytes),
        xdm.network.http.response_code = if(response_status = "100", XDM_CONST.HTTP_RSP_CODE_CONTINUE, response_status = "101", XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, response_status = "102", XDM_CONST.HTTP_RSP_CODE_PROCESSING, response_status = "103", XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, response_status = "200", XDM_CONST.HTTP_RSP_CODE_OK, response_status = "201", XDM_CONST.HTTP_RSP_CODE_CREATED, response_status = "202", XDM_CONST.HTTP_RSP_CODE_ACCEPTED, response_status = "203", XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, response_status = "204", XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, response_status = "205", XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, response_status = "206", XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, response_status = "207", XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, response_status = "208", XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, response_status = "226", XDM_CONST.HTTP_RSP_CODE_IM_USED, response_status = "300", XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, response_status = "301", XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, response_status = "302", XDM_CONST.HTTP_RSP_CODE_FOUND, response_status = "303", XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, response_status = "304", XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, response_status = "305", XDM_CONST.HTTP_RSP_CODE_USE_PROXY, response_status = "307", XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, response_status = "308", XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, response_status = "400", XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, response_status = "401", XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, response_status = "402", XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, response_status = "403", XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, response_status = "404", XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, response_status = "405", XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, response_status = "406", XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, response_status = "407", XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, response_status = "408", XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, response_status = "409", XDM_CONST.HTTP_RSP_CODE_CONFLICT, response_status = "410", XDM_CONST.HTTP_RSP_CODE_GONE, response_status = "411", XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, response_status = "412", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, response_status = "413", XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, response_status = "414", XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, response_status = "415", XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, response_status = "416", XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, response_status = "417", XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, response_status = "421", XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, response_status = "422", XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, response_status = "423", XDM_CONST.HTTP_RSP_CODE_LOCKED, response_status = "424", XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, response_status = "425", XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, response_status = "426", XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, response_status = "428", XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, response_status = "429", XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, response_status = "431", XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, response_status = "451", XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, response_status = "500", XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, response_status = "501", XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, response_status = "502", XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, response_status = "503", XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, response_status = "504", XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, response_status = "505", XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, response_status = "506", XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, response_status = "507", XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, response_status = "508", XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, response_status = "511", XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, response_status = null, null, to_string(response_status)),
        xdm.target.ipv4 = coalesce(edgeserverip4, originip4),
        xdm.target.ipv6 = coalesce(edgeserverip6, originip6),
        xdm.event.id = rayid,
        xdm.network.http.http_header.value = requestheaders,
        xdm.event.description = securityruledescription,
        xdm.network.rule = securityruleid,
        xdm.alert.severity = to_string(wafattackscore),
        xdm.target.zone = zonename;

Schema

cloudflare_waf_raw

Field Type Array?
ClientASN int
ClientCountry string
ClientDeviceType string
ClientRegionCode string
ClientRequestBytes int
ClientRequestHost string
ClientRequestMethod string
ClientRequestReferer string
ClientRequestScheme string
ClientRequestURI string
ClientRequestUserAgent string
ClientSSLCipher string
ClientSSLProtocol string
ClientSrcPort int
Datetime string
EdgePathingOp string
EdgeResponseBytes int
EdgeResponseStatus int
EdgeServerIP string
OriginIP string
OriginResponseStatus int
RayID string
RequestHeaders string
WAFAttackScore int
ZoneName string
clientip string
edgeendtimestamp datetime
securityaction string
securityruledescription string
securityruleid string
Raw JSON
{
    "cloudflare_waf_raw": {
      "EdgeResponseBytes": {
          "type": "int",
          "is_array": false
        },
      "EdgePathingOp": {
          "type": "string",
          "is_array": false
        },
      "EdgeServerIP": {
          "type": "string",
          "is_array": false
        },
      "OriginIP": {
          "type": "string",
          "is_array": false
        },
      "EdgeResponseStatus": {
          "type": "int",
          "is_array": false
        },
      "OriginResponseStatus": {
          "type": "int",
          "is_array": false
        },
      "ClientRequestMethod": {
          "type": "string",
          "is_array": false
        },
      "ClientASN": {
          "type": "int",
          "is_array": false
        },
      "ClientCountry": {
          "type": "string",
          "is_array": false
        },
      "ClientDeviceType": {
          "type": "string",
          "is_array": false
        },
      "ClientRegionCode": {
          "type": "string",
          "is_array": false
        },
      "ClientRequestBytes": {
          "type": "int",
          "is_array": false
        },
      "ClientRequestHost": {
          "type": "string",
          "is_array": false
        },
      "ClientRequestScheme": {
          "type": "string",
          "is_array": false
        },
      "ClientRequestURI": {
          "type": "string",
          "is_array": false
        },
      "ClientRequestReferer": {
          "type": "string",
          "is_array": false
        },
      "ClientRequestUserAgent": {
          "type": "string",
          "is_array": false
        },
      "ClientSSLCipher": {
          "type": "string",
          "is_array": false
        },
      "ClientSSLProtocol": {
          "type": "string",
          "is_array": false
        },
      "ClientSrcPort": {
          "type": "int",
          "is_array": false
        },
      "RayID": {
          "type": "string",
          "is_array": false
        },
      "RequestHeaders": {
          "type": "string",
          "is_array": false
        },
      "WAFAttackScore": {
          "type": "int",
          "is_array": false
        },
      "ZoneName": {
          "type": "string",
          "is_array": false
        },
      "securityaction": {
          "type": "string",
          "is_array": false
        },
      "clientip": {
        "type": "string",
        "is_array": false
      },
      "securityruledescription": {
        "type": "string",
        "is_array": false
      },
      "securityruleid": {
        "type": "string",
        "is_array": false
      },
      "edgeendtimestamp": {
        "type": "datetime",
        "is_array": false
      },
      "Datetime": {
        "type": "string",
        "is_array": false
      }
    }
}