Rules (XIF)
[MODEL: dataset = cloudflare_zerotrust_raw]
/* User & Account Audit logs
https://developers.cloudflare.com/api/operations/audit-logs-get-user-audit-logs
https://developers.cloudflare.com/api/operations/audit-logs-get-account-audit-logs */
filter SOURCE_LOG_TYPE in ("Account Audit Logs", "User Audit Logs")
| alter
action_type = action -> type, // A short string that describes the action that was performed.
action_result = action -> result, // A boolean that indicates if the action attempted was successful.
actor_ipv4 = if(actor -> ip ~= "(?:\d{1,3}\.){3}\d{1,3}", actor -> ip),
actor_ipv6 = if(actor -> ip ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", actor -> ip),
actor_type = actor -> type, // The type of actor, whether a User, Cloudflare Admin, or an Automated System. Allowed values: user, admin, Cloudflare
resource_new_value = if(newValue != null and newValue != "", newValue, to_string(newValueJson) != "{}", to_string(newValueJson)), // The new value of the resource that was modified.
resource_old_value = if(oldValue != null and oldValue != "", oldValue, to_string(oldValueJson) != "{}", to_string(oldValueJson)) // The value of the resource before it was modified.
| alter
xdm.auth.privilege_level = if( // The type of actor, whether a User, Cloudflare Admin, or an Automated System. Allowed values: user, admin, Cloudflare
actor_type = "user", XDM_CONST.PRIVILEGE_LEVEL_USER,
actor_type = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN,
actor_type in ("system", "Cloudflare"), XDM_CONST.PRIVILEGE_LEVEL_SYSTEM),
xdm.event.description = if(action -> info != null, action -> info, to_string(metadata) != "{}", to_string(metadata)), // An object which can lend more context to the action being logged. This is a flexible value and varies between different actions.
xdm.event.id = id, // A string that uniquely identifies the audit log.
xdm.event.operation = action_type, // A short string that describes the action that was performed.
xdm.event.original_event_type = action -> type, // A short string that describes the action that was performed.
xdm.event.outcome = if(to_boolean(action_result), XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED), // A boolean that indicates if the action attempted was successful.
xdm.event.type = SOURCE_LOG_TYPE,
xdm.observer.type = if(interface != "", interface), // The source of the event.
xdm.source.host.ipv4_public_addresses = if(actor_ipv4 != null and not incidr(actor_ipv4, "10.0.0.0/8") and not incidr(actor_ipv4, "172.16.0.0/12") and not incidr(actor_ipv4, "192.168.0.0/16") and not incidr(actor_ipv4, "127.0.0.0/8") and not incidr(actor_ipv4, "169.254.0.0/16") and not incidr(actor_ipv4, "100.64.0.0/10"), arraycreate(actor_ipv4)),
xdm.source.ipv4 = actor_ipv4,
xdm.source.ipv6 = actor_ipv6,
xdm.source.user.identifier = actor -> id, // The ID of the actor that performed the action. If a user performed the action, this will be their User ID.
xdm.source.user.user_type = if( // The type of actor, whether a User, Cloudflare Admin, or an Automated System. Allowed values: user, admin, Cloudflare
actor_type in ("user", "admin"), XDM_CONST.USER_TYPE_REGULAR,
actor_type = "Cloudflare", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
xdm.source.user.username = actor -> email, // The email of the user that performed the action.
xdm.target.resource_before.value = resource_old_value, // The value of the resource before it was modified.
xdm.target.resource.id = resource -> id, // An identifier for the resource that was affected by the action.
xdm.target.resource.parent_id = owner -> id,
xdm.target.resource.type = resource -> type, // A short string that describes the resource that was affected by the action.
xdm.target.resource.value = resource_new_value; // The new value of the resource that was modified.
/* Access authentication logs modeling for a future release
// Access authentication logs
// https://developers.cloudflare.com/api/operations/access-authentication-logs-get-access-authentication-logs
filter SOURCE_LOG_TYPE = "Access Authentication Logs"
| alter
user_ipv4 = if(ip_address ~= "(?:\d{1,3}\.){3}\d{1,3}", ip_address),
user_ipv6 = if(ip_address ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", ip_address)
| alter
xdm.auth.auth_method = connection, // The IdP method used to authenticate.
xdm.event.id = ray_id, // The unique identifier for the request to Cloudflare
xdm.event.original_event_type = action, // The event that occurred, such as a login attempt.
xdm.event.type = SOURCE_LOG_TYPE,
xdm.event.outcome = if(to_boolean(allowed), XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED), // The result of the authentication event.
xdm.source.host.ipv4_public_addresses = if(user_ipv4 != null and not incidr(user_ipv4, "10.0.0.0/8") and not incidr(user_ipv4, "172.16.0.0/12") and not incidr(user_ipv4, "192.168.0.0/16") and not incidr(user_ipv4, "127.0.0.0/8") and not incidr(user_ipv4, "169.254.0.0/16") and not incidr(user_ipv4, "100.64.0.0/10"), arraycreate(user_ipv4)),
xdm.source.ipv4 = user_ipv4, // The IPv4 address of the authenticating user.
xdm.source.ipv6 = user_ipv6, // The IPv6 address of the authenticating user.
xdm.source.user.username = user_email, // The email address of the authenticating user.
xdm.target.application.name = app_uid, // The unique identifier for the Access application.
xdm.target.url = app_domain; // The URL of the Access application.
*/
Schema
cloudflare_zerotrust_raw
| Field |
Type |
Array? |
SOURCE_LOG_TYPE |
string |
— |
action |
string |
— |
actor |
string |
— |
allowed |
boolean |
— |
app_domain |
string |
— |
app_uid |
string |
— |
connection |
string |
— |
id |
string |
— |
interface |
string |
— |
ip_address |
string |
— |
metadata |
string |
— |
newValue |
string |
— |
newValueJson |
string |
— |
oldValue |
string |
— |
oldValueJson |
string |
— |
owner |
string |
— |
ray_id |
string |
— |
resource |
string |
— |
user_email |
string |
— |
Raw JSON
{
"cloudflare_zerotrust_raw": {
"SOURCE_LOG_TYPE": {
"type": "string",
"is_array": false
},
"action": {
"type": "string",
"is_array": false
},
"actor": {
"type": "string",
"is_array": false
},
"allowed": {
"type": "boolean",
"is_array": false
},
"app_domain": {
"type": "string",
"is_array": false
},
"app_uid": {
"type": "string",
"is_array": false
},
"connection": {
"type": "string",
"is_array": false
},
"id": {
"type": "string",
"is_array": false
},
"interface": {
"type": "string",
"is_array": false
},
"ip_address": {
"type": "string",
"is_array": false
},
"metadata": {
"type": "string",
"is_array": false
},
"newValue": {
"type": "string",
"is_array": false
},
"newValueJson": {
"type": "string",
"is_array": false
},
"oldValue": {
"type": "string",
"is_array": false
},
"oldValueJson": {
"type": "string",
"is_array": false
},
"owner": {
"type": "string",
"is_array": false
},
"ray_id": {
"type": "string",
"is_array": false
},
"resource": {
"type": "string",
"is_array": false
},
"user_email": {
"type": "string",
"is_array": false
}
}
}