Cloudflare Zero Trust Modeling Rule

Modeling Rule

Cloudflare Zero Trust

Details

IDCloudflare_Zero_Trust_ModelingRule
From Version8.7.0

Rules (XIF)

[MODEL: dataset = cloudflare_zerotrust_raw]
/* User & Account Audit logs
   https://developers.cloudflare.com/api/operations/audit-logs-get-user-audit-logs 
   https://developers.cloudflare.com/api/operations/audit-logs-get-account-audit-logs */
filter SOURCE_LOG_TYPE in ("Account Audit Logs", "User Audit Logs")
| alter 
    action_type = action -> type, // A short string that describes the action that was performed.
    action_result = action -> result, // A boolean that indicates if the action attempted was successful.
    actor_ipv4 = if(actor -> ip ~= "(?:\d{1,3}\.){3}\d{1,3}", actor -> ip),
    actor_ipv6 = if(actor -> ip ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", actor -> ip),
    actor_type = actor -> type, // The type of actor, whether a User, Cloudflare Admin, or an Automated System. Allowed values: user, admin, Cloudflare
    resource_new_value = if(newValue != null and newValue != "", newValue, to_string(newValueJson) != "{}",  to_string(newValueJson)), // The new value of the resource that was modified.
    resource_old_value = if(oldValue != null and oldValue != "", oldValue, to_string(oldValueJson) != "{}", to_string(oldValueJson)) // The value of the resource before it was modified.
| alter 
    xdm.auth.privilege_level = if( // The type of actor, whether a User, Cloudflare Admin, or an Automated System. Allowed values: user, admin, Cloudflare
        actor_type = "user", XDM_CONST.PRIVILEGE_LEVEL_USER, 
        actor_type = "admin", XDM_CONST.PRIVILEGE_LEVEL_ADMIN, 
        actor_type in ("system", "Cloudflare"), XDM_CONST.PRIVILEGE_LEVEL_SYSTEM),
    xdm.event.description = if(action -> info != null, action -> info, to_string(metadata) != "{}", to_string(metadata)), // An object which can lend more context to the action being logged. This is a flexible value and varies between different actions.
    xdm.event.id = id, // A string that uniquely identifies the audit log.
    xdm.event.operation = action_type, // A short string that describes the action that was performed.
    xdm.event.original_event_type = action -> type, // A short string that describes the action that was performed.
    xdm.event.outcome = if(to_boolean(action_result), XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED), // A boolean that indicates if the action attempted was successful.
    xdm.event.type = SOURCE_LOG_TYPE,
    xdm.observer.type = if(interface != "", interface), // The source of the event.
    xdm.source.host.ipv4_public_addresses = if(actor_ipv4 != null and not incidr(actor_ipv4, "10.0.0.0/8") and not incidr(actor_ipv4, "172.16.0.0/12") and not incidr(actor_ipv4, "192.168.0.0/16") and not incidr(actor_ipv4, "127.0.0.0/8") and not incidr(actor_ipv4, "169.254.0.0/16") and not incidr(actor_ipv4, "100.64.0.0/10"), arraycreate(actor_ipv4)),
    xdm.source.ipv4 = actor_ipv4,
    xdm.source.ipv6 = actor_ipv6,
    xdm.source.user.identifier = actor -> id, // The ID of the actor that performed the action. If a user performed the action, this will be their User ID.
    xdm.source.user.user_type = if( // The type of actor, whether a User, Cloudflare Admin, or an Automated System. Allowed values: user, admin, Cloudflare
        actor_type in ("user", "admin"), XDM_CONST.USER_TYPE_REGULAR, 
        actor_type = "Cloudflare", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
    xdm.source.user.username = actor -> email, // The email of the user that performed the action.
    xdm.target.resource_before.value = resource_old_value, // The value of the resource before it was modified.
    xdm.target.resource.id = resource -> id, // An identifier for the resource that was affected by the action.
    xdm.target.resource.parent_id = owner -> id,
    xdm.target.resource.type = resource -> type, // A short string that describes the resource that was affected by the action.
    xdm.target.resource.value = resource_new_value; // The new value of the resource that was modified.

/* Access authentication logs modeling for a future release
   // Access authentication logs
   // https://developers.cloudflare.com/api/operations/access-authentication-logs-get-access-authentication-logs 
filter SOURCE_LOG_TYPE = "Access Authentication Logs" 
| alter 
    user_ipv4 = if(ip_address ~= "(?:\d{1,3}\.){3}\d{1,3}", ip_address),
    user_ipv6 = if(ip_address ~= "(?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4}", ip_address)
| alter 
    xdm.auth.auth_method = connection, // The IdP method used to authenticate.
    xdm.event.id = ray_id, // The unique identifier for the request to Cloudflare
    xdm.event.original_event_type = action, // The event that occurred, such as a login attempt.
    xdm.event.type = SOURCE_LOG_TYPE,
    xdm.event.outcome = if(to_boolean(allowed), XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED), // The result of the authentication event.
    xdm.source.host.ipv4_public_addresses = if(user_ipv4 != null and not incidr(user_ipv4, "10.0.0.0/8") and not incidr(user_ipv4, "172.16.0.0/12") and not incidr(user_ipv4, "192.168.0.0/16") and not incidr(user_ipv4, "127.0.0.0/8") and not incidr(user_ipv4, "169.254.0.0/16") and not incidr(user_ipv4, "100.64.0.0/10"), arraycreate(user_ipv4)),
    xdm.source.ipv4 = user_ipv4, // The IPv4 address of the authenticating user.
    xdm.source.ipv6 = user_ipv6, // The IPv6 address of the authenticating user.
    xdm.source.user.username = user_email, // The email address of the authenticating user.
    xdm.target.application.name = app_uid, // The unique identifier for the Access application.
    xdm.target.url = app_domain; // The URL of the Access application.
*/

Schema

cloudflare_zerotrust_raw

Field Type Array?
SOURCE_LOG_TYPE string
action string
actor string
allowed boolean
app_domain string
app_uid string
connection string
id string
interface string
ip_address string
metadata string
newValue string
newValueJson string
oldValue string
oldValueJson string
owner string
ray_id string
resource string
user_email string
Raw JSON
{
    "cloudflare_zerotrust_raw": {
        "SOURCE_LOG_TYPE": {
            "type": "string",
            "is_array": false
        },
        "action": {
            "type": "string",
            "is_array": false
        },
        "actor": {
            "type": "string",
            "is_array": false
        },
        "allowed": {
            "type": "boolean",
            "is_array": false
        },
        "app_domain": {
            "type": "string",
            "is_array": false
        },
        "app_uid": {
            "type": "string",
            "is_array": false
        },
        "connection": {
            "type": "string",
            "is_array": false
        },
        "id": {
            "type": "string",
            "is_array": false
        },
        "interface": {
            "type": "string",
            "is_array": false
        },
        "ip_address": {
            "type": "string",
            "is_array": false
        },
        "metadata": {
            "type": "string",
            "is_array": false
        },
        "newValue": {
            "type": "string",
            "is_array": false
        },
        "newValueJson": {
            "type": "string",
            "is_array": false
        },
        "oldValue": {
            "type": "string",
            "is_array": false
        },
        "oldValueJson": {
            "type": "string",
            "is_array": false
        },
        "owner": {
            "type": "string",
            "is_array": false
        },
        "ray_id": {
            "type": "string",
            "is_array": false
        },
        "resource": {
            "type": "string",
            "is_array": false
        },
        "user_email": {
            "type": "string",
            "is_array": false
        }
    }
}