Collect Cloudflare logs

Supported in:

Google secops SIEM

Overview

This parser handles various Cloudflare log types (DNS, HTTP, Audit, Zero Trust, CASB). It first normalizes common fields and then applies conditional logic based on specific fields like QueryName, Action, and IDto extract and map relevant data to the UDM. It also performs data type conversions, grok matching for IP addresses and hashes, and handles nested JSON payloads.

Before you begin

Ensure that you have the following prerequisites:

Google SecOps instance.
Privileged access to Google Cloud IAM.
Privileged access to Google Cloud Storage.
Privileged access to Cloudflare.

Create a Google Cloud Storage Bucket

Sign in to the Google Cloud console.
Go to the Cloud Storage Bucketspage.

Go to Buckets
Click Create.
On the Create a bucketpage, enter your bucket information. After each of the following steps, click Continueto proceed to the next step:
1. In the Get startedsection, do the following:
  1. Enter a unique name that meets the bucket name requirements (for example, cloudflare-data).
  2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file oriented and data-intensive workloadssection, and then select Enable Hierarchical namespace on this bucket.
  Note: You cannot enable hierarchical namespace in an existing bucket.
  1. To add a bucket label, click the expander arrow to expand the Labelssection.
  2. Click Add label, and specify a key and a value for your label.
2. In the Choose where to store your datasection, do the following:
  1. Select a Location type.
  2. Use the location type's drop-down to select a Locationwhere object data within your bucket will be permanently stored.
    1. If you select the dual-regionlocation type, you can also choose to enable turbo replicationby using the relevant checkbox.
  3. To set up cross-bucket replication, expand the Set up cross-bucket replicationsection.
3. In the Choose a storage class for your datasection, either select a default storage classfor the bucket, or select Autoclassfor automatic storage class management of your bucket's data.
4. In the Choose how to control access to objectssection, select notto enforce public access prevention, and select an access control modelfor your bucket's objects.
  
  Note: If public access prevention is already enforced by your project's organization policy, the Prevent public accesscheckbox is locked.
5. In the Choose how to protect object datasection, do the following:
  1. Select any of the options under Data protectionthat you want to set for your bucket.
  2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
Click Create.

Create a Google Cloud Service Account

Go to to IAM & Admin > Service Accounts.
Create a new service account.
Give it a descriptive name (For example, cloudflare-logs).
Grant the service account with Storage Object Creatorrole on the GCS bucket you created in the previous step.
Create a service account key for the service account.
Download a JSON key file for the service account. Keep this file secure.

Enable Cloudflare IAM to Google Cloud Storage

Go to Storage > Browser > Bucket > Permissions.
Add the member logpush@cloudflare-data.iam.gserviceaccount.com with Storage Object Adminpermission.

Set up feeds

To configure a feed, follow these steps:

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed namefield, enter a name for the feed (for example, Cloudflare Logs).
Select Google Cloud Storage V2as the Source type.
Select Cloudflareas the Log type.
Click Get Service Accountas the Chronicle Service Account.
Click Next.
Specify values for the following input parameters:
- Storage Bucket URI: Google Cloud storage bucket URL in gs://my-bucket/<value> format.
- Source deletion options: select deletion option according to your preference.
Note: If you select the Delete transferred files or Delete transferred files and empty directories option, make sure that you granted appropriate permissions to the service account. * Maximum File Age: Includes files modified in the last number of days. Default is 180 days.
Click Next.
Review your new feed configuration in the Finalizescreen, and then click Submit.

Configure Cloudflare to send logs to Google Cloud Storage

Sign in to the Cloudflare dashboard.
Select the Enterprise account or domain(also known as zone) you want to use with Logpush.
Go to Analytics & Logs > Logpush.
Select Create a Logpushjob.
In Select a destination, select Google Cloud Storage.
Enter or select the following destination details:
- Bucket: GCS bucket name
- Path: bucket location within the storage container
- Checkbox: Organize logs into daily subfolders (recommended)
Note: Make sure your buckethas Cloudflare's IAMas a user with a Storage Object Adminrole.
Click Continue.
Ownership verification:
1. Cloudflare will send a fileto your bucket.
2. Copy and paste the token:
  1. Sign in to Google Cloud console > Storage > Cloudflare bucket .
  2. Open the ownership challenge file.
  3. Copy the Ownership Token.
  4. Enter the ownership token in the Cloudflare console.
  5. Select Continue.
3. Select the datasetto push to the bucket.
Configure logpush job:
1. Enter the Job name.
2. Under If logs match, you can select the events to include and/or remove from your logs.
Note: Not all datasets have this option available.
1. Send the following fields: Select to push all logsor selectively choose which logs you want to push.
Select Submitto finalize the configuration.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`AccountID`	`target.resource.id` , `target.resource.product_object_id`	The account ID associated with the event.
`Action`	`security_result.action`	Action taken based on the event. `allow` or `allowed*` results in `ALLOW` . `unknown` results in `UNKNOWN_ACTION` . Other values result in `BLOCK` . For Access logs, `login` maps to `USER_LOGIN` , `logout` to `USER_LOGOUT` , and other values to `USER_RESOURCE_ACCESS` if an email is present.
`ActionResult`	`security_result.action`	If `true` , maps to `ALLOW` . If `false` , maps to `BLOCK` . Otherwise, maps to `UNKNOWN_ACTION` .
`ActionType`	`security_result.description`	Description of the action performed.
`ActorEmail`	`principal.user.email_addresses`	Email address of the actor initiating the event.
`ActorID`	`principal.user.product_object_id`	ID of the actor initiating the event.
`ActorIP`	`principal.ip` , `principal.asset.ip`	IP address of the actor initiating the event.
`Allowed`	`security_result.action`	If `true` , maps to `ALLOW` . Otherwise, maps to `BLOCK` .
`AppDomain`	`target.administrative_domain`	Domain of the application involved in the event.
`AppUUID`	`target.resource.product_object_id`	UUID of the application involved in the event.
`AssetDisplayName`	`principal.asset.attribute.labels.value` where key is `AssetDisplayName`	Display name of the asset.
`AssetExternalID`	`principal.asset_id` (prefixed with "Cloudflare:")	External ID of the asset.
`AssetLink`	`principal.url`	Link associated with the asset.
`AssetMetadata.agreedToTerms`	`principal.user.attribute.labels.value` where key is `agreedToTerms`	Whether the user agreed to terms.
`AssetMetadata.changePasswordAtNextLogin`	`principal.user.attribute.labels.value` where key is `changePasswordAtNextLogin`	Whether the user needs to change password at next login.
`AssetMetadata.clientId`	`principal.user.userid`	Client ID from asset metadata.
`AssetMetadata.customerId`	`principal.user.userid`	Customer ID from asset metadata.
`AssetMetadata.familyName`	`principal.user.last_name`	Family name of the user from asset metadata.
`AssetMetadata.givenName`	`principal.user.first_name`	Given name of the user from asset metadata.
`AssetMetadata.includeInGlobalAddressList`	`principal.user.attribute.labels.value` where key is `includeInGlobalAddressList`	Whether the user is included in the global address list.
`AssetMetadata.ipWhitelisted`	`principal.user.attribute.labels.value` where key is `ipWhitelisted`	Whether the user is IP whitelisted.
`AssetMetadata.isAdmin`	`principal.user.attribute.labels.value` where key is `isAdmin`	Whether the user is an admin.
`AssetMetadata.isDelegatedAdmin`	`principal.user.attribute.labels.value` where key is `isDelegatedAdmin`	Whether the user is a delegated admin.
`AssetMetadata.isEnforcedIn2Sv`	`principal.user.attribute.labels.value` where key is `isEnforcedIn2Sv`	Whether 2SV is enforced for the user.
`AssetMetadata.isEnrolledIn2Sv`	`principal.user.attribute.labels.value` where key is `isEnrolledIn2Sv`	Whether the user is enrolled in 2SV.
`AssetMetadata.kind`	(Not mapped)	Not mapped to the IDM object.
`AssetMetadata.lastLoginTime`	`principal.user.attribute.labels.value` where key is `lastLoginTime`	Last login time of the user.
`AssetMetadata.login`	`principal.user.userid`	Login name from asset metadata.
`AssetMetadata.name.familyName`	`principal.user.last_name`	Family name from asset metadata.
`AssetMetadata.name.fullName`	`principal.user.user_display_name`	Full name from asset metadata.
`AssetMetadata.name.givenName`	`principal.user.first_name`	Given name from asset metadata.
`AssetMetadata.nativeApp`	`security_result.detection_fields.value` where key is `nativeApp`	Whether the app is native.
`AssetMetadata.owner.id`	`principal.user.userid`	Owner ID from asset metadata.
`AssetMetadata.primaryEmail`	`principal.user.email_addresses`	Primary email from asset metadata.
`AssetMetadata.scopes`	(Not mapped)	Not mapped to the IDM object.
`AssetMetadata.site_admin`	`principal.user.attribute.labels.value` where key is `site_admin`	Whether the user is a site admin.
`AssetMetadata.suspended`	`principal.user.attribute.labels.value` where key is `suspended`	Whether the user is suspended.
`AssetMetadata.url`	`principal.url`	URL from asset metadata.
`AssetMetadata.userKey`	`principal.user.attribute.labels.value` where key is `userKey`	User key from asset metadata.
`BlockedFileHash`	`target.file.md5` , `target.file.sha1` , `target.file.sha256`	Hashes of the blocked file. Parsed using grok to extract md5, sha1, or sha256.
`BlockedFileName`	`security_result.about.file.full_path`	Name of the blocked file.
`BlockedFileReason`	`security_result.summary`	Reason for blocking the file.
`BlockedFileSize`	`target.file.size`	Size of the blocked file.
`BotScore`	`security_result.detection_fields.value` where key is `BotScore`	Bot score assigned to the request.
`BytesReceived`	`network.received_bytes`	Number of bytes received.
`BytesSent`	`network.sent_bytes`	Number of bytes sent.
`CacheCacheStatus`	`additional.fields.value.string_value` where key is `CacheCacheStatus`	Status of the cache.
`CacheResponseBytes`	`additional.fields.value.string_value` where key is `CacheResponseBytes`	Number of bytes in the cached response.
`CacheResponseStatus`	`additional.fields.value.string_value` where key is `CacheResponseStatus`	Status code of the cached response.
`ClientASN`	(Not mapped)	Not mapped to the IDM object.
`ClientCountry`	`principal.location.country_or_region`	Client's country.
`ClientDeviceType`	`additional.fields.value.string_value` where key is `ClientDeviceType`	Type of the client device.
`ClientIP`	`principal.ip` , `principal.asset.ip`	Client's IP address.
`ClientRequestMethod`	`network.http.method`	HTTP request method used by the client.
`ClientRequestHost`	`target.hostname` , `target.asset.hostname`	Hostname requested by the client.
`ClientRequestPath`	(Not mapped)	Not mapped to the IDM object.
`ClientRequestProtocol`	`network.application_protocol`	Protocol used in the client request (e.g., HTTP, HTTPS). The protocol version is removed.
`ClientRequestReferer`	`network.http.referral_url`	Referrer URL of the client request.
`ClientRequestURI`	`target.url` (combined with `ClientRequestHost` if present)	URI requested by the client.
`ClientRequestUserAgent`	`network.http.user_agent`	User agent of the client request. Also parsed and mapped to `network.http.parsed_user_agent` .
`ClientSSLCipher`	`network.tls.cipher`	SSL cipher used by the client.
`ClientSSLProtocol`	`network.tls.version`	SSL protocol used by the client.
`ClientSrcPort`	`principal.port`	Client's source port.
`ClientTCPHandshakeDurationMs`	`additional.fields.value.string_value` where key is `ClientTCPHandshakeDurationMs`	Duration of the client TCP handshake.
`ClientTLSHandshakeDurationMs`	`additional.fields.value.string_value` where key is `ClientTLSHandshakeDurationMs`	Duration of the client TLS handshake.
`ClientTLSVersion`	`network.tls.version`	TLS version used by the client.
`ColoID`	(Not mapped)	Not mapped to the IDM object.
`Connection`	`target.resource.attribute.labels.value` where key is `Connection`	Connection type (e.g., saml).
`ConnectionCloseReason`	`additional.fields.value.string_value` where key is `ConnectionCloseReason`	Reason for connection closure.
`ConnectionReuse`	`additional.fields.value.string_value` where key is `ConnectionReuse`	Whether connection reuse occurred.
`Country`	`target.location.country_or_region`	Country associated with the event.
`CreatedAt`	`metadata.event_timestamp`	Timestamp of event creation.
`Datetime`	`metadata.event_timestamp`	Date and time of the event.
`DestinationIP`	`target.ip` , `target.asset.ip`	Destination IP address.
`DestinationPort`	`target.port`	Destination port.
`DestinationTunnelID`	`additional.fields.value.string_value` where key is `DestinationTunnelID`	ID of the destination tunnel.
`DeviceID`	`principal.asset_id` (prefixed with "Cloudflare:")	ID of the device.
`DeviceName`	`principal.hostname` , `principal.asset.hostname` , `principal.asset.attribute.labels.value` where key is `DeviceName`	Name of the device.
`DownloadedFileNames`	`security_result.about.labels.value` where key is `DownloadFileNames`	Names of downloaded files.
`DstIP`	`target.ip` , `target.asset.ip`	Destination IP address.
`DstPort`	`target.port`	Destination port.
`EdgeColoCode`	`additional.fields.value.string_value` where key is `EdgeColoCode`	Cloudflare edge location code.
`EdgeColoID`	`additional.fields.value.string_value` where key is `EdgeColoID`	Cloudflare edge location ID.
`EdgeEndTimestamp`	(Not mapped)	Not mapped to the IDM object.
`EdgeResponseBytes`	`network.received_bytes`	Number of bytes in the response from the edge.
`EdgeResponseContentType`	`target.file.mime_type`	Content type of the edge response.
`EdgeResponseStatus`	`network.http.response_code`	Status code of the edge response.
`EdgeServerIP`	`target.ip` , `target.asset.ip`	IP address of the edge server.
`EdgeStartTimestamp`	`metadata.event_timestamp`	Timestamp of the start of the request at the edge.
`Email`	`principal.user.email_addresses` , `target.user.email_addresses`	Email address associated with the event.
`EgressColoName`	`additional.fields.value.string_value` where key is `EgressColoName`	Name of the egress colo.
`EgressIP`	`principal.ip` , `principal.asset.ip`	Egress IP address. Sets `network.direction` to `OUTBOUND` .
`EgressPort`	`principal.port`	Egress port.
`EgressRuleID`	`additional.fields.value.string_value` where key is `EgressRuleID`	ID of the egress rule.
`EgressRuleName`	`additional.fields.value.string_value` where key is `EgressRuleName`	Name of the egress rule.
`FindingTypeDisplayName`	`security_result.description`	Display name of the finding type.
`FindingTypeID`	`security_result.rule_id`	ID of the finding type.
`FindingTypeSeverity`	`security_result.severity`	Severity of the finding type.
`FirewallMatchesActions`	`security_result.action`	Actions taken by firewall rules. `allow` , `Allow` , `ALLOW` , `skip` , `SKIP` , `Skip` map to `ALLOW` . `challengeSolved` and `jschallengeSolved` map to `ALLOW_WITH_MODIFICATION` . `drop` and `block` map to `BLOCK` . Other values map to `UNKNOWN_ACTION` .
`FirewallMatchesRuleIDs`	`security_result.rule_id` (for the first ID), subsequent IDs create new `security_result` objects.	IDs of the firewall rules that matched.
`FirewallMatchesSources`	`security_result.rule_name`	Sources of the firewall rules that matched.
`HTTPHost`	`target.hostname`	HTTP host.
`HTTPMethod`	`network.http.method`	HTTP method.
`HTTPVersion`	`network.application_protocol`	If the value contains "HTTP", sets `network.application_protocol` to `HTTP` .
`ID`	`metadata.product_log_id`	ID of the event.
`IngressColoName`	`additional.fields.value.string_value` where key is `IngressColoName`	Name of the ingress colo.
`InstanceID`	`principal.resource.product_object_id`	ID of the instance.
`IntegrationDisplayName`	`additional.fields.value.string_value` where key is `IntegrationDisplayName`	Display name of the integration.
`IntegrationID`	`metadata.product_deployment_id`	ID of the integration.
`IntegrationPolicyVendor`	`additional.fields.value.string_value` where key is `IntegrationPolicyVendor`	Vendor of the integration policy.
`IPAddress`	`target.ip` , `target.asset.ip`	IP address associated with the event.
`IsIsolated`	`about.labels.value` where key is `IsIsolated` , `security_result.about.resource.attribute.labels.value` where key is `IsIsolated`	Whether the event is isolated.
`Location`	`principal.location.name`	Location associated with the event.
`NewValue`	`security_result.about.labels.value` where key is `NewValue`	New value after an update.
`Offramp`	`additional.fields.value.string_value` where key is `Offramp`	Offramp used in the connection.
`OldValue`	`security_result.about.labels.value` where key is `OldValue`	Old value before an update.
`OriginIP`	`intermediary.ip` , `target.ip` , `target.asset.ip`	Origin IP address.
`OriginPort`	`target.port`	Origin port.
`OriginResponseBytes`	`additional.fields.value.string_value` where key is `OriginResponseBytes`	Number of bytes in the origin response.
`OriginResponseStatus`	`additional.fields.value.string_value` where key is `OriginResponseStatus`	Status code of the origin response.
`OriginResponseTime`	`additional.fields.value.string_value` where key is `OriginResponseTime`	Response time of the origin.
`OriginSSLProtocol`	(Not mapped)	Not mapped to the IDM object.
`OriginTLSCertificateIssuer`	`additional.fields.value.string_value` where key is `OriginTLSCertificateIssuer`	Issuer of the origin TLS certificate.
`OriginTLSCertificateValidationResult`	`additional.fields.value.string_value` where key is `OriginTLSCertificateValidationResult`	Result of the origin TLS certificate validation.
`OriginTLSCipher`	`additional.fields.value.string_value` where key is `OriginTLSCipher`	Cipher used in the origin TLS connection.
`OriginTLSHandshakeDurationMs`	`additional.fields.value.string_value` where key is `OriginTLSHandshakeDurationMs`	Duration of the origin TLS handshake.
`OriginTLSVersion`	`additional.fields.value.string_value` where key is `OriginTLSVersion`	TLS version used by the origin.
`OwnerID`	`target.user.product_object_id`	ID of the owner.
`Policy`	`security_result.rule_name`	Policy associated with the event.
`PolicyID`	`security_result.rule_id`	ID of the policy.
`PolicyName`	`security_result.rule_name`	Name of the policy.
`Protocol`	`network.application_protocol` , `network.ip_protocol`	Protocol used in the connection. If not "tls" or "TLS", converted to uppercase and mapped to `network.application_protocol` . Otherwise, parsed using an include file and mapped to `network.ip_protocol` .
`PurposeJustificationPrompt`	(Not mapped)	Not mapped to the IDM object.
`PurposeJustificationResponse`	(Not mapped)	Not mapped to the IDM object.
`QueryCategoryIDs`	`security_result.about.labels.value` , `security_result.about.resource.attribute.labels.value` where key is `QueryCategoryIDs`	IDs of query categories.
`QueryName`	`network.dns.questions.name`	Name of the DNS query. Sets `metadata.event_type` to `NETWORK_DNS` and `network.application_protocol` to `DNS` .
`QueryNameReversed`	`network.dns.questions.name`	Reversed name of the DNS query.
`QuerySize`	`network.sent_bytes`	Size of the query.
`QueryType`	`network.dns.questions.type`	Type of the DNS query. Mapped to numeric values based on DNS query type codes.
`RData`	`network.dns.answers.type` , `network.dns.answers.data`	DNS record data. Each element in the `RData` array creates a new `answer` object.
`RayID`	`metadata.product_log_id`	Ray ID associated with the request.
`Referer`	`network.http.referral_url`	Referrer URL.
`RequestID`	`metadata.product_log_id`	ID of the request.
`ResolverDecision`	`security_result.summary`	Decision made by the resolver.
`ResourceID`	`target.resource.id` , `target.resource.product_object_id`	ID of the resource.
`ResourceType`	`target.resource.resource_subtype`	Type of the resource.
`RuleEvaluationDurationMs`	`additional.fields.value.string_value` where key is `RuleEvaluationDurationMs`	Duration of rule evaluation.
`SNI`	`network.tls.client.server_name`	Server Name Indication (SNI) in TLS client hello.
`SecurityAction`	`security_result.action`	Security action taken. Empty value or no `SecurityAction` maps to `ALLOW` . `challengeSolved` or `jschallengeSolved` maps to `ALLOW_WITH_MODIFICATION` . `drop` or `block` maps to `BLOCK` .
`SecurityLevel`	`security_result.severity`	Security level. `high` maps to `HIGH` , `med` to `MEDIUM` , `low` to `LOW` .
`SessionEndTime`	`additional.fields.value.string_value` where key is `SessionEndTime`	End time of the session.
`SessionID`	`network.session_id`	ID of the session.
`SessionStartTime`	`metadata.event_timestamp`	Start time of the session.
`SourceIP`	`principal.ip` , `principal.asset.ip` , `src.ip` , `src.asset.ip`	Source IP address.
`SourcePort`	`principal.port` , `src.port`	Source port.
`SrcIP`	`principal.ip` , `principal.asset.ip`	Source IP address.
`SrcPort`	`principal.port`	Source port.
`TemporaryAccessDuration`	`network.session_duration.seconds`	Duration of temporary access.
`Timestamp`	`metadata.event_timestamp`	Timestamp of the event.
`Transport`	`network.ip_protocol`	Transport protocol. Converted to uppercase and parsed using an include file.
`UploadedFileNames`	`security_result.about.labels.value` where key is `UploadedFileNames`	Names of uploaded files.
`URL`	`target.url`	URL involved in the event.
`UserAgent`	`network.http.user_agent`	User agent string. Also parsed and mapped to `network.http.parsed_user_agent` .
`UserID`	`principal.user.product_object_id` , `event.idm.read_only_udm.target.user.product_object_id`	ID of the user.
`UserUID`	`target.user.product_object_id`	UID of the user.
`VirtualNetworkID`	`principal.resource.product_object_id`	ID of the virtual network.
`WAFAction`	`security_result.about.labels.value` where key is `WAFAction`	Action taken by the Web Application Firewall (WAF).
`WAFAttackScore`	`security_result.about.resource.attribute.labels.value` where key is `WAFAttackScore`	Attack score assigned by the WAF.
`WAFFlags`	`security_result.about.resource.attribute.labels.value` where key is `WAFFlags`	WAF flags.
`WAFMatchedVar`	(Not mapped)	Not mapped to the IDM object.
`WAFProfile`	`security_result.about.labels.value` where key is `WAFProfile`	WAF profile.
`WAFRCEAttackScore`	`security_result.about.resource.attribute.labels.value` where key is `WAFRCEAttackScore`	WAF Remote Code Execution (RCE) attack score.
`WAFRuleID`	`security_result.threat_id` , `security_result.about.labels.value` where key is `WAFRuleID`	ID of the WAF rule.
`WAFRuleMessage`	`security_result.rule_name` , `security_result.threat_name`	Message associated with the WAF rule.
`WAFSQLiAttackScore`	`security_result.about.resource.attribute.labels.value` where key is `WAFSQLiAttackScore`	WAF SQL Injection attack score.
`WAFXSSAttackScore`	`security_result.about.resource.attribute.labels.value` where key is `WAFXSSAttackScore`	WAF Cross-Site Scripting (XSS) attack score.
`ZoneID`	`additional.fields.value.string_value` where key is `ZoneID`	Zone ID.
`event.idm.read_only_udm.metadata.event_type`	`metadata.event_type`	Type of the event. Set by the parser based on the log data. Defaults to `GENERIC_EVENT` if not set or if a `NETWORK_DNS` event has no principal or target. Can be `NETWORK_DNS` , `NETWORK_CONNECTION` , `USER_LOGIN` , `USER_LOGOUT` , `USER_RESOURCE_ACCESS` , `USER_RESOURCE_UPDATE_CONTENT` , or `GENERIC_EVENT` .
`event.idm.read_only_udm.metadata.log_type`	`metadata.log_type`	Log type, set to "CLOUDFLARE".
`event.idm.read_only_udm.metadata.product_deployment_id`	`metadata.product_deployment_id`	Product deployment ID.
`event.idm.read_only_udm.metadata.product_log_id`	`metadata.product_log_id`	Product log ID.
`event.idm.read_only_udm.metadata.product_name`	`metadata.product_name`	Product name. Set by the parser based on the log data. Can be "Cloudflare Gateway DNS", "Cloudflare Gateway HTTP", "Cloudflare Audit", "Web Application Firewall".
`event.idm.read_only_udm.metadata.vendor_name`	`metadata.vendor_name`	Vendor name, set to "Cloudflare".
`event.idm.read_only_udm.metadata.event_timestamp`	`metadata.event_timestamp`	Timestamp of the event.
`event.idm.read_only_udm.network.application_protocol`	`network.application_protocol`	Application protocol used in the network connection.
`event.idm.read_only_udm.network.direction`	`network.direction`	Direction of the network connection. Set to `OUTBOUND` when `EgressIP` and `SourceIP` are present.
`event.idm.read_only_udm.network.dns.answers`	`network.dns.answers`	DNS answers.
`event.idm.read_only_udm.network.dns.questions`	`network.dns.questions`	DNS questions.
`event.idm.read_only_udm.network.http.method`	`network.http.method`	HTTP method.
`event.idm.read_only_udm.network.http.parsed_user_agent`	`network.http.parsed_user_agent`	Parsed user agent.
`event.idm.read_only_udm.network.http.referral_url`	`network.http.referral_url`	HTTP referral URL.
`event.idm.read_only_udm.network.http.response_code`	`network.http.response_code`	HTTP response code.
`event.idm.read_only_udm.network.http.user_agent`	`network.http.user_agent`	HTTP user agent.
`event.idm.read_only_udm.network.ip_protocol`	`network.ip_protocol`	IP protocol.
`event.idm.read_only_udm.network.received_bytes`	`network.received_bytes`	Number of bytes received.
`event.idm.read_only_udm.network.sent_bytes`	`network.sent_bytes`	Number of bytes sent.
`event.idm.read_only_udm.network.session_duration.seconds`	`network.session_duration.seconds`	Duration of the network session in seconds.
`event.idm.read_only_udm.network.session_id`	`network.session_id`	Network session ID.
`event.idm.read_only_udm.network.tls.cipher`	`network.tls.cipher`	TLS cipher suite.
`event.idm.read_only_udm.network.tls.client.server_name`	`network.tls.client.server_name`	TLS client server name.
`event.idm.read_only_udm.network.tls.version`	`network.tls.version`	TLS version.
`event.idm.read_only_udm.principal.asset.attribute.labels`	`principal.asset.attribute.labels`	Labels associated with the principal asset.
`event.idm.read_only_udm.principal.asset.hostname`	`principal.asset.hostname`	Hostname of the principal asset.
`event.idm.read_only_udm.principal.asset.ip`	`principal.asset.ip`	IP address of the principal asset.
`event.idm.read_only_udm.principal.asset_id`	`principal.asset_id`	ID of the principal asset.
`event.idm.read_only_udm.principal.hostname`	`principal.hostname`	Hostname of the principal.
`event.idm.read_only_udm.principal.ip`	`principal.ip`	IP address of the principal.
`event.idm.read_only_udm.principal.location.country_or_region`	`principal.location.country_or_region`	Country or region of the principal's location.
`event.idm.read_only_udm.principal.location.name`	`principal.location.name`	Name of the principal's location.
`event.idm.read_only_udm.principal.port`	`principal.port`	Port used by the principal.
`event.idm.read_only_udm.principal.resource.product_object_id`	`principal.resource.product_object_id`	Product object ID of the principal's resource.
`event.idm.read_only_udm.principal.url`	`principal.url`	URL associated with the principal.
`event.idm.read_only_udm.principal.user.attribute.labels`	`principal.user.attribute.labels`	Labels associated with the principal user.
`event.idm.read_only_udm.principal.user.email_addresses`	`principal.user.email_addresses`	Email addresses of the principal user.
`event.idm.read_only_udm.principal.user.first_name`	`principal.user.first_name`	First name of the principal user.
`event.idm.read_only_udm.principal.user.last_name`	`principal.user.last_name`	Last name of the principal user.
`event.idm.read_only_udm.principal.user.product_object_id`	`principal.user.product_object_id`	Product object ID of the principal user.
`event.idm.read_only_udm.principal.user.userid`	`principal.user.userid`	User ID of the principal user.
`event.idm.read_only_udm.principal.user.user_display_name`	`principal.user.user_display_name`	Display name of the principal user.
`event.idm.read_only_udm.src.asset.ip`	`src.asset.ip`	IP address of the source asset.
`event.idm.read_only_udm.src.ip`	`src.ip`	IP address of the source.
`event.idm.read_only_udm.src.port`	`src.port`	Port of the source.
`event.idm.read_only_udm.target.administrative_domain`	`target.administrative_domain`	Administrative domain of the target.
`event.idm.read_only_udm.target.asset.hostname`	`target.asset.hostname`	Hostname of the target asset.
`event.idm.read_only_udm.target.asset.ip`	`target.asset.ip`	IP address of the target asset.
`event.idm.read_only_udm.target.file.mime_type`	`target.file.mime_type`	MIME type of the target file.
`event.idm.read_only_udm.target.file.md5`	`target.file.md5`	MD5 hash of the target file.
`event.idm.read_only_udm.target.file.sha1`	`target.file.sha1`	SHA1 hash of the target file.
`event.idm.read_only_udm.target.file.sha256`	`target.file.sha256`	SHA256 hash of the target file.
`event.idm.read_only_udm.target.file.size`	`target.file.size`	Size of the target file.
`event.idm.read_only_udm.target.hostname`	`target.hostname`	Hostname of the target.
`event.idm.read_only_udm.target.ip`	`target.ip`	IP address of the target.
`event.idm.read_only_udm.target.location.country_or_region`	`target.location.country_or_region`	Country or region of the target's location.
`event.idm.read_only_udm.target.port`	`target.port`	Port of the target.
`event.idm.read_only_udm.target.resource.attribute.labels`	`target.resource.attribute.labels`	Labels associated with the target resource.
`event.idm.read_only_udm.target.resource.id`	`target.resource.id`	ID of the target resource.
`event.idm.read_only_udm.target.resource.product_object_id`	`target.resource.product_object_id`	Product object ID of the target resource.
`event.idm.read_only_udm.target.resource.resource_subtype`	`target.resource.resource_subtype`	Resource subtype of the target resource.
`event.idm.read_only_udm.target.url`	`target.url`	URL of the target.
`event.idm.read_only_udm.target.user.email_addresses`	`target.user.email_addresses`	Email addresses of the target user.
`event.idm.read_only_udm.target.user.product_object_id`	`target.user.product_object_id`	Product object ID of the target user.
`event.idm.read_only_udm.security_result.about.file.full_path`	`security_result.about.file.full_path`	Full path of the file involved in the security result.
`event.idm.read_only_udm.security_result.about.labels`	`security_result.about.labels`	Labels associated with the security result.
`event.idm.read_only_udm.security_result.about.resource.attribute.labels`	`security_result.about.resource.attribute.labels`	Labels associated with the resource in the security result.
`event.idm.read_only_udm.security_result.action`	`security_result.action`	Action taken in the security result.
`event.idm.read_only_udm.security_result.detection_fields`	`security_result.detection_fields`	Detection fields in the security result.
`event.idm.read_only_udm.security_result.description`	`security_result.description`	Description of the security result.
`event.idm.read_only_udm.security_result.rule_id`	`security_result.rule_id`	Rule ID of the security result.
`event.idm.read_only_udm.security_result.rule_name`	`security_result.rule_name`	Rule name of the security result.
`event.idm.read_only_udm.security_result.severity`	`security_result.severity`	Severity of the security result.
`event.idm.read_only_udm.security_result.summary`	`security_result.summary`	Summary of the security result.
`event.idm.read_only_udm.security_result.threat_id`	`security_result.threat_id`	Threat ID of the security result.
`event.idm.read_only_udm.security_result.threat_name`	`security_result.threat_name`	Threat name of the security result.
`event.idm.read_only_udm.extensions.auth.type`	`extensions.auth.type`	Authentication type. Set to `MACHINE` for login and logout events.
`event.idm.read_only_udm.about`	`about`	About information.
`event.idm.read_only_udm.additional.fields`	`additional.fields`	Additional fields.
`event.idm.read_only_udm.intermediary`	`intermediary`	Intermediary information.

Need more help? Get answers from Community members and Google SecOps professionals.