2023-02-01 - Updates to security fields in Cloudflare Logs
Cloudflare will deploy some updates to security-related fields in Cloudflare Logs. These updates will affect the following datasets:
Timeline
To minimize possible impacts on our customers' existing Security Information and Event Management (SIEM) configurations, these updates will happen in two phases according to the following timeline:
Phase 1 (starting on February 1, 2023)
The log fields being added will become available from February 1, 2023 onwards.
For the log fields being renamed, Cloudflare will:
- Add new fields with the same data as the fields that will be removed in phase 2 (described in this document as old fields). Refer to the next sections for details.
- Announce the deprecation of the old fields. These fields will be removed from logs datasets on August 1, 2023, giving you a six-month period to adapt.
For the log fields being removed because they no longer apply, Cloudflare will announce their deprecation. These fields will also be removed from logs datasets on August 1, 2023.
In addition to these Cloudflare Logs changes, Cloudflare will also add new security-related fields to the following GraphQL datasets:
- httpRequestsAdaptive
- httpRequestsAdaptiveGroups
- firewallEventsAdaptive
- firewallEventsAdaptiveGroups
- firewallEventsAdaptiveByTimeGroups
Phase 2 (August 1, 2023)
For the log fields being renamed, Cloudflare will remove the old fields from the Cloudflare logs datasets. From August 1, 2023 onwards, only the new fields will be available.
For the log fields being removed because they no longer apply, Cloudflare will also remove them from the Cloudflare logs datasets. From August 1, 2023 onwards, these fields will no longer be available.
Concepts
The following concepts are used below in the reviewed field descriptions:
Terminating action: One of the following actions:
- block
- js_challenge
- managed_challenge
- challenge (Legacy CAPTCHA)
For more information on these actions, refer to the Actions reference in the Rules language documentation.
Security rule: One of the following rule types:
HTTP Requests dataset changes
The following fields will be renamed in the HTTP Requests dataset according to the two-phase strategy outlined in the timeline:
| New field name (starting Feb 1, 2023) | Type | Description | Old field name (removed on Aug 1, 2023) |
|---|---|---|---|
| SecurityRuleID | String | Rule ID of the security rule that triggered a terminating action, if any. | WAFRuleID |
| SecurityRuleDescription | String | Rule description of the security rule that triggered a terminating action, if any. | WAFRuleMessage |
| SecurityAction | String | Rule action of the security rule that triggered a terminating action, if any. | WAFAction |
| SecurityRuleIDs | String Array | Array of security rule IDs that matched the request. | FirewallMatchesRuleIDs |
| SecurityActions | String Array | Array of actions that Cloudflare security products performed on this request. | FirewallMatchesActions |
| SecuritySources | String Array | Array of Cloudflare security products that matched the request. | FirewallMatchesSources |
The following fields are now deprecated and they will be removed from the HTTP Requests dataset on August 1, 2023:
| Deprecated field name | Notes |
|---|---|
| WAFProfile | Used in the previous version of WAF managed rules (now deprecated). |
| EdgeRateLimitAction | Used in the previous version of rate limiting rules (now deprecated). |
| EdgeRateLimitID | Used in the previous version of rate limiting rules (now deprecated). |
| SecurityLevel | N/A |
Firewall Events dataset changes
The following fields will be added to the Firewall Events dataset:
| Field name | Type | Description |
|---|---|---|
| Description | String | Rule description for this event. |
| Ref | String | User-defined rule reference for this event. |
Changes to GraphQL datasets
Cloudflare will add the following fields to the httpRequestsAdaptive and httpRequestsAdaptiveGroups datasets:

| Field name | Type | Description |
|---|---|---|
| securityAction | String | Action of the security rule that triggered a terminating action, if any. |
| securitySource | String | Source of the security rule that triggered a terminating action, if any. |
Cloudflare will also add the following field to the firewallEventsAdaptive, firewallEventsAdaptiveGroups, and firewallEventsAdaptiveByTimeGroups datasets:

| Field name | Type | Description |
|---|---|---|
| description | String | Rule description for this event. |
These new fields will become gradually available.
For more information on the available datasets, refer to GraphQL datasets.
Update your SIEM systems
You may need to update external filters or reports in your SIEM systems to reflect the renamed, added, or removed log fields.
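
One way to keep SIEM content working across both phases is to normalize HTTP Requests records to the new field names before indexing. The following is an added example, not Cloudflare code: the function names `normalize` and `migration_report` are hypothetical, the sample records are constructed, and it assumes records arrive as one JSON object per line.

```python
import json
from collections import Counter

# Old -> new HTTP Requests field names, from the rename table on this page.
RENAMED = {
    "WAFRuleID": "SecurityRuleID",
    "WAFRuleMessage": "SecurityRuleDescription",
    "WAFAction": "SecurityAction",
    "FirewallMatchesRuleIDs": "SecurityRuleIDs",
    "FirewallMatchesActions": "SecurityActions",
    "FirewallMatchesSources": "SecuritySources",
}
# Deprecated fields with no replacement (removed on August 1, 2023).
REMOVED = {"WAFProfile", "EdgeRateLimitAction", "EdgeRateLimitID", "SecurityLevel"}


def normalize(record):
    """Return (record keyed by new field names only, list of migration notes)."""
    out = {k: v for k, v in record.items() if k not in RENAMED and k not in REMOVED}
    notes = [f"dropped {k}" for k in record if k in REMOVED]
    for old, new in RENAMED.items():
        if old in record and new not in record:
            out[new] = record[old]  # only the old name exists in this record
            notes.append(f"mapped {old} -> {new}")
        elif old in record and record[old] != record[new]:
            notes.append(f"conflict {old} != {new}, kept {new}")
    return out, notes


def migration_report(ndjson_text):
    """Count note kinds (dropped / mapped / conflict) over NDJSON records."""
    counts = Counter()
    for line in ndjson_text.splitlines():
        if line.strip():
            _, notes = normalize(json.loads(line))
            counts.update(n.split()[0] for n in notes)
    return counts


# Constructed sample records (not real Cloudflare output), one JSON object per line.
SAMPLE = """\
{"RayID": "r1", "WAFAction": "block", "WAFRuleID": "abc", "SecurityLevel": "med"}
{"RayID": "r2", "WAFAction": "block", "SecurityAction": "block"}
{"RayID": "r3", "WAFAction": "log", "SecurityAction": "block"}
"""

if __name__ == "__main__":
    print(dict(migration_report(SAMPLE)))
```

A non-zero `mapped` count means the feed still contains records that carry only old names; a `conflict` count should stay at zero, since the page states the new fields carry the same data as the old ones.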