[Cloudflare Logpush] Add support for new fields and Page Shield data stream #9809

@chemamartinez

Cloudflare has updated most of its event datasets with new fields that the integration doesn't support. Here is a table with the fields that are missing so far.

| Data stream | Fields | Type |
| --- | --- | --- |
| dns_firewall | ResponseReason | string |
| firewall | ContentScanObjResults | array[string] |
| | ContentScanObjSizes | array[int] |
| | ContentScanObjTypes | array[string] |
| | LeakedCredentialCheckResult | string |
| | MatchIndex | int |
| | Ref | string |
| gateway_dns | AccountID | string |
| | ApplicationName | string |
| | AuthoritativeNameServerIPs | array[string] |
| | CNAMECategoryIDs | array[int] |
| | CNAMECategoryNames | array[string] |
| | CNAMEs | array[string] |
| | CNAMEsReversed | array[string] |
| | CustomResolveDurationMs | int |
| | CustomResolverAddress | string |
| | CustomResolverPolicyID (deprecated) | string |
| | CustomResolverPolicyName (deprecated) | string |
| | CustomResolverResponse | string |
| | DoHSubdomain | string |
| | DoTSubdomain | string |
| | EDEErrors | array[int] |
| | InitialCategoryIDs | array[int] |
| | InitialCategoryNames | array[string] |
| | IsResponseCached | bool |
| | MatchedIndicatorFeedIDs | array[int] |
| | MatchedIndicatorFeedNames | array[string] |
| | PolicyName | string |
| | QueryID | string |
| | QueryIndicatorFeedIDs | array[int] |
| | QueryIndicatorFeedNames | array[string] |
| | ResolvedIPCategoryIDs | array[int] |
| | ResolvedIPCategoryNames | array[string] |
| | ResolvedIPContinentCodes | array[string] |
| | ResolvedIPCountryCodes | array[string] |
| | ResourceRecords | array[object] |
| | ResourceRecordsJSON | string |
| | SrcIPContinentCode | string |
| | SrcIPCountryCode | string |
| gateway_http | ApplicationIDs | array[int] |
| | ApplicationNames | array[string] |
| | CategoryIDs | array[int] |
| | CategoryNames | array[string] |
| | DestinationIPContinentCode | string |
| | DestinationIPCountryCode | string |
| | DownloadMatchedDlpProfileEntries * | array[string] |
| | DownloadMatchedDlpProfiles * | array[string] |
| | ForensicCopyStatus * | string |
| | PrivateAppAUD * | string |
| | ProxyEndpoint | string |
| | Quarantined * | bool |
| | SessionID | string |
| | SourceIPContinentCode | string |
| | SourceIPCountryCode | string |
| | UploadMatchedDlpProfileEntries * | array[string] |
| | UploadMatchedDlpProfiles * | array[string] |
| | VirtualNetworkID | string |
| | VirtualNetworkName | string |
| gateway_network | ApplicationIDs | array[int] |
| | ApplicationNames | array[string] |
| | CategoryIDs | array[int] |
| | CategoryNames | array[string] |
| | DestinationIPContinentCode | string |
| | DestinationIPCountryCode | string |
| | DetectedProtocol | string |
| | ProxyEndpoint | string |
| | SourceIPContinentCode | string |
| | SourceIPCountryCode | string |
| | TransportProtocol | string |
| | VirtualNetworkID | string |
| | VirtualNetworkName | string |
| http_request | BotDetectionTags | array[string] |
| | CacheReserveUsed | bool |
| | ClientCity | string |
| | ClientLatitude | string |
| | ClientLongitude | string |
| | ClientRegionCode | string |
| | ContentScanObjResults | array[string] |
| | ContentScanObjSizes | array[int] |
| | ContentScanObjTypes | array[string] |
| | LeakedCredentialCheckResult | string |
| network_analytics | AttackVector | string |
| | ColoCity | string |
| | ColoCode | string |
| | DestinationASNName | string |
| | IPTTL | int |
| | IPTTLBuckets | int |
| | IPv4DSCP | int |
| | IPv4ECN | int |
| | IPv6DSCP | int |
| | IPv6ECN | int |
| | RuleName | string |
| | SourceASNName | string |
| | TCPMSS | int |
| | TCPSACKBlocks | string |
| | TCPSACKPermitted | int |
| | TCPTimestampECR | int |
| network_session | DetectedProtocol | string |
| workers_trace | Entrypoint | string |
| | ScriptVersion | object |

Reference: https://developers.cloudflare.com/logs/reference/log-fields/

New datasets have also been added:

| Data stream | Fields | Type |
| --- | --- | --- |
| page_shield_events | Action | string |
| | CSPDirective | string |
| | Host | string |
| | PageURL | string |
| | PolicyID | string |
| | ResourceType | string |
| | Timestamp | int or string |
| | URL | string |
| | URLContainsCDNCGIPath (deprecated) | bool |
| | URLHost | string |
| dlp_forensic_copies | AccountID | string |
| | Datetime | int or string |
| | ForensicCopyID | string |
| | GatewayRequestID | string |
| | Headers | object |
| | Payload | string |
| | Phase | string |
| | TriggeredRuleID | string |
| email_security_alerts | AlertID | string |
| | AlertReasons | array[string] |
| | Attachments | array[object] |
| | CC | array[string] |
| | CCName | array[string] |
| | FinalDisposition | string |
| | From | string |
| | FromName | string |
| | Links | array[string] |
| | MessageDeliveryMode | string |
| | MessageID | string |
| | Origin | string |
| | OriginalSender | string |
| | ReplyTo | string |
| | ReplyToName | string |
| | SMTPEnvelopeFrom | string |
| | SMTPEnvelopeTo | array[string] |
| | SMTPHeloServerIP | string |
| | SMTPHeloServerIPAsName | string |
| | SMTPHeloServerIPAsNumber | string |
| | SMTPHeloServerIPGeo | string |
| | SMTPHeloServerName | string |
| | Subject | string |
| | ThreatCategories | array[string] |
| | Timestamp | int or string |
| | To | array[string] |
| | ToName | array[string] |
