
Introduction

Tags beginning with auth.rsa identify events generated by RSA SecurID. Tags beginning with cdn.cloudflare identify events generated by Cloudflare.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as auth.rsa or cdn.cloudflare. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

| Technology | Brand | ... | Subtype |
|---|---|---|---|
| auth | rsa | secureid | system, runtime, admin, trace |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| auth.rsa.secureid.system | auth.rsa.secureid.system |
| auth.rsa.secureid.runtime | auth.rsa.secureid.runtime |
| auth.rsa.secureid.admin | auth.rsa.secureid.admin |
| auth.rsa.secureid.trace | auth.rsa.secureid.trace |

| Product / Service | Tags | Data tables |
|---|---|---|
| Cloudflare | cdn.cloudflare.audit.events | cdn.cloudflare.audit.events |
| Cloudflare | cdn.cloudflare.firewall.samples | cdn.cloudflare.firewall.samples |
| Cloudflare | cdn.cloudflare.waf.events | cdn.cloudflare.waf.events |

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | - |
| machine | str | - |
| server_date | timestamp | - |
| hostname | str | - |
| category | str | - |
| log_level | str | - |
| event_id | str | - |
| server_instance | str | - |
| client_ip | ip4 | - |
| server_ip | ip4 | - |
| action | str | - |
| action_id | str | - |
| result | str | - |
| reason | str | - |
| session_id | str | - |
| user_id | str | - |
| user_identity_source_id | str | - |
| user_security_domain_id | str | - |
| user_login_name | str | - |
| user_first_name | str | - |
| user_last_name | str | - |
| arg_1 | str | - |
| arg_2 | str | - |
| arg_3 | str | - |
| arg_4 | str | - |
| arg_5 | str | - |
| arg_6 | str | - |
| cause | str | - |
| hostchain | str | ... |
| tag | str | ... |
| rawMessage | str | - |

| Field | Type | Extra Label |
|---|---|---|
| eventdate | timestamp | - |
| machine | str | - |
| server_date | timestamp | - |
| hostname | str | - |
| category | str | - |
| log_level | str | - |
| event_id | str | - |
| server_instance | str | - |
| client_ip | ip4 | - |
| server_ip | ip4 | - |
| action | str | - |
| action_id | str | - |
| result | str | - |
| reason | str | - |
| session_id | str | - |
| user_id | str | - |
| user_identity_source_id | str | - |
| user_security_domain_id | str | - |
| user_login_name | str | - |
| user_first_name | str | - |
| user_last_name | str | - |
| agent_id | str | - |
| agent_security_domain_id | str | - |
| agent_address | ip4 | - |
| agent_name | str | - |
| agent_type | str | - |
| policy_method_id | str | - |
| policy_method_name | str | - |
| policy_id | str | - |
| policy_expression | str | - |
| arg1 | str | - |
| arg2 | str | - |
| arg3 | str | - |
| arg4 | str | - |
| arg5 | str | - |
| arg6 | str | - |
| arg7 | str | - |
| arg8 | str | - |
| arg9 | str | - |
| arg10 | str | - |
| more_args | str | - |
| hostchain | str | ... |
| tag | str | ... |
| rawMessage | str | |

cdn.cloudflare.audit.events

| Field | Type |
|---|---|
| hostname | str |
| ENTITY_ID | str |
| id | str |
| action__info | str |
| action__type | str |
| action__result | bool |
| actor__id | str |
| actor__email | str |
| actor__type | str |
| actor__ip | ip4 |
| newValue | str |
| oldValue | str |
| owner__id | str |
| resource__id | str |
| resource__type | str |
| interface | str |
| metadata__zone_name | str |
| metadata__zone_tag | str |
| metadata__type | str |
| metadata__name | str |
| metadata__value | str |
| when | timestamp |
| hostchain | str |
| tag | str |
| rawMessage | str |

cdn.cloudflare.firewall.samples

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| zone_tag | str | | | |
| action | str | | | |
| clientASN | str | | | |
| clientASNDescription | str | | | |
| clientCountryName | str | | | |
| clientIP | str | | | |
| clientIP4 | ip4 | `ip4(clientIP)` | clientIP | |
| clientIP_v6 | ip6 | `ifthenelse(isnull(clientIP4) and not isnull(clientIP), ip6(clientIP), null)` | clientIP, clientIP4 | |
| clientIPClass | str | | | |
| clientRefererHost | str | | | |
| clientRefererPath | str | | | |
| clientRefererQuery | str | | | |
| clientRefererScheme | str | | | |
| clientRequestHTTPHost | str | | | |
| clientRequestHTTPMethodName | str | | | |
| clientRequestHTTPProtocol | str | | | |
| clientRequestPath | str | | | |
| clientRequestQuery | str | | | |
| clientRequestScheme | str | | | |
| datetime | timestamp | | | |
| edgeColoName | str | | | |
| edgeResponseStatus | int4 | | | |
| kind | str | | | |
| matchIndex | int4 | | | |
| originResponseStatus | int4 | | | |
| originatorRayName | str | | | |
| rayName | str | | | |
| ruleId | str | | | |
| source | str | | | |
| userAgent | str | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |

cdn.cloudflare.waf.events

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| zone_tag | str | | | |
| ClientASN | int4 | | | |
| ClientCountry | str | | | |
| ClientDeviceType | str | | | |
| ClientIP | ip4 | | | |
| ClientIPClass | str | | | |
| ClientRequestBytes | int4 | | | |
| ClientRequestHost | str | | | |
| ClientRequestMethod | str | | | |
| ClientRequestPath | str | | | |
| ClientRequestProtocol | str | | | |
| ClientRequestReferer | str | | | |
| ClientRequestURI | str | | | |
| ClientRequestUserAgent | str | | | |
| ClientSSLCipher | str | | | |
| ClientSSLProtocol | str | | | |
| ClientSrcPort | int4 | | | |
| ClientXRequestedWith | str | | | |
| Description | str | | | |
| EdgeColoCode | str | | | |
| EdgeColoID | int4 | | | |
| EdgeEndTimestamp | int8 | | | |
| EdgePathingOp | str | | | |
| EdgePathingSrc | str | | | |
| EdgePathingStatus | str | | | |
| EdgeRateLimitAction | str | | | |
| EdgeRateLimitID | int4 | | | |
| EdgeRequestHost | str | | | |
| EdgeResponseBytes | int4 | | | |
| EdgeResponseCompressionRatio | float8 | | | |
| EdgeResponseContentType | str | | | |
| EdgeResponseStatus | int4 | | | |
| EdgeServerIP | str | | | |
| FirewallMatchesActions_str | str | `join(FirewallMatchesActions, ',')` | FirewallMatchesActions | |
| FirewallMatchesRuleIDs_str | str | `join(FirewallMatchesRuleIDs, ',')` | FirewallMatchesRuleIDs | |
| FirewallMatchesSources_str | str | `join(FirewallMatchesSources, ',')` | FirewallMatchesSources | |
| OriginIP | str | | | |
| OriginResponseBytes | int4 | | | |
| OriginResponseHTTPExpires | str | | | |
| OriginResponseHTTPLastModified | str | | | |
| OriginResponseStatus | int4 | | | |
| OriginResponseTime | int4 | | | |
| OriginSSLProtocol | str | | | |
| ParentRayID | str | | | |
| RayID | str | | | |
| Ref | str | | | |
| SecurityLevel | str | | | |
| WAFAction | str | | | |
| WAFFlags | str | | | |
| WAFMatchedVar | str | | | |
| WAFProfile | str | | | |
| WAFRuleID | str | | | |
| WAFRuleMessage | str | | | |
| ZoneID | int8 | | | |
| at_devo_collector_version | int4 | | | |
| at_devo_source_id | str | | | |
| at_devo_project_id | str | | | |
| at_devo_retrieving_timestamp | timestamp | | | |
| hostchain | str | | | |
| tag | str | | | |
| rawMessage | str | | | |