Cloudflare is a global network of servers and provides reverse proxy services to improve the security, performance, and reliability of an organization’s web traffic. Panther can collect, normalize, and monitor Cloudflare logs to help you identify suspicious activity in real time. Your normalized data is then retained to power future security investigations in a data lake powered by the cloud-native data platform, Snowflake.
Panther supports multiple Cloudflare log types, including audit, HTTP request, firewall, and Spectrum logs. Some common SIEM use cases for these log types include:
Panther’s integration for Cloudflare is simple to configure, allowing you to onboard logs in just a few minutes. Simply select Cloudflare from the list of log sources in the Panther console, create an AWS S3 bucket for Cloudflare logs, and configure Cloudflare’s Logpush service to stream logs to the S3 bucket.
For more details on onboarding Cloudflare logs or for supported log schema, you can view our Cloudflare documentation here.
As Panther ingests Cloudflare logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to write detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate data across all of your log sources - not just Cloudflare. You can then use Panther’s various search tools - such as Query Builder, Data Explorer, and Indicator Search - to investigate your normalized logs for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.
A number of pre-built detections for Cloudflare are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for Cloudflare logs here.
With Panther, you aren’t confined to restrictive detections or proprietary languages as seen in many SIEM solutions. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.
Panther generates alerts when your detection rules or policies for Cloudflare are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.
Alerts are categorized by five different severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.
If you have any questions about configuring or monitoring Cloudflare logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.
You can view our documentation on configuring and monitoring Cloudflare logs here, or customers can sign up for the Panther Community to share best practices or custom detections for Cloudflare logs.
With Panther, your team doesn’t have to pay excessive costs to keep up with the growth of cloud security data, struggle with restrictive detection logic, or waste time and resources on operational overhead. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering flexible detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM platform for Cloudflare, request a demo today.
Identify any suspicious or malicious domain addresses or DNS requests.
Gain complete visibility into your managed endpoints.
Monitor network traffic for signs of suspicious behavior.
Monitor network traffic for attack attempts or probes.
Identify any suspicious traffic or domain activity.
Inspect network traffic and DNS protocols for suspicious activity.
Monitor Nginx access logs and gain complete visibility into web server activity.
Inspect all web activity for signs of suspicious behavior.
