In the world of cybersecurity, a single data point isn't the whole story. Modern attackers don't just knock on the front door; they probe your APIs, flood your network with "noise" to distract your team, and try to slip through applications and servers using stolen credentials.
To stop these multi-vector attacks, you need the full picture. By using Cloudflare Log Explorer to conduct security forensics, you get 360-degree visibility through the integration of 14 new datasets, covering the full surface of Cloudflare's Application Services and Cloudflare One product portfolios. By correlating telemetry from application-layer HTTP requests, network-layer DDoS and Firewall logs, and Zero Trust Access events, security analysts can significantly reduce Mean Time to Detect (MTTD) and effectively unmask sophisticated, multi-layered attacks.
Read on to learn more about how Log Explorer gives security teams the ultimate landscape for rapid, deep-dive forensics.
The flight recorder for your entire stack
The modern digital landscape requires deep, correlated telemetry to defend against adversaries using multiple attack vectors. Raw logs serve as the "flight recorder" for an application, capturing every single interaction, attack attempt, and performance bottleneck. And because Cloudflare sits at the edge, between your users and your servers, all of these events are logged before the requests even reach your infrastructure.
Cloudflare Log Explorer centralizes these logs into a unified interface for rapid investigation.
Focus: Website traffic, security events, and edge performance.

| Dataset | Description |
| --- | --- |
| HTTP Requests | As the most comprehensive dataset, it serves as the "master record" of all application-layer traffic, enabling the reconstruction of session activity, exploit attempts, and bot patterns. |
| Firewall Events | Provides critical evidence of blocked or challenged threats, allowing analysts to identify the specific WAF rules, IP reputations, or custom filters that intercepted an attack. |
| DNS Logs | Identify cache poisoning attempts, domain hijacking, and infrastructure-level reconnaissance by monitoring every query resolved at the authoritative edge. |
| NEL (Network Error Logging) Reports | Distinguish between a coordinated Layer 7 DDoS attack and legitimate network connectivity issues by monitoring client-side browser errors. |
| Spectrum Events | For non-web applications, these logs provide visibility into L4 traffic (TCP/UDP), helping to identify anomalies or brute-force attacks against protocols like SSH, RDP, or custom gaming traffic. |
| Page Shield | Monitor and audit unauthorized changes to your site's client-side environment, such as JavaScript and outbound connections. |
| Zaraz Events | Learn how third-party tools and trackers are interacting with user data, which is vital for auditing privacy compliance and detecting unauthorized script behaviors. |
Focus: Internal security, Zero Trust, administrative changes, and network activity.

| Dataset | Description |
| --- | --- |
| Access Requests | Tracks identity-based authentication events to determine which users accessed specific internal applications and whether those attempts were authorized. |
| Audit Logs | Provides a trail of configuration changes within the Cloudflare dashboard to identify unauthorized administrative actions or modifications. |
| CASB Findings | Identifies security misconfigurations and data risks within SaaS applications (like Google Drive or Microsoft 365) to prevent unauthorized data exposure. |
| Magic Transit / IPSec Logs | Helps network engineers perform network-level (L3) monitoring, such as reviewing tunnel health and viewing BGP routing changes. |
| Browser Isolation Logs | Tracks user actions within an isolated browser session (e.g., copy-paste, print, or file uploads) to prevent data leaks on untrusted sites. |
| Device Posture Results | Details the security health and compliance status of devices connecting to your network, helping to identify compromised or non-compliant endpoints. |
| DEX Application Tests | Monitors application performance from the user's perspective, which can help distinguish between a security-related outage and a standard performance degradation. |
| DEX Device State Events | Provides telemetry on the physical state of user devices, useful for correlating hardware or OS-level anomalies with potential security incidents. |
| DNS Firewall Logs | Tracks DNS queries filtered through the DNS Firewall to identify communication with known malicious domains or command-and-control (C2) servers. |
| Email Security Alerts | Logs malicious email activity and phishing attempts detected at the gateway to trace the origin of email-based entry vectors. |
| Gateway DNS | Monitors every DNS query made by users on your network to identify shadow IT, malware callbacks, or domain-generation algorithms (DGAs). |
| Gateway HTTP | Provides full visibility into encrypted and unencrypted web traffic to detect hidden payloads, malicious file downloads, or unauthorized SaaS usage. |
| Gateway Network | Tracks L3/L4 network traffic (non-HTTP) to identify unauthorized port usage, protocol anomalies, or lateral movement within the network. |
| IPSec Logs | Monitors the status and traffic of encrypted site-to-site tunnels to ensure the integrity and availability of secure network connections. |
| Magic IDS Detections | Surfaces matches against intrusion detection signatures to alert investigators to known exploit patterns or malware behavior traversing the network. |
| Network Analytics Logs | Provides high-level visibility into packet-level data to identify volumetric DDoS attacks or unusual traffic spikes targeting specific infrastructure. |
| Sinkhole HTTP Logs | Captures traffic directed to "sinkholed" IP addresses to confirm which internal devices are attempting to communicate with known botnet infrastructure. |
| WARP Config Changes | Tracks modifications to the WARP client settings on end-user devices to ensure that security agents have not been tampered with or disabled. |
| WARP Toggle Changes | Specifically logs when users enable or disable their secure connectivity, helping to identify periods where a device may have been unprotected. |
| Zero Trust Network Session Logs | Logs the duration and status of authenticated user sessions to map out the complete lifecycle of a user's access within the protected perimeter. |
Log Explorer can identify malicious activity at every stage
Get granular application-layer visibility with HTTP Requests, Firewall Events, and DNS logs to see exactly how traffic is hitting your public-facing properties. Monitor internal movement with Access Requests, Gateway logs, and Audit logs. If a credential is compromised, you'll see where it went. Use Magic IDS and Network Analytics logs to spot volumetric attacks and "East-West" lateral movement inside your own network.
Identify the reconnaissance
Attackers use scanners and other tools to look for entry points, hidden directories, or software vulnerabilities. To identify this in Log Explorer, you can query http_requests for EdgeResponseStatus codes of 401, 403, or 404 coming from a single IP, or for requests to sensitive paths (e.g. /.env, /.git, /wp-admin).
Additionally, magic_ids_detections logs can be used to identify scanning at the network layer. These logs provide packet-level visibility into threats targeting your network. Unlike standard HTTP logs, they focus on signature-based detections at the network and transport layers (IP, TCP, UDP). Query for instances where a single SourceIP is triggering multiple unique detections across a range of DestinationPort values in a short timeframe. Magic IDS signatures can specifically flag activities like Nmap scans or SYN stealth scans.
While the attacker is conducting reconnaissance, they may attempt to disguise it with a simultaneous network flood. Pivot to network_analytics_logs to see if a volumetric attack is being used as a smokescreen.
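As an added example (not from the original post and not Cloudflare's own code), the two reconnaissance checks above expressed as detection logic in Python over constructed sample rows: the 4xx-from-one-IP / sensitive-path check against http_requests, and the many-ports-from-one-SourceIP check against magic_ids_detections using a sliding time window. EdgeResponseStatus, ClientIP, SourceIP and DestinationPort are the field names named above; ClientRequestPath and Timestamp are assumed field names, and every address, path and threshold is invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2026, 2, 22, 10, 0, 0)  # constructed start time for the sample rows
SENSITIVE_PATHS = ("/.env", "/.git", "/wp-admin")

HTTP_REQUESTS = [  # constructed http_requests rows; ClientRequestPath is an assumed field name
    {"ClientIP": "203.0.113.7", "ClientRequestPath": "/.env", "EdgeResponseStatus": 404},
    {"ClientIP": "203.0.113.7", "ClientRequestPath": "/.git/config", "EdgeResponseStatus": 403},
    {"ClientIP": "203.0.113.7", "ClientRequestPath": "/backup.zip", "EdgeResponseStatus": 404},
    {"ClientIP": "198.51.100.4", "ClientRequestPath": "/index.html", "EdgeResponseStatus": 200},
    {"ClientIP": "198.51.100.4", "ClientRequestPath": "/missing.png", "EdgeResponseStatus": 404},
]
IDS_DETECTIONS = [  # constructed magic_ids_detections rows: a sweep over six ports, one benign client
    {"SourceIP": "203.0.113.7", "DestinationPort": p, "Timestamp": T0 + timedelta(seconds=10 * i)}
    for i, p in enumerate([22, 23, 80, 443, 3389, 8080])
] + [
    {"SourceIP": "198.51.100.4", "DestinationPort": 443, "Timestamp": T0 + timedelta(minutes=i)}
    for i in range(4)
]

def probing_clients(rows, min_errors=3):
    """Flag ClientIPs with >= min_errors 401/403/404 responses or any sensitive-path request."""
    stats = defaultdict(lambda: {"errors": 0, "sensitive": []})
    for r in rows:
        s = stats[r["ClientIP"]]
        if r["EdgeResponseStatus"] in (401, 403, 404):
            s["errors"] += 1
        if r["ClientRequestPath"].startswith(SENSITIVE_PATHS):
            s["sensitive"].append(r["ClientRequestPath"])
    return {ip: s for ip, s in stats.items()
            if s["errors"] >= min_errors or s["sensitive"]}

def port_scanners(rows, min_ports=5, window=timedelta(minutes=5)):
    """Flag SourceIPs that hit >= min_ports distinct DestinationPorts inside any `window`."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["SourceIP"]].append((r["Timestamp"], r["DestinationPort"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # oldest first, so a sliding window can walk them
        best, start = 0, 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than the window
                start += 1
            best = max(best, len({p for _, p in events[start:i + 1]}))
        if best >= min_ports:
            hits[src] = best
    return hits
```

Shrinking the window or raising min_ports shows how the same data stops qualifying as a scan, which is the tuning an analyst does before turning a query into a recurring detection.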
Once attackers identify a potential vulnerability, they begin to craft their weapon. The attacker sends malicious payloads (e.g. SQL injection or large/corrupt file uploads) to confirm the vulnerability. Review http_requests and/or fw_events to identify any Cloudflare detection tools that have triggered. Cloudflare logs security signals in these datasets so that requests with malicious payloads can be identified using fields such as WAFAttackScore, WAFSQLiAttackScore, FraudAttack, ContentScanJobResults, and several more. Review our documentation for a full understanding of these fields. The fw_events logs can be used to determine whether these requests made it past Cloudflare's defenses by inspecting the action, source, and ruleID fields. Cloudflare's managed rules block many of these payloads by default. Review the Application Security Overview to know whether your application is protected.
Showing the Managed rules Insight that displays on Security Overview if the current zone doesn't have Managed Rules enabled
Did that suspicious IP manage to log in? Use the ClientIP to search access_requests. If you see a "Decision: Allow" for a sensitive internal app, you know you have a compromised account.
Stop the leak (data exfiltration)
Attackers commonly use DNS tunneling to bypass firewalls by encoding sensitive data (like passwords or SSH keys) into DNS queries. Instead of a normal request like google.com, the logs will show long, encoded strings. Look for an unusually high volume of queries for unique, long, high-entropy subdomains by inspecting these fields: QueryName, looking for strings like h3ldo293js92.example.com; QueryType, which often uses TXT, CNAME, or NULL records to carry the payload; and ClientIP, to identify whether a single internal host is generating thousands of these unique requests.
Additionally, attackers may attempt to leak sensitive data by hiding it within non-standard protocols or by using common protocols (like DNS or ICMP) in unusual ways to bypass standard firewalls. Uncover this by querying the magic_ids_detections logs for signatures that flag protocol anomalies, such as "ICMP tunneling" or "DNS tunneling" detections in the SignatureMessage.
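Added example (not part of the original post or of Log Explorer itself): the three DNS-tunneling heuristics above, long label, high entropy, payload-friendly record type, plus the per-ClientIP count of unique names, run over constructed DNS rows that use the QueryName, QueryType and ClientIP fields named above. The domain names, addresses and thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

TUNNEL_TYPES = {"TXT", "CNAME", "NULL"}  # record types that conveniently carry a payload

DNS_QUERIES = [  # constructed rows using the QueryName / QueryType / ClientIP fields; all values invented
    {"ClientIP": "10.0.0.12", "QueryType": "TXT", "QueryName": "h3ldo293js92.example.com"},
    {"ClientIP": "10.0.0.12", "QueryType": "TXT", "QueryName": "ZGV2aWNlLWtleTo4YTlm.example.com"},
    {"ClientIP": "10.0.0.12", "QueryType": "NULL", "QueryName": "c3NoLXJzYSBBQUFBQjNO.example.com"},
    {"ClientIP": "10.0.0.12", "QueryType": "CNAME", "QueryName": "x9f2k1m8q4w7e3r6t5y0.example.com"},
    {"ClientIP": "10.0.0.30", "QueryType": "A", "QueryName": "www.google.com"},
    {"ClientIP": "10.0.0.30", "QueryType": "TXT", "QueryName": "_dmarc.example.com"},
]

def shannon_entropy(s):
    """Bits per character of a label; encoded blobs score higher than ordinary hostnames."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def is_suspicious_query(row, min_len=12, min_entropy=2.5):
    """A long, high-entropy leftmost label carried in a payload-friendly record type."""
    label = row["QueryName"].split(".")[0]
    return (row["QueryType"] in TUNNEL_TYPES and len(label) >= min_len
            and shannon_entropy(label) >= min_entropy)

def tunneling_clients(rows, min_unique=3):
    """{ClientIP: distinct suspicious names} for hosts generating many unique encoded queries."""
    uniq = defaultdict(set)
    for r in rows:
        if is_suspicious_query(r):
            uniq[r["ClientIP"]].add(r["QueryName"])
    return {ip: len(names) for ip, names in uniq.items() if len(names) >= min_unique}
```

The short `_dmarc` TXT lookup is the kind of legitimate TXT traffic the length threshold is there to ignore; counting distinct names per host rather than raw queries keeps a single repeated lookup from tripping the detector.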
Whether you are investigating a zero-day vulnerability or tracking a sophisticated botnet, the data you need is now at your fingertips.
Correlate across datasets
Investigate malicious activity across multiple datasets by pivoting between several concurrent searches. With Log Explorer, you can now work with multiple queries simultaneously using the new Tabs feature. Switch between tabs to query different datasets, or pivot and modify queries by filtering on your query results.
When you correlate data across multiple Cloudflare log sources, you can detect sophisticated multi-stage attacks that appear benign when viewed in isolation. This cross-dataset analysis allows you to see the full attack chain, from reconnaissance to exfiltration.
Session hijacking (token theft)
Scenario: A user authenticates via Cloudflare Access, but their subsequent HTTP request traffic looks like a bot.
Step 1: Identify high-risk sessions in http_requests.

```sql
SELECT RayID, ClientIP, ClientRequestUserAgent, BotScore
FROM http_requests
WHERE date = '2026-02-22'
  AND BotScore < 20
LIMIT 100
```

Step 2: Copy the RayID and search access_requests to see which user account is associated with that suspicious bot activity.

```sql
SELECT Email, IPAddress, Allowed
FROM access_requests
WHERE date = '2026-02-22'
  AND RayID = 'INSERT_RAY_ID_HERE'
```

Post-phishing C2 beaconing
Scenario: An employee clicked a link in a phishing email, which resulted in their workstation being compromised. The workstation sends a DNS query for a known malicious domain, then immediately triggers an IDS alert.
Step 1: Find phishing attacks by inspecting email_security_alerts for violations.

```sql
SELECT Timestamp, Threatcategories, To, Alertreason
FROM email_security_alerts
WHERE date = '2026-02-22'
  AND Threatcategories LIKE 'phishing'
```

Step 2: Use Access logs to correlate the user's email (To) to their IP address.

```sql
SELECT Email, IPAddress
FROM access_requests
WHERE date = '2026-02-22'
```

Step 3: Find internal IPs querying a specific malicious domain in gateway_dns logs.

```sql
SELECT SrcIP, QueryName, DstIP
FROM gateway_dns
WHERE date = '2026-02-22'
  AND SrcIP = 'INSERT_IP_FROM_PREVIOUS_QUERY'
  AND QueryName LIKE '%malicious_domain_name%'
```

Lateral movement (Access → network probing)
Scenario: A user logs in via Zero Trust and then tries to scan the internal network.
Step 1: Find successful logins from unexpected locations in access_requests.

```sql
SELECT IPAddress, Email, Country
FROM access_requests
WHERE date = '2026-02-22'
  AND Allowed = true
  AND Country != 'US' -- Replace with your HQ country
```

Step 2: Check whether that IPAddress is triggering network-level signatures in magic_ids_detections.

```sql
SELECT SignatureMessage, DestinationIP, Protocol
FROM magic_ids_detections
WHERE date = '2026-02-22'
  AND SourceIP = 'INSERT_IP_ADDRESS_HERE'
```

Opening doors for more data
From the beginning, Log Explorer was designed with extensibility in mind. Every dataset schema is defined using JSON Schema, a widely adopted standard for describing the structure and types of JSON data. This design decision has enabled us to easily expand beyond HTTP Requests and Firewall Events to the full breadth of Cloudflare's telemetry. The same schema-driven approach that powered our initial datasets scaled naturally to accommodate Zero Trust logs, network analytics, email security alerts, and everything in between.
More importantly, this standardization opens the door to ingesting data beyond Cloudflare's native telemetry. Because our ingestion pipeline is schema-driven rather than hard-coded, we are positioned to accept any structured data that can be expressed in JSON format. For security teams managing hybrid environments, this means Log Explorer could eventually serve as a single pane of glass, correlating Cloudflare's edge telemetry with logs from third-party sources, all queryable through the same SQL interface. While today's launch focuses on completing coverage of Cloudflare's product portfolio, the architectural groundwork is laid for a future where customers can bring their own data sources with custom schemas.
Faster data, faster response: architectural upgrades
To investigate a multi-vector attack effectively, timing is everything. A delay of even a few minutes in log availability can be the difference between proactive defense and reactive damage control.
That is why we have optimized our ingestion for greater speed and resilience. By increasing concurrency in one part of our ingestion path, we have eliminated bottlenecks that could cause "noisy neighbor" issues, ensuring that one customer's data surge doesn't slow down another's visibility. This architectural work has reduced our P99 ingestion latency by roughly 55%, and our P50 by 25%, cutting the time it takes for an event at the edge to become available for your SQL queries.
Grafana chart showing the drop in ingest latency after architectural upgrades
Follow along for more updates
We're just getting started. We are actively working on even more powerful features to further enhance your experience with Log Explorer, including the ability to run these detection queries on a custom-defined schedule.
Design mockup of the upcoming Log Explorer Scheduled Queries feature
Subscribe to the blog and keep an eye out for more Log Explorer updates soon in our Change Log.
Get access to Log Explorer
To get access to Log Explorer, you can purchase self-serve directly from the dashboard or, for contract customers, reach out for a consultation or contact your account manager. Additionally, you can read more in our Developer Documentation.