Cloudflare WAF

Connect Cloudflare WAF to Radiant Security to forward HTTP request logs and firewall events for AI triage.

Cloudflare WAF is a cloud-delivered web application firewall that protects internet-facing applications from threats such as SQL injection, cross-site scripting, credential stuffing, malicious bots, and DDoS attacks by inspecting and filtering traffic at the network edge. Connecting Cloudflare WAF forwards HTTP request logs and firewall events to Radiant Security via Amazon S3. Radiant uses these logs to correlate external attack attempts against your web applications with downstream identity, endpoint, and authentication signals during AI triage, giving analysts the full attack chain behind every alert.

Prerequisites

Configure Cloudflare WAF

Ensure that you have your S3 bucket information at hand. You must configure a Bucket Policy on your S3 bucket to allow Cloudflare to write logs to it. Please refer to Cloudflare's documentation on Enable Amazon S3 for the required JSON policy.

Configure Logpush integration

  1. In the Cloudflare dashboard, go to the Logpush page at the account level or at the level of the domain (also known as zone) you want to monitor.

  2. Depending on your choice, you have access to account-scoped datasets and zone-scoped datasets, respectively.

  3. Select Create a Logpush job.

  4. In Select a destination, choose Amazon S3.

  5. Enter or select the following destination information:

    • Bucket: S3 bucket name

    • Path: Bucket location within the storage container

    • Organize logs into daily subfolders (recommended)

    • Bucket region

    • To grant Cloudflare access to upload files to your bucket, you must apply a bucket policy (if you did not add it already):

      • Copy the JSON policy displayed on this page, then go to your bucket in the Amazon S3 console and paste the policy in Permissions > Bucket Policy.

      • Click Save.

When you are done entering the destination details, select Continue.

  6. To prove ownership, Cloudflare will send a file to your designated destination. To find the token, select the Open button in the Overview tab of the ownership challenge file, then paste it into the Cloudflare dashboard to verify your access to the bucket. Enter the Ownership Token and select Continue.

  7. Select the dataset to push to the storage service, http_requests or firewall_events. Since each Logpush job only pushes one dataset, set up a second Logpush job if you want both datasets.

  8. In the next step, you need to configure your Logpush job:

    • Enter the Job name.

    • Under If logs match, you can select the events to include and/or remove from your logs. Refer to Filters for more information. Not all datasets have this option available.

    • In Send the following fields, you can choose to either push all logs to your storage destination or selectively choose which logs you want to push.

  9. Advanced Options should be kept as default.

    • Warning: The CVE-2021-44228 redaction option in Cloudflare's Advanced Options replaces ${ with x{. Default is OFF, but if it is ON, Radiant cannot detect Log4Shell-style attacks because the pattern has been mangled at the source.

  10. Select Submit once you are done configuring your Logpush job.
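To check whether the redaction option from the warning above is mangling your logs, you can scan an object downloaded from the bucket. This is an added example, not Cloudflare's or Radiant's code. It assumes the Logpush default of newline-delimited JSON inside the gzipped object; the function names and the sample records are hypothetical.

```python
import gzip
import io
import json
import re

# Raw lookup marker (redaction OFF) and its mangled form (redaction ON).
RAW = re.compile(r"\$\{jndi:", re.IGNORECASE)
REDACTED = re.compile(r"x\{jndi:", re.IGNORECASE)


def scan_logpush_object(blob: bytes) -> dict:
    """Scan one gzipped NDJSON Logpush object for raw and mangled markers."""
    result = {"records": 0, "raw": [], "redacted": []}
    with gzip.open(io.BytesIO(blob), "rt", encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue  # tolerate blank lines between records
            record = json.loads(line)
            result["records"] += 1
            for field, value in record.items():
                if not isinstance(value, str):
                    continue  # only string fields can carry the marker
                if RAW.search(value):
                    result["raw"].append((record.get("RayID"), field))
                elif REDACTED.search(value):
                    result["redacted"].append((record.get("RayID"), field))
    return result


def redaction_suspected(result: dict) -> bool:
    """Mangled markers with no raw ones suggest the redaction option is ON."""
    return bool(result["redacted"]) and not result["raw"]


# Constructed sample records (not real traffic); the RayID values are made up.
SAMPLE = [
    {"RayID": "ray-0001", "ClientRequestURI": "/index.html",
     "ClientRequestUserAgent": "Mozilla/5.0"},
    {"RayID": "ray-0002", "ClientRequestURI": "/login",
     "ClientRequestUserAgent": "x{jndi:ldap://example.invalid/a}"},
]
SAMPLE_BLOB = gzip.compress(
    "\n".join(json.dumps(r) for r in SAMPLE).encode("utf-8"))

if __name__ == "__main__":
    res = scan_logpush_object(SAMPLE_BLOB)
    print(res, "redaction suspected:", redaction_suspected(res))
```

If redaction is suspected, set the CVE-2021-44228 redaction option back to OFF in the job's Advanced Options so the original pattern reaches Radiant.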

Create and get access to an S3 bucket

Cloudflare uses Amazon Identity and Access Management (IAM) to gain access to your S3 bucket. The Cloudflare IAM user needs the PutObject permission for the bucket.

Logs are written into that bucket as gzipped objects using the S3 Access Control List (ACL) bucket-owner-full-control permission.

Note: For example, if you want to store logs in the bucket burritobot in the logs directory, the S3 URL would be s3://burritobot/logs.

Ensure Log Share permissions are enabled before attempting to read or configure a Logpush job. For more information, refer to the Roles section.

To enable Logpush to Amazon S3:

  1. Create an S3 bucket. Refer to Amazon's "Create an S3 bucket" documentation.

  2. Edit and paste the policy below into S3 > Bucket > Permissions > Bucket Policy.

Note: Replace the Resource value with your own bucket path. The AWS Principal is owned by Cloudflare and should not be changed.

Note: Logpush uses multipart upload for S3. Aborted uploads will result in incomplete files remaining in your bucket. To minimize your storage costs, Amazon recommends configuring a lifecycle rule using the AbortIncompleteMultipartUpload action. Refer to Uploading and copying objects using multipart upload.

Configure S3 bucket for Radiant Security

Now that Cloudflare is configured to send logs to your S3 bucket, you need to configure the bucket to allow Radiant Security to collect the logs.

Follow the Configure Amazon S3 to forward logs to Radiant Security guide to:

  1. Configure a bucket policy to allow Radiant Security read access.

  2. Create and configure an SNS topic for event notifications.

  3. Set up S3 event notifications for the folder prefix(es) you configured in Cloudflare.

  4. Create the Amazon S3 Connector on Radiant Security.

Verify ingestion

After Cloudflare WAF begins forwarding, confirm events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"cloudflare_waf".

  3. Confirm recent events appear.

Allow several minutes for events to be parsed, indexed, and available for search.
