Sentinel

Cloudflare integrates with Microsoft Sentinel so that you can analyze your Cloudflare data in one centralized place. Two versions of this connector are available. We recommend the newer Codeless Connector integration: it is easier to set up, gives you better cost management, and integrates with Sentinel Data Lake.

Sentinel CCF Solution (recommended): The Codeless Connector Framework (CCF) provides partners, advanced users, and developers the ability to create custom connectors for ingesting data to Microsoft Sentinel.

Sentinel Function Based Connector: The Cloudflare connector for Microsoft Sentinel uses Azure Functions to process security logs from Cloudflare's Logpush service and ingest them directly into the SIEM platform.

This guide provides clear, step-by-step instructions for integrating Cloudflare logs with the new CCF connector for Microsoft Sentinel using Azure Blob Storage. By following these steps, you will be able to securely collect, store, and analyse your Cloudflare logs within Microsoft Sentinel, enhancing your organisation's security monitoring and incident response capabilities.

Step 1: Prerequisites

  • Azure Subscription with permission to create and manage resources (Contributor/Owner role recommended).
  • Microsoft Sentinel Workspace already set up in your Azure environment.
  • Azure Storage Account with a Blob container for storing Cloudflare logs.
  • Cloudflare Account with access to the domain whose logs you wish to export, and permission to configure Logpush jobs.

Step 2: Set up a logpush job

  1. Log in to the Cloudflare dashboard, and select your account and domain.

  2. Go to Analytics > Logs and select Logpush.

  3. Select Create Logpush Job. Choose the log type you want to export (for example, HTTP requests).

  4. For the destination, select Azure Blob Storage.

  5. Enter your Azure Blob Storage details:

    • SAS Token (Shared Access Signature)

    To generate a SAS token in the Azure portal, open your storage account. Under Data Storage, select Containers and choose the container that will receive the logs. In the container's settings, select Shared access signature. Grant the required permissions, such as write and create, set the start and expiry dates for the token, and then generate it.

  6. Save and activate the Logpush job.

For complete details, refer to the Cloudflare Logpush to Azure documentation.
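As an added illustration (not code from Cloudflare's documentation or connector), the following Python check validates a Logpush azure:// destination before the job is saved, enforcing the least-privilege SAS described in step 5: container scope, only create/write permissions, and an expiry that is neither past nor years out. The azure://<account>.blob.core.windows.net/<container>?<SAS> layout and the SAS query parameter names (sv, sp, se, sr, sig) are assumed here; the sample destinations and signatures are constructed.

```python
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: Logpush only creates new blobs, so create ("c") and write ("w") are all it needs;
# any other permission letter (read, add, delete, list, ...) only widens the impact of a leaked token.
REQUIRED_PERMS = {"c", "w"}
RISKY_PERMS = set("radlxtmeopiyf")

def check_sas_destination(destination_conf: str, now: Optional[datetime] = None) -> List[str]:
    """Return the problems found in an azure:// Logpush destination; an empty list means OK.
    Assumed layout: azure://<account>.blob.core.windows.net/<container>?<SAS query string>."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    parts = urlsplit(destination_conf)
    if parts.scheme != "azure":
        problems.append(f"scheme is {parts.scheme!r}, expected 'azure'")
    if not parts.netloc.endswith(".blob.core.windows.net"):
        problems.append("host is not a *.blob.core.windows.net endpoint")
    if parts.path.count("/") != 1 or len(parts.path) < 2:
        problems.append("path must name exactly one container")
    sas = {k: v[0] for k, v in parse_qs(parts.query).items()}
    for key in ("sv", "sp", "se", "sig"):
        if key not in sas:
            problems.append(f"SAS is missing the '{key}' parameter")
    if sas.get("sr") != "c":
        problems.append("SAS should be a container SAS (sr=c), not account- or blob-scoped")
    perms = set(sas.get("sp", ""))
    if not REQUIRED_PERMS <= perms:
        problems.append(f"SAS lacks create/write permission (sp={sas.get('sp', '')!r})")
    extra = perms & RISKY_PERMS
    if extra:
        problems.append("SAS grants more than Logpush needs: sp contains " + "".join(sorted(extra)))
    if "se" in sas:
        expiry = datetime.fromisoformat(sas["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # a date-only expiry parses as naive; treat it as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("SAS has already expired")
        elif (expiry - now).days > 365:
            problems.append("SAS lifetime exceeds a year; rotate it on a shorter schedule")
    return problems

# Constructed samples (fake account, container and signature) and a fixed clock for reproducibility.
FIXED_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
GOOD_DEST = ("azure://examplestorage.blob.core.windows.net/cloudflare-logs"
             "?sv=2022-11-02&sr=c&sp=cw&st=2025-01-01T00:00:00Z&se=2025-06-30T00:00:00Z&sig=FAKE%2FSIG%3D")
BAD_DEST = ("azure://examplestorage.blob.core.windows.net/cloudflare-logs"
            "?sv=2022-11-02&sp=racwdl&se=2024-12-31T00:00:00Z&sig=FAKE%2FSIG%3D")
```

Running check_sas_destination(GOOD_DEST, FIXED_NOW) returns an empty list, while BAD_DEST is flagged for missing container scope, excess permissions and an expired token.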

Step 3: Configure Azure and deploy the Data Connector in Microsoft Sentinel

  1. Log in to the Azure Portal and go to your Microsoft Sentinel workspace.
  2. Select Content Hub in the navigation bar and search for Cloudflare.
  3. Select the Cloudflare solution from the results.
  4. Select Install in the right pane.
  5. In your Sentinel workspace, go to Data connectors.
  6. Search for the Cloudflare connector (may appear as Cloudflare (using Azure Blob Storage)).
  7. Select the connector to configure it.

(Screenshot: Azure portal)

Step 4: Fill out required fields

When configuring the Cloudflare data connector, you will need to provide the following information:

  • Blob container URL

To obtain the container URL, open the Azure Portal and go to your storage account. Under Data Storage, select Containers, then choose the container that receives logs from Cloudflare. The container's Properties page displays the URL.

  • Resource group name for the storage account
  • Storage account location
  • Subscription ID
  • Event grid topic name (only if reconfiguring; not needed for initial setup)

After entering all information, select Connect.

Ensure all fields are correctly filled to enable seamless log ingestion.

(Screenshot: Configuration fields)

Step 5: Complete deployment

  1. Select Apply changes or Connect to finalise the connector setup.
  2. Monitor the Data connectors page in Sentinel to confirm that the Cloudflare connector status is Connected.
  3. Verify that Cloudflare logs are appearing in your Sentinel workspace under Log Analytics > Logs.
  4. If logs are not appearing, review your Blob Storage permissions, Cloudflare Logpush configuration, and Sentinel connector settings.

(Screenshot: Data connectors)

By following these steps, you have successfully integrated Cloudflare logs with Microsoft Sentinel using Azure Blob Storage. This integration enables advanced security analytics and incident response capabilities for your Cloudflare-protected environments. If you encounter issues, review each configuration step, check permissions, and review Microsoft's official documentation.

(Screenshot: Cloudflare traffic overview)

Supported Logs

The following fields are supported by the Sentinel connectors (both CCF and Function based). You can push all log fields to Azure with Logpush, as described in the Enable Microsoft Azure documentation.

Parser fields

ClientDeviceType
Source
ClientSSLCipher
ClientTlsCipher
ClientSSLProtocol
ClientTlsProtocol
FirewallMatchesActions
Event
FirewallMatchesRuleIDs
RuleID
ClientRequestBytes
ClientBytes
ClientSrcPort
ClientPort
EdgeResponseBytes
OriginBytes
BotScore
BotScoreSrc
CacheCacheStatus
CacheResponseBytes
CacheResponseStatus
CacheTieredFill
ClientASN
ClientCountry
ClientIP
ClientIPClass
ClientRequestHost
ClientRequestMethod
ClientRequestPath
ClientRequestProtocol
ClientRequestReferer
ClientRequestURI
ClientRequestUserAgent
ClientXRequestedWith
EdgeColoCode
EdgeColoID
EdgeEndTimestamp
EdgePathingOp
EdgePathingSrc
EdgePathingStatus
EdgeRateLimitAction
EdgeRateLimitID
EdgeRequestHost
EdgeResponseCompressionRatio
EdgeResponseContentType
EdgeResponseStatus
EdgeServerIP
EdgeStartTimestamp
FirewallMatchesSources
OriginIP
OriginResponseBytes
OriginResponseHTTPExpires
OriginResponseHTTPLastModified
OriginResponseStatus
OriginResponseTime
OriginSSLProtocol
ParentRayID
RayID
SecurityLevel
WAFAction
WAFFlags
WAFMatchedVar
WAFProfile
WAFRuleID
WAFRuleMessage
WorkerCPUTime
WorkerStatus
WorkerSubrequest
WorkerSubrequestCount
ZoneID
Application
ClientMatchedIpFirewall
ClientProto
ClientTcpRtt
ClientTlsClientHelloServerName
ClientTlsStatus
ColoCode
ConnectTimestamp
DisconnectTimestamp
IpFirewall
OriginPort
OriginProto
OriginTcpRtt
OriginTlsCipher
OriginTlsFingerprint
OriginTlsMode
OriginTlsProtocol
OriginTlsStatus
ProxyProtocol
Status
Timestamp
ClientASNDescription
ClientRefererHost
ClientRefererPath
ClientRefererQuery
ClientRefererScheme
ClientRequestQuery
ClientRequestScheme
Datetime
Kind
MatchIndex
OriginatorRayID
TimeGenerated

WorkBook fields

ClientCountry_s
ClientDeviceType_s
ClientIP_s
ClientIPClass_s
ClientRequestMethod_s
ClientRequestProtocol_s
ClientRequestReferer_s
ClientRequestURI_s
ClientRequestUserAgent_s
EdgePathingOp_s
EdgePathingSrc_s
EdgePathingStatus_s
EdgeResponseContentType_s
threat
TimeGenerated
EdgePathingSrc_s
EdgePathingOp_s
EdgePathingStatus_s
EdgeResponseStatus_d
OriginResponseStatus_d
TimeGenerated

Analytic rules

ClientIPClass
SrcIpAddr
ClientRequestURI
HttpUserAgentOriginal
HttpRequestMethod
TimeGenerated
SrcGeoCountry
ClientRequestURI
HttpRequestMethod
HttpStatusCode
DstBytes
SrcBytes
WAFRuleID
WAFRuleMessage
WAFAction

Hunting queries

TimeGenerated
HttpStatusCode
SrcIpAddr
ClientRequestURI
ClientTlsStatus
HttpUserAgentOriginal
OriginTlsStatus
NetworkRuleName
EdgeRequestHost
SrcGeoCountry
EdgeResponseStatus
ClientCountry
ClientDeviceType
status
OriginResponseStatus
WorkerSubrequest
http_method
dest_ip
dest_host
uri_path
http_user_agent
status
src_ip
OriginResponseStatus
RayID
WorkerSubrequest
http_method
bytes_out
bytes_cached_requests
threat
ClientRequestProtocol
http_referrer
ClientIPClass
cf_http_status_codes
http_content_type
cf_http_status_codes
cached_requests
CacheCacheStatus
ClientASN
EdgePathingSrc
EdgePathingOp
EdgePathingStatus
ClientRequestUserAgent
SecurityAction
SecurityRuleID
SecurityRuleDescription

Resources

Download Cloudflare's CCF Sentinel Solution
Microsoft Data Lake Overview
About the CCF Platform