Cloudflare Log Explorer adds 14 datasets for investigating multi-vector attacks
Cloudflare · release · feature · security · platform · blog.cloudflare.com

Unified Visibility Across Attack Surfaces

Cloudflare has significantly expanded Log Explorer with 14 new logging datasets, providing security teams with comprehensive visibility across the entire Cloudflare edge network. By integrating logs from application-layer, network-layer, and identity/access components, organizations can now conduct rapid, deep-dive forensics on sophisticated multi-vector attacks in a single unified interface.

New Log Types Available

Zone-Scoped Datasets

The expansion includes critical zone-level logs for investigating website traffic and security events:

  • HTTP Requests: Complete application-layer traffic records for reconstructing session activity and exploit attempts
  • Firewall Events: Evidence of blocked threats, including specific WAF rules and IP reputation matches
  • DNS Logs: Detection of cache poisoning, domain hijacking, and infrastructure reconnaissance
  • NEL Reports: Browser-level error tracking to distinguish DDoS attacks from legitimate network issues
  • Spectrum Events: L4 visibility into non-web protocols (TCP/UDP) for attacks against SSH, RDP, and custom services
  • Page Shield: Auditing of client-side JavaScript changes and unauthorized outbound connections
  • Zaraz Events: Monitoring of third-party tools and trackers for privacy compliance and unauthorized script detection

Account-Scoped Datasets

New account-level logs provide security operations teams deeper insight into Zero Trust, administrative changes, and network activity:

  • Access Requests: Identity-based authentication event tracking
  • Audit Logs: Configuration change trails for unauthorized administrative actions
  • CASB Findings: SaaS application security misconfigurations
  • Magic Transit/IPSec Logs: Layer 3 network monitoring and tunnel health
  • Browser Isolation Logs: Tracking of user actions in isolated browser sessions
  • Device Posture Results: Security health and compliance status of connecting devices
  • DEX Tests & Events: Application performance monitoring and device state telemetry
  • DNS Firewall/Gateway DNS: Malicious domain and C2 communication detection
  • Email Security Alerts: Phishing and malicious email tracking
  • Gateway HTTP/Network: Encrypted traffic inspection and L3/L4 anomaly detection
  • Magic IDS Detections: Intrusion detection signature matches
  • Network Analytics: Packet-level DDoS and traffic spike identification
  • Sinkhole HTTP Logs: Botnet infrastructure communication detection
  • WARP Config/Toggle Changes: Client-side security agent tamper detection
  • Zero Trust Network Sessions: Authenticated session lifecycle mapping

Key Use Cases

The expanded Log Explorer enables security analysts to correlate telemetry across multiple attack vectors to unmask sophisticated, multi-layered attacks. By integrating data from HTTP requests, network-layer DDoS and Firewall logs, and Zero Trust access events, teams can significantly reduce Mean Time to Detect (MTTD) and investigate attacks that span application, network, and identity layers simultaneously.