Table: cloudflare_user_audit_log - Query Cloudflare User Audit Logs using SQL
Cloudflare User Audit Log is a feature within Cloudflare that allows you to monitor and track user activities and changes within your Cloudflare account. It provides a comprehensive and searchable log of all actions performed by users, helping to identify potential security issues and ensure compliance. Cloudflare User Audit Log is an essential tool for maintaining visibility and control over your Cloudflare account.
Table Usage Guide
The cloudflare_user_audit_log
table provides insights into user activities and changes within Cloudflare. As a security analyst, explore detailed logs through this table, including the actions performed, the user who performed them, and the time of the action. Utilize it to monitor user behavior, identify potential security issues, and ensure compliance with security policies.
Examples
Basic info
Explore the recent changes made by users in your Cloudflare account. This query helps you monitor user activity, providing insights into what modifications were made, when, and by whom, enhancing your account's security and accountability.
select actor_email, actor_type, l.when, action ->> 'type' as action_type, action ->> 'result' as action_result, jsonb_pretty(new_value_json) as new_value, jsonb_pretty(old_value_json) as old_value, owner_idfrom cloudflare_user_audit_log l;
select actor_email, actor_type, l.when, json_extract(action, '$.type') as action_type, json_extract(action, '$.result') as action_result, new_value_json as new_value, old_value_json as old_value, owner_idfrom cloudflare_user_audit_log l;
Get all the users' activities in the last 10 days
Explore the recent activities of all users in the past 10 days. This allows for a comprehensive review of user actions, helping to identify any unusual patterns or potential security concerns.
select actor_email, actor_type, l.when, action ->> 'type' as action_type, action ->> 'result' as action_result, jsonb_pretty(new_value_json) as new_value, jsonb_pretty(old_value_json) as old_value, owner_idfrom cloudflare_user_audit_log lwhere l.when > now() - interval '10' day;
select actor_email, actor_type, l.when, json_extract(action, '$.type') as action_type, json_extract(action, '$.result') as action_result, new_value_json as new_value, old_value_json as old_value, owner_idfrom cloudflare_user_audit_log lwhere l.when > datetime('now', '-10 day');
Get all the users' activities for a particular timeline
Explore the user activity within a specific timeframe to gain insights into their actions and results. This is beneficial for auditing purposes, understanding user behavior, and identifying any unusual or suspicious activity.
select actor_email, actor_type, l.when, action ->> 'type' as action_type, action ->> 'result' as action_result, jsonb_pretty(new_value_json) as new_value, jsonb_pretty(old_value_json) as old_value, owner_idfrom cloudflare_user_audit_log lwhere l.when > '2023-06-04' and l.when < '2023-06-07';
select actor_email, actor_type, l.when, json_extract(action, '$.type') as action_type, json_extract(action, '$.result') as action_result, new_value_json as new_value, old_value_json as old_value, owner_idfrom cloudflare_user_audit_log lwhere l.when > '2023-06-04' and l.when < '2023-06-07';
Get all the activities of a particular user
Explore the actions of a specific user to gain insights into their activities and changes made. This can assist in auditing user behavior, identifying potential security risks, and ensuring compliance with company policies.
select actor_email, actor_type, l.when, action ->> 'type' as action_type, action ->> 'result' as action_result, jsonb_pretty(new_value_json) as new_value, jsonb_pretty(old_value_json) as old_value, owner_idfrom cloudflare_user_audit_log lwhere actor_email = 'user@domain.com';
select actor_email, actor_type, l.when, json_extract(action, '$.type') as action_type, json_extract(action, '$.result') as action_result, new_value_json as new_value, old_value_json as old_value, owner_idfrom cloudflare_user_audit_log lwhere actor_email = 'user@domain.com';
Get all the activities performed on a particular resource
This query allows you to monitor and track all the activities carried out on a specific resource. It is beneficial for auditing purposes, such as identifying unauthorized changes or understanding user behavior.
select actor_email, actor_type, l.when, action ->> 'type' as action_type, action ->> 'result' as action_result, jsonb_pretty(new_value_json) as new_value, jsonb_pretty(old_value_json) as old_value, owner_idfrom cloudflare_user_audit_log lwhere resource ->> 'id' = 'abcd13dcd91e9755b20ea5883fdd59ac';
select actor_email, actor_type, l.when, json_extract(action, '$.type') as action_type, json_extract(action, '$.result') as action_result, new_value_json as new_value, old_value_json as old_value, owner_idfrom cloudflare_user_audit_log lwhere json_extract(resource, '$.id') = 'abcd13dcd91e9755b20ea5883fdd59ac';
Get all the activities performed on DNS records
Explore the actions performed on DNS records to gain insights into user activity and monitor changes. This can help in identifying unusual behavior or unauthorized modifications, enhancing the security and integrity of your DNS records.
select actor_email, actor_type, l.when, action ->> 'type' as action_type, action ->> 'result' as action_result, jsonb_pretty(new_value_json) as new_value, jsonb_pretty(old_value_json) as old_value, owner_idfrom cloudflare_user_audit_log lwhere resource ->> 'type' = 'DNS_record';
select actor_email, actor_type, l.when, json_extract(action, '$.type') as action_type, json_extract(action, '$.result') as action_result, new_value_json as new_value, old_value_json as old_value, owner_idfrom cloudflare_user_audit_log lwhere json_extract(resource, '$.type') = 'DNS_record';
Schema for cloudflare_user_audit_log
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
action | jsonb | The action that was taken. | |
actor_email | text | = | Email of the actor. |
actor_id | text | Unique identifier of the actor in Cloudflare’s system. | |
actor_ip | text | = | Physical network address of the actor. |
actor_type | text | Type of user that started the audit trail. | |
id | text | = | Unique identifier of an audit log. |
metadata | jsonb | Additional audit log-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by ResourceType. | |
new_value | text | Contains the new value for the audited item. | |
new_value_json | jsonb | Contains the new value for the audited item in JSON format. | |
old_value | text | Contains the old value for the audited item. | |
old_value_json | jsonb | Contains the old value for the audited item in JSON format. | |
owner_id | text | The identifier of the user that was acting or was acted on behalf of. If a user did the action themselves, this value will be the same as the ActorID. | |
resource | jsonb | Target resource the action was performed on. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
user_id | text | =, !=, ~~, ~~*, !~~, !~~* | ID of the current user. |
when | timestamp with time zone | >, >=, <, <=, = | When the change happened. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare
You can pass the configuration to the command with the --config
argument:
steampipe_export_cloudflare --config '<your_config>' cloudflare_user_audit_log