turbot/cloudflare
steampipe plugin install cloudflare

Table: cloudflare_user_audit_log - Query Cloudflare User Audit Logs using SQL

Cloudflare User Audit Log is a feature within Cloudflare that allows you to monitor and track user activities and changes within your Cloudflare account. It provides a comprehensive and searchable log of all actions performed by users, helping to identify potential security issues and ensure compliance. Cloudflare User Audit Log is an essential tool for maintaining visibility and control over your Cloudflare account.

Table Usage Guide

The cloudflare_user_audit_log table provides insights into user activities and changes within Cloudflare. As a security analyst, explore detailed logs through this table, including the actions performed, the user who performed them, and the time of the action. Utilize it to monitor user behavior, identify potential security issues, and ensure compliance with security policies.

Examples

Basic info

Explore the recent changes made by users in your Cloudflare account. This query helps you monitor user activity, providing insights into what modifications were made, when, and by whom, enhancing your account's security and accountability.

select
actor_email,
actor_type,
l.when,
action ->> 'type' as action_type,
action ->> 'result' as action_result,
jsonb_pretty(new_value_json) as new_value,
jsonb_pretty(old_value_json) as old_value,
owner_id
from
cloudflare_user_audit_log l;
select
actor_email,
actor_type,
l.when,
json_extract(action, '$.type') as action_type,
json_extract(action, '$.result') as action_result,
new_value_json as new_value,
old_value_json as old_value,
owner_id
from
cloudflare_user_audit_log l;

Get all the users' activities in the last 10 days

Explore the recent activities of all users in the past 10 days. This allows for a comprehensive review of user actions, helping to identify any unusual patterns or potential security concerns.

select
actor_email,
actor_type,
l.when,
action ->> 'type' as action_type,
action ->> 'result' as action_result,
jsonb_pretty(new_value_json) as new_value,
jsonb_pretty(old_value_json) as old_value,
owner_id
from
cloudflare_user_audit_log l
where
l.when > now() - interval '10' day;
select
actor_email,
actor_type,
l.when,
json_extract(action, '$.type') as action_type,
json_extract(action, '$.result') as action_result,
new_value_json as new_value,
old_value_json as old_value,
owner_id
from
cloudflare_user_audit_log l
where
l.when > datetime('now', '-10 day');

Get all the users' activities for a particular timeline

Explore the user activity within a specific timeframe to gain insights into their actions and results. This is beneficial for auditing purposes, understanding user behavior, and identifying any unusual or suspicious activity.

select
actor_email,
actor_type,
l.when,
action ->> 'type' as action_type,
action ->> 'result' as action_result,
jsonb_pretty(new_value_json) as new_value,
jsonb_pretty(old_value_json) as old_value,
owner_id
from
cloudflare_user_audit_log l
where
l.when > '2023-06-04'
and l.when < '2023-06-07';
select
actor_email,
actor_type,
l.when,
json_extract(action, '$.type') as action_type,
json_extract(action, '$.result') as action_result,
new_value_json as new_value,
old_value_json as old_value,
owner_id
from
cloudflare_user_audit_log l
where
l.when > '2023-06-04'
and l.when < '2023-06-07';

Get all the activities of a particular user

Explore the actions of a specific user to gain insights into their activities and changes made. This can assist in auditing user behavior, identifying potential security risks, and ensuring compliance with company policies.

select
actor_email,
actor_type,
l.when,
action ->> 'type' as action_type,
action ->> 'result' as action_result,
jsonb_pretty(new_value_json) as new_value,
jsonb_pretty(old_value_json) as old_value,
owner_id
from
cloudflare_user_audit_log l
where
actor_email = 'user@domain.com';
select
actor_email,
actor_type,
l.when,
json_extract(action, '$.type') as action_type,
json_extract(action, '$.result') as action_result,
new_value_json as new_value,
old_value_json as old_value,
owner_id
from
cloudflare_user_audit_log l
where
actor_email = 'user@domain.com';

Get all the activities performed on a particular resource

This query allows you to monitor and track all the activities carried out on a specific resource. It is beneficial for auditing purposes, such as identifying unauthorized changes or understanding user behavior.

select
actor_email,
actor_type,
l.when,
action ->> 'type' as action_type,
action ->> 'result' as action_result,
jsonb_pretty(new_value_json) as new_value,
jsonb_pretty(old_value_json) as old_value,
owner_id
from
cloudflare_user_audit_log l
where
resource ->> 'id' = 'abcd13dcd91e9755b20ea5883fdd59ac';
select
actor_email,
actor_type,
l.when,
json_extract(action, '$.type') as action_type,
json_extract(action, '$.result') as action_result,
new_value_json as new_value,
old_value_json as old_value,
owner_id
from
cloudflare_user_audit_log l
where
json_extract(resource, '$.id') = 'abcd13dcd91e9755b20ea5883fdd59ac';

Get all the activities performed on DNS records

Explore the actions performed on DNS records to gain insights into user activity and monitor changes. This can help in identifying unusual behavior or unauthorized modifications, enhancing the security and integrity of your DNS records.

select
actor_email,
actor_type,
l.when,
action ->> 'type' as action_type,
action ->> 'result' as action_result,
jsonb_pretty(new_value_json) as new_value,
jsonb_pretty(old_value_json) as old_value,
owner_id
from
cloudflare_user_audit_log l
where
resource ->> 'type' = 'DNS_record';
select
actor_email,
actor_type,
l.when,
json_extract(action, '$.type') as action_type,
json_extract(action, '$.result') as action_result,
new_value_json as new_value,
old_value_json as old_value,
owner_id
from
cloudflare_user_audit_log l
where
json_extract(resource, '$.type') = 'DNS_record';

Schema for cloudflare_user_audit_log

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
actionjsonbThe action that was taken.
actor_emailtext=Email of the actor.
actor_idtextUnique identifier of the actor in Cloudflare’s system.
actor_iptext=Physical network address of the actor.
actor_typetextType of user that started the audit trail.
idtext=Unique identifier of an audit log.
metadatajsonbAdditional audit log-specific information. Metadata is organized in key:value pairs. Key and Value formats can vary by ResourceType.
new_valuetextContains the new value for the audited item.
new_value_jsonjsonbContains the new value for the audited item in JSON format.
old_valuetextContains the old value for the audited item.
old_value_jsonjsonbContains the old value for the audited item in JSON format.
owner_idtextThe identifier of the user that was acting or was acted on behalf of. If a user did the action themselves, this value will be the same as the ActorID.
resourcejsonbTarget resource the action was performed on.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
user_idtext=, !=, ~~, ~~*, !~~, !~~*ID of the current user.
whentimestamp with time zone>, >=, <, <=, =When the change happened.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- cloudflare

You can pass the configuration to the command with the --config argument:

steampipe_export_cloudflare --config '<your_config>' cloudflare_user_audit_log