Why Raw Logs Alone Are Not Enough
In modern cybersecurity, a single alert is rarely the full story. Attackers don't just knock on the front door — they probe APIs, flood networks with noise, and attempt to slide through applications using stolen credentials. To stop these multi-vector attacks, you need the full picture.
Cloudflare Log Explorer now integrates 14 new datasets covering the entire surface of Cloudflare's Application Services and Cloudflare One portfolios. This gives security analysts the ability to correlate telemetry from application-layer HTTP requests, network-layer DDoS and Firewall logs, and Zero Trust Access events — significantly reducing Mean Time to Detect (MTTD) and unmasking sophisticated, multi-layered attacks.
Reference: This analysis is based on the official Cloudflare blog post on investigating multi-vector attacks in Log Explorer. See the original source for the full announcement and dataset details.
The Flight Recorder for Your Entire Stack
Think of Log Explorer as a centralized flight recorder. Every interaction — every HTTP request, DNS query, firewall block, and Zero Trust authentication — is captured at Cloudflare's edge before it even reaches your infrastructure.
Key Datasets for Security Forensics
| Focus Area | Dataset | What It Reveals |
|---|---|---|
| Application Layer | HTTP Requests | Primary record of all app-layer traffic: session activity, exploit attempts, bot patterns |
| Firewall Events | Blocked/challenged threats, WAF rules, IP reputation hits | |
| DNS Logs | Cache poisoning, domain hijacking, infrastructure reconnaissance | |
| Network Layer | Network Analytics | Volumetric DDoS attacks, traffic spikes at packet level |
| Magic IDS Detections | Signature-based alerts for known exploit patterns (Nmap scans, SYN stealth scans) | |
| Spectrum Events | L4 traffic anomalies for non-web apps (SSH, RDP, gaming) | |
| Zero Trust & Internal | Access Requests | Identity-based authentication events — who accessed which internal app |
| Gateway DNS/HTTP/Network | Shadow IT, malware callbacks, lateral movement, protocol anomalies | |
| Audit Logs | Configuration changes in Cloudflare dashboard | |
| Email & Endpoint | Email Security Alerts | Phishing attempts, malicious email activity at the gateway |
| Device Posture Results | Security health of connecting devices | |
| Browser Isolation Logs | User actions inside isolated sessions (copy-paste, file uploads) |
Practical Query: Identify Reconnaissance
Attackers use scanners to find entry points. Use this SQL query to detect suspicious probing:
SELECT ClientIP, COUNT(*) AS request_count, ARRAY_AGG(DISTINCT EdgeResponseStatus) AS status_codes
FROM http_requests
WHERE date = '2026-02-22'
AND EdgeResponseStatus IN (401, 403, 404)
GROUP BY ClientIP
HAVING request_count > 50
ORDER BY request_count DESC
Then pivot to magic_ids_detections for network-layer scanning signatures:
SELECT SourceIP, SignatureMessage, COUNT(DISTINCT DestinationPort) AS ports_scanned
FROM magic_ids_detections
WHERE date = '2026-02-22'
AND SourceIP = 'INSERT_SUSPICIOUS_IP'
GROUP BY SourceIP, SignatureMessage
Correlating Across Datasets: Real Attack Scenarios
The real power of Log Explorer comes from cross-dataset correlation. Here are three common attack chains and how to investigate them.
Scenario 1: Session Hijacking (Token Theft)
A user authenticates via Cloudflare Access, but their subsequent HTTP traffic looks like a bot.
Step 1: Identify high-risk sessions in http_requests:
SELECT RayID, ClientIP, ClientRequestUserAgent, BotScore
FROM http_requests
WHERE date = '2026-02-22'
AND BotScore < 20
LIMIT 100
Step 2: Copy the RayID and search access_requests to see which user account is associated:
SELECT Email, IPAddress, Allowed
FROM access_requests
WHERE date = '2026-02-22'
AND RayID = 'INSERT_RAY_ID_HERE'
Scenario 2: Post-Phishing C2 Beaconing
An employee clicked a phishing link, and their workstation now queries a known malicious domain.
Step 1: Find phishing emails:
SELECT Timestamp, ThreatCategories, To, AlertReason
FROM email_security_alerts
WHERE date = '2026-02-22'
AND ThreatCategories LIKE 'phishing'
Step 2: Correlate the user's email to their IP via Access logs:
SELECT Email, IPAddress
FROM access_requests
WHERE date = '2026-02-22'
Step 3: Find internal IPs querying the malicious domain in gateway_dns:
SELECT SrcIP, QueryName, DstIP
FROM gateway_dns
WHERE date = '2026-02-22'
AND SrcIP = 'INSERT_IP_FROM_PREVIOUS_QUERY'
AND QueryName LIKE '%malicious_domain_name%'
Scenario 3: Lateral Movement (Access → Network Probing)
A user logs in via Zero Trust and then tries to scan the internal network.
Step 1: Find successful logins from unexpected locations:
SELECT IPAddress, Email, Country
FROM access_requests
WHERE date = '2026-02-22'
AND Allowed = true
AND Country != 'US' -- Replace with your HQ country
Step 2: Check if that IP triggers network-level signatures:
SELECT SignatureMessage, DestinationIP, Protocol
FROM magic_ids_detections
WHERE date = '2026-02-22'
AND SourceIP = 'INSERT_IP_ADDRESS_HERE'
Limitations & Caveats
- Ingestion Latency: Even with the 55% P99 improvement, logs are not real-time. There is still a delay of seconds to minutes for data to become queryable.
- Schema Complexity: With 14+ datasets, knowing which fields to query requires familiarity. Cloudflare provides documentation, but expect a learning curve.
- Cost: Log Explorer is a paid add-on. Usage-based pricing may surprise teams running heavy queries across large datasets.
- Third-Party Data: While the architecture supports custom schemas, ingesting non-Cloudflare logs is not yet generally available.
Next Steps
- Start with a single dataset —
http_requestsis the richest. Build a baseline of normal traffic patterns. - Enable the new datasets in your Cloudflare dashboard under Logs > Log Explorer.
- Practice cross-dataset queries using the scenarios above. The Tabs feature lets you run multiple queries simultaneously.
- Automate detection — Cloudflare has announced scheduled queries (coming soon) to run these investigations on a recurring basis.
If you're new to Cloudflare's security ecosystem, check out this related guide on building interactive demos with CodePen slideVars — a different angle on browser-based tooling, but equally practical for security UI prototypes.
And for a broader perspective on native browser APIs that can improve security tooltips, read our insight on the Native Popover API.
Conclusion: From Noise to Narrative
Multi-vector attacks are the new normal. Cloudflare Log Explorer transforms raw telemetry from 14+ datasets into a coherent investigation narrative. By correlating HTTP requests, firewall events, DNS queries, Zero Trust access logs, and email security alerts, analysts can trace the full attack chain — from reconnaissance to exfiltration — in a single pane of glass.
The architectural shift to schema-driven ingestion means this platform is future-proof: ready to accept custom data sources as they become available. For now, start with the built-in datasets, practice the queries above, and turn your log data into a proactive defense weapon.