SourcesSource TypesCloudflareAccess Requests

Cloudflare Access Requests

Cloudflare Access Requests logs capture authentication and authorization events from Cloudflare Zero Trust Access. These logs provide visibility into user login attempts, application access patterns, and policy enforcement decisions across your organization’s applications and resources.

Ingest Methods

Setup the ingestion of this source using one of the following guides.

If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.

arn:aws:sns:<REGION>:253602268883:runreveal_cf_access_requests
⚠️

SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.

Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883.

Setup

Setting up Cloudflare Access Request logs requires the use of Cloudflare Logpush.

Navigate to the Logpush setup page in your Cloudflare account and create a new logpush job that sends your access request logs to your storage bucket.

Once created Cloudflare will begin to push logs to your bucket and RunReveal will start to ingest them.

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: cf_access_requests_logs (15 columns)

ColumnType
ActionString
AllowedBool
AppDomainString
AppUUIDString
ConnectionString
CountryString
PurposeJustificationPromptString
PurposeJustificationResponseString
RayIDString
TemporaryAccessApproversArrayRaw
TemporaryAccessDurationInt
CreatedAtUnknown
EmailUnknown
IPAddressUnknown
UserUIDUnknown
HTTPConductorOne