What is Cloudflare Zero Trust DLP?
I summarized this in an earlier article, so please refer to it.
DLP Forensic Copy
On November 1, 2024, DLP Forensic Copy became newly available.
Instead of partial logging based on pattern matching, the entire request can be recorded as a log, which helps with security investigations when something happens.
Send entire HTTP requests to a Logpush destination
In addition to logging the payload from HTTP requests that matched a DLP policy in Cloudflare Logs, Enterprise users can now configure a Logpush job to send the entire HTTP request that triggered a DLP match to a storage destination. This allows long-term storage of full requests for use in forensic investigation.
HTTP POST test
Using HTTPS Post - DLP Test, I test with the following setup.
Log
The following log is output.
{
"AccountID": "xx",
"Datetime": "2024-12-16T15:53:53Z",
"ForensicCopyID": "f5d7a6aaa12f41dda029e6f903bb2ab7",
"GatewayRequestID": "2471c6212f0000fd4aa64d5400000001",
"Headers": {
"content-type": "multipart/form-data; boundary=----WebKitFormBoundary7zFbehQbTITWJA9M"
},
"Payload": "LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5N3pGYmVoUWJUSVRXSkE5TQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmcm1fYWN0aW9uIg0KDQpjcmVhdGUNCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeTd6RmJlaFFiVElUV0pBOU0NCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iZm9ybV9pZCINCg0KMg0KLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5N3pGYmVoUWJUSVRXSkE5TQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmcm1faGlkZV9maWVsZHNfMiINCg0KDQotLS0tLS1XZWJLaXRGb3JtQm91bmRhcnk3ekZiZWhRYlRJVFdKQTlNDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImZvcm1fa2V5Ig0KDQpuZHFvag0KLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5N3pGYmVoUWJUSVRXSkE5TQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJpdGVtX21ldGFbMF0iDQoNCg0KLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5N3pGYmVoUWJUSVRXSkE5TQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmcm1fc3VibWl0X2VudHJ5XzIiDQoNCjJmMWVjOTBiZDQNCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeTd6RmJlaFFiVElUV0pBOU0NCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iX3dwX2h0dHBfcmVmZXJlciINCg0KL2h0dHBzLXBvc3QvDQotLS0tLS1XZWJLaXRGb3JtQm91bmRhcnk3ekZiZWhRYlRJVFdKQTlNDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9Iml0ZW1fbWV0YVs2XSINCg0K44GK44Gv44KI44GG44GU44GW44GE44G+44GZ44CB44GT44KT44Gr44Gh44Gv44CB44GT44KT44Gw44KT44GvDQrjgojjgo3jgZfjgY/jgYrpoZjjgYTjgZfjgb7jgZnjgIINCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeTd6RmJlaFFiVElUV0pBOU0NCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0iaXRlbV9rZXkiDQoNCg0KLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5N3pGYmVoUWJUSVRXSkE5TQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmcm1fXzY1M2Q1YjAzMjY0YjAiDQoNCg0KLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5N3pGYmVoUWJUSVRXSkE5TQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmcm1fc3RhdGUiDQoNCkl4d092L0taUThoelkxcmd0Mi9rUGQveWpJWlRSYnk1OVhidStoOW1tQkE9DQotLS0tLS1XZWJLaXRGb3JtQm91bmRhcnk3ekZiZWhRYlRJVFdKQTlNLS0NCg==",
"Phase": "request",
"TriggeredRuleID": "7a8e0617-0153-420b-b87c-f9a58f5474ad"
}
Decoding the Payload
To inspect the Payload, it has to be base64-decoded.
Payload
Type: string
Captured request/response data, base64-encoded.
Decoding it with base64 -D (the macOS flag; GNU coreutils uses base64 -d), I was able to confirm every POSTed string from the log.
% cat dlp_forensic_copies.json | jq -r .Payload | base64 -D
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="frm_action"
create
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="form_id"
2
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="frm_hide_fields_2"
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="form_key"
ndqoj
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="item_meta[0]"
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="frm_submit_entry_2"
2f1ec90bd4
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="_wp_http_referer"
/https-post/
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="item_meta[6]"
おはようございます、こんにちは、こんばんは
よろしくお願いします。
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="item_key"
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="frm__653d5b03264b0"
------WebKitFormBoundary7zFbehQbTITWJA9M
Content-Disposition: form-data; name="frm_state"
IxwOv/KZQ8hzY1rgt2/kPd/yjIZTRby59Xbu+h9mmBA=
------WebKitFormBoundary7zFbehQbTITWJA9M--
PDF upload test
Using HTTPS Post - DLP Test, I test a PDF upload as follows.
Log
The following log is output.
{
"AccountID": "xxx",
"Datetime": "2024-12-16T16:11:10Z",
"ForensicCopyID": "925a21f813be4b209d7ea18d26646229",
"GatewayRequestID": "2471d5f76d0000fd4aa886e400000001",
"Headers": {
"content-type": "multipart/form-data; boundary=----WebKitFormBoundaryaQM7tBA1Sdw8Dejt"
},
"Payload": "(base64-encoded payload omitted)",
"Phase": "request",
"TriggeredRuleID": "7a8e0617-0153-420b-b87c-f9a58f5474ad"
}
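Decoding the Payload
There are several sites that can convert Base64 to PDF online.
To decode locally instead, which keeps the captured data off third-party sites, create a JavaScript script that converts base64 to a PDF file, as follows.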
#!/usr/bin/env node
// Reads base64 text from stdin and writes the decoded bytes to dlp_forensic_copies.pdf.
const fs = require('fs');

let data = '';
process.stdin.setEncoding('utf8');
process.stdin.on('data', function (chunk) {
  data += chunk;
});
process.stdin.on('end', function () {
  console.log("DATA:\n" + data + "\nEND DATA");
  // Decode straight to a Buffer so the binary content is written byte for byte.
  const bin = Buffer.from(data, 'base64');
  fs.writeFile('dlp_forensic_copies.pdf', bin, error => {
    if (error) {
      throw error;
    } else {
      console.log('dlp_forensic_copies.pdf saved!');
    }
  });
});
After that, the following commands convert the Payload in the log back into the original PDF file.
cat dlp_forensic_copies_2.json | jq -r .Payload | ./base64_to_pdf.js
open dlp_forensic_copies.pdf
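Both log records above carry a multipart/form-data content-type in Headers, and the decoded HTTP POST test shows that the Payload is the complete form body. The following added example (not from the original article) splits a record's Payload into its form parts, so an uploaded file can be recovered without the surrounding boundary and part headers. extractParts and the sample record are hypothetical names constructed for illustration, and the example assumes the PDF record's Payload has the same layout.

```javascript
// Added example: split a DLP Forensic Copy Payload into its multipart parts.
// Headers and Payload are the field names from the logs on this page;
// extractParts and the sample record below are constructed for illustration.
function extractParts(record) {
  const ctype = record.Headers['content-type'] || '';
  const m = /boundary=(?:"([^"]+)"|([^;\s]+))/i.exec(ctype);
  if (!m) throw new Error('no multipart boundary in content-type');
  const delim = Buffer.from('--' + (m[1] || m[2]), 'latin1');
  const body = Buffer.from(record.Payload, 'base64'); // raw bytes, binary-safe
  const parts = [];
  let pos = body.indexOf(delim);
  while (pos !== -1) {
    const start = pos + delim.length;
    // "--" directly after the delimiter marks the closing boundary.
    if (body.slice(start, start + 2).toString('latin1') === '--') break;
    const next = body.indexOf(delim, start);
    if (next === -1) break; // truncated capture: drop the incomplete tail
    // Layout: CRLF, part headers, CRLF CRLF, data, CRLF, next delimiter.
    const headEnd = body.indexOf('\r\n\r\n', start);
    if (headEnd !== -1 && headEnd < next) {
      const head = body.slice(start + 2, headEnd).toString('utf8');
      const name = /\bname="([^"]*)"/i.exec(head);
      const filename = /\bfilename="([^"]*)"/i.exec(head);
      parts.push({
        name: name ? name[1] : null,
        filename: filename ? filename[1] : null,
        data: body.slice(headEnd + 4, next - 2), // Buffer of the part's bytes
      });
    }
    pos = next;
  }
  return parts;
}

// Constructed sample record: one text field and one small binary file part.
const boundary = '----ExampleBoundary123';
const pdfBytes = Buffer.from([0x25, 0x50, 0x44, 0x46, 0x2d, 0x00, 0xff, 0x0d, 0x0a]);
const sampleBody = Buffer.concat([
  Buffer.from(`--${boundary}\r\nContent-Disposition: form-data; name="comment"\r\n\r\nこんにちは\r\n`),
  Buffer.from(`--${boundary}\r\nContent-Disposition: form-data; name="upload"; filename="report.pdf"\r\n` +
    'Content-Type: application/pdf\r\n\r\n'),
  pdfBytes,
  Buffer.from(`\r\n--${boundary}--\r\n`),
]);
const sampleRecord = {
  Headers: { 'content-type': `multipart/form-data; boundary=${boundary}` },
  Payload: sampleBody.toString('base64'),
};
```

With a real log line, pass the result of JSON.parse to extractParts; the part whose filename is set holds the uploaded file's bytes in data, ready to be written out with fs.writeFileSync.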
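Summary
By using Cloudflare Zero Trust DLP, I confirmed that the data employees exchange within a company can be stored as logs.
Beyond HTTP request attributes and the partial view that pattern matching gives, the data and files that were used can be kept in the logs as they are, which makes it possible to meet future investigation and audit requirements.
For requirements where all evidence must be retained, the Enterprise plan's DLP Forensic Copy can be used in this way.
However, since all data equivalent to attachments will be stored, you will probably need to provision more capacity than for ordinary logs.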