Analytics Release Notes

We are updating naming related to some of our Networking products to better clarify their place in the Zero Trust and Secure Access Service Edge (SASE) journey.
We are retiring some older brand names in favor of names that describe exactly what the products do within your network. We are doing this to help customers build better, clearer mental models for comprehensive SASE architecture delivered on Cloudflare.

What’s changing

• Magic WAN -> Cloudflare WAN
• Magic WAN IPsec -> Cloudflare IPsec
• Magic WAN GRE -> Cloudflare GRE
• Magic WAN Connector -> Cloudflare One Appliance
• Magic Firewall -> Cloudflare Network Firewall
• Magic Network Monitoring -> Network Flow
• Magic Cloud Networking -> Cloudflare One Multi-cloud Networking

No action is required by you; all functionality, existing configurations, and billing will remain exactly the same.

For more information, visit the
Cloudflare One documentation.

Radar now includes content type insights

Radar now includes content type insights for AI bot and crawler traffic. The new content_type dimension and filter shows the distribution of content types returned to AI crawlers, grouped by MIME type category.

The content type dimension and filter are available via the following API endpoints

• /ai/bots/summary/content_type
• /ai/bots/timeseries_groups/content_type

Content type categories

• HTML - Web pages (text/html)
• Images - All image formats (image/*)
• JSON - JSON data and API responses (application/json, *+json)
• JavaScript - Scripts (application/javascript, text/javascript)
• CSS - Stylesheets (text/css)
• Plain Text - Unformatted text (text/plain)
• Fonts - Web fonts (font/, application/font-)
• XML - XML documents and feeds (text/xml, application/xml, application/rss+xml, application/atom+xml)
• YAML - Configuration files (text/yaml, application/yaml)
• Video - Video content and streaming (video/*, application/ogg, *mpegurl)
• Audio - Audio content (audio/*)
• Markdown - Markdown documents (text/markdown)
• Documents - PDFs, Office documents, ePub, CSV (application/pdf, application/msword, text/csv)
• Binary - Executables, archives, WebAssembly (application/octet-stream, application/zip, application/wasm)
• Serialization - Binary API formats (application/protobuf, application/grpc, application/msgpack)
• Other - All other content types

Additionally, individual bot information pages ↗ now display content type distribution for AI crawlers that exist in both the Verified Bots and AI Bots datasets.

Check out the AI Insights page ↗ to explore the data.

What’s new

• Configurable match thresholds: Users can set a minimum match score (starting at 75%) when creating a logo query to capture subtle variations or high-quality impersonations.
• Visual match scores: Allow users to see the exact percentage of the match directly in the results table, highlighted with color-coded lozenges to indicate severity.
• Direct logo previews: Available in the Cloudflare dashboard — similar to string matches — to verify infringements at a glance.

Key benefits

• Expose sophisticated impersonators who use slightly altered logos to bypass basic detection filters.
• Faster triage of the most relevant threats immediately using visual indicators, reducing the time spent manually reviewing matches.

Ready to protect your visual identity? Learn more in our Brand Protection documentation.

Identifying threat actors can be challenging, because naming conventions often vary across the security industry. To simplify your research, Cloudflare Threat Events now include an Also known as field, providing a list of common aliases and industry-standard names for the groups we track.

This new field is available in both the Cloudflare dashboard and via the API. In the dashboard, you can view these aliases by expanding the event details side panel (under the Attacker field) or by adding it as a column in your configurable table view.

Key benefits

• Easily map Cloudflare-tracked actors to the naming conventions used by other vendors without manual cross-referencing.
• Quickly identify if a detected threat actor matches a group your team is already monitoring via other intelligence feeds.

For more information on how to access this data, refer to the Threat Events API documentation 1.

Network Services dashboard update

The Network Services menu structure in Cloudflare's dashboard has been updated to reflect solutions and capabilities instead of product names. This will make it easier for you to find what you need and better reflects how our services work together.

Your existing configurations will remain the same, and you will have access to all of the same features and functionality.

The changes visible in your dashboard may vary based on the products you use. Overall, changes relate to Magic Transit, Magic WAN, and Magic Firewall.

Summary of changes

• A new Overview page provides access to the most common tasks across Magic Transit and Magic WAN.
• Product names have been removed from top-level navigation.
• Magic Transit and Magic WAN configuration is now organized under Routes and Connectors. For example, you will find IP Prefixes under Routes, and your GRE/IPsec Tunnels under Connectors.
• Magic Firewall policies are now called Firewall Policies.
• Magic WAN Connectors and Connector On-Ramps are now referenced in the dashboard as Appliances and Appliance profiles. They can be found under Connectors > Appliances.
• Network analytics, network health, and real-time analytics are now available under Insights.
• Packet Captures are found under Insights > Diagnostics.
• You can manage your Sites from Insights > Network health.
• You can find Magic Network Monitoring under Insights > Network flow.

If you would like to provide feedback, complete this form. You can also find these details in the January 7, 2026 email titled [FYI] Upcoming Network Services Dashboard Navigation Update.

We have expanded the reporting capabilities of the Cloudflare URL Scanner. In addition to existing JSON and HAR exports, users can now generate and download a PDF report directly from the Cloudflare dashboard. This update streamlines how security analysts can share findings with stakeholders who may not have access to the Cloudflare dashboard or specialized tools to parse JSON and HAR files.

Key Benefits

• Consolidate scan results, including screenshots, security signatures, and metadata, into a single, portable document
• Easily share professional-grade summaries with non-technical stakeholders or legal teams for faster incident response

What’s new

• PDF Export Button: A new download option is available in the URL Scanner results page within the Cloudflare dashboard
• Unified Documentation: Access all scan details—from high-level summaries to specific security flags—in one offline-friendly file

To get started with the URL Scanner and explore our reporting capabilities, visit the URL Scanner API documentation ↗.

We are excited to announce that Cloudflare Threat Events now supports the STIX2 (Structured Threat Information Expression) format. This was a highly requested feature designed to streamline how security teams consume and act upon our threat intelligence.

By adopting this industry-standard format, you can now integrate Cloudflare's threat events data more effectively into your existing security ecosystem.

Key benefits

• Eliminate the need for custom parsers, as STIX2 allows for "out of the box" ingestion into major Threat Intel Platforms (TIPs), SIEMs, and SOAR tools.
• STIX2 provides a standardized way to represent relationships between indicators, sightings, and threat actors, giving your analysts a clearer picture of the threat landscape.

For technical details on how to query events using this format, please refer to our Threat Events API Documentation ↗.

You can now use the HAVING clause and LIKE pattern matching operators in Workers Analytics Engine

Workers Analytics Engine allows you to ingest and store high-cardinality data at scale and query your data through a simple SQL API.

Filtering using HAVING

The HAVING clause complements the WHERE clause by enabling you to filter groups based on aggregate values. While WHERE filters rows before aggregation, HAVING filters groups after aggregation is complete.

You can use HAVING to filter groups where the average exceeds a threshold:

SELECT
  blob1 AS probe_name,
  avg(double1) AS average_temp
FROM temperature_readings
GROUP BY probe_name
HAVING average_temp > 10

You can also filter groups based on aggregates such as the number of items in the group:

SELECT
  blob1 AS probe_name,
  count() AS num_readings
FROM temperature_readings
GROUP BY probe_name
HAVING num_readings > 100

Pattern matching using LIKE

The new pattern matching operators enable you to search for strings that match specific patterns using wildcard characters:

• LIKE - case-sensitive pattern matching
• NOT LIKE - case-sensitive pattern exclusion
• ILIKE - case-insensitive pattern matching
• NOT ILIKE - case-insensitive pattern exclusion

Pattern matching supports two wildcard characters: % (matches zero or more characters) and _ (matches exactly one character).

You can match strings starting with a prefix:

SELECT
  *
FROM logs
WHERE blob1 LIKE 'error%'

You can also match file extensions (case-insensitive):

SELECT
  *
FROM requests
WHERE blob2 ILIKE '%.jpg'

Another example is excluding strings containing specific text:

SELECT
  *
FROM events
WHERE blob3 NOT ILIKE '%debug%'

Ready to get started?

Learn more about the HAVING clause or pattern matching operators in the Workers Analytics Engine SQL reference documentation.

Radar introduces HTTP Origins insights

providing visibility into the status of traffic between Cloudflare's global network and cloud-based origin infrastructure.

The new Origins API provides provides the following endpoints:

• /origins - Lists all origins (cloud providers and associated regions).
• /origins/{origin} - Retrieves information about a specific origin (cloud provider).
• /origins/timeseries - Retrieves normalized time series data for a specific origin, including the following metrics:
  • REQUESTS: Number of requests
  • CONNECTION_FAILURES: Number of connection failures
  • RESPONSE_HEADER_RECEIVE_DURATION: Duration of the response header receive
  • TCP_HANDSHAKE_DURATION: Duration of the TCP handshake
  • TCP_RTT: TCP round trip time
  • TLS_HANDSHAKE_DURATION: Duration of the TLS handshake
• /origins/summary - Retrieves HTTP requests to origins summarized by a dimension.
• /origins/timeseries_groups - Retrieves timeseries data for HTTP requests to origins grouped by a dimension.

The following dimensions are available for the summary and timeseries_groups endpoints:

• region: Origin region
• success_rate: Success rate of requests (2XX versus 5XX response codes)
• percentile: Percentiles of metrics listed above

Additionally, the Annotations and Traffic Anomalies APIs have been extended to support origin outages and anomalies, enabling automated detection and alerting for origin infrastructure issues.

Check out the new Radar page ↗.