ztna-success
POC progress dashboard

test customer

Cloudflare Zero Trust · owner dror@globaldots.com · status scoping · 50 test users · target 2026-05-14

Customer share link
https://ztna-success.globaldots.net/s/sh_6v9erq7vsd2s294n4qqy
Overall: 0 / 13 criteria passed
POC phase: 0 / 11 (what the customer validates)
Project kickoff: 0 / 2 (runs post-signing)

SIEM setup

observability · Not started · Project kickoff · must have

Access, security, and admin-change events stream to the customer's SIEM with documented fields and retention meeting policy. Alerts can be built off the stream.

Test procedure — Cloudflare Zero Trust · Cloudflare Logpush → Splunk / Sentinel / Datadog / S3 / Google Cloud / generic HTTP
Vendor pack default (read-only):
1. Create Logpush jobs for Access, Gateway DNS, Gateway HTTP, Audit, WARP, and DNS Firewall (as applicable) to the target SIEM.
2. Trigger representative events: successful login, denied login, blocked URL, policy change.
3. Confirm events arrive in the SIEM within the documented delivery window and parse against the published schema.
4. Confirm admin-change events appear in the Audit stream.
5. Validate that retention matches the customer's policy (Logpush supplies the events; retention is configured on the SIEM side).
Pass threshold: All enabled event types arrive in the SIEM with expected fields parsed; admin-change events are present; delivery meets Cloudflare's documented timing.
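Added example, not part of the vendor pack: a check for steps 3 and 4 of the procedure above, run over JSON lines read back from the SIEM. It flags lines that fail to parse against the expected fields or arrive outside the delivery window, and confirms the representative events (allowed login, denied login, an admin change in the Audit stream) were seen. The field names for the access_requests and audit_logs datasets, the five-minute window and the sample lines are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Field names assumed from Cloudflare's published Logpush schemas; confirm against your datasets.
REQUIRED_FIELDS = {
    "access_requests": {"Action", "Allowed", "AppDomain", "Email", "CreatedAt", "RayID"},
    "audit_logs": {"ActionType", "ActionResult", "ActorEmail", "ResourceType", "When"},
}
TIMESTAMP_FIELD = {"access_requests": "CreatedAt", "audit_logs": "When"}
DELIVERY_WINDOW = timedelta(minutes=5)  # assumption; substitute the documented window

def check_event(dataset, line, received_at):
    """Return the problems found for one JSON line as it landed in the SIEM."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable JSON"]
    problems = []
    missing = REQUIRED_FIELDS[dataset] - event.keys()
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    ts = event.get(TIMESTAMP_FIELD[dataset])  # RFC 3339, e.g. 2026-05-01T10:00:00Z
    if ts and received_at - datetime.fromisoformat(ts.replace("Z", "+00:00")) > DELIVERY_WINDOW:
        problems.append("delivered outside the delivery window")
    return problems

def evaluate_stream(dataset, lines, received_at):
    """Check every line, then confirm the representative events were seen
    (allowed and denied login for Access; at least one admin change for Audit)."""
    problems, parsed = {}, []
    for i, line in enumerate(lines):
        found = check_event(dataset, line, received_at)
        if found:
            problems[i] = found
        else:
            parsed.append(json.loads(line))
    if dataset == "access_requests":
        coverage = {"allowed": any(e["Allowed"] for e in parsed), "denied": any(not e["Allowed"] for e in parsed)}
    else:
        coverage = {"admin_change": bool(parsed)}
    return {"problems": problems, "coverage": coverage, "passed": not problems and all(coverage.values())}

# Constructed sample lines (not customer data), as read back from the SIEM at RECEIVED_AT.
RECEIVED_AT = datetime(2026, 5, 1, 10, 2, tzinfo=timezone.utc)
ACCESS_LINES = [
    '{"Action":"login","Allowed":true,"AppDomain":"app.example.com","Email":"u1@example.com","CreatedAt":"2026-05-01T10:00:00Z","RayID":"r1"}',
    '{"Action":"login","Allowed":false,"AppDomain":"app.example.com","Email":"u2@example.com","CreatedAt":"2026-05-01T10:01:00Z","RayID":"r2"}',
    '{"Action":"login","Allowed":true,"AppDomain":"app.example.com","CreatedAt":"2026-05-01T09:30:00Z","RayID":"r3"}',  # no Email, and late
]
AUDIT_LINES = ['{"ActionType":"policy_update","ActionResult":"success","ActorEmail":"admin@example.com","ResourceType":"access_policy","When":"2026-05-01T10:01:10Z"}']
```

Point it at an export from the SIEM search for each Logpush job; a non-empty `problems` map or a `False` in `coverage` is a failed step 3 or 4.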

Alerts and notifications

operations · Not started · Project kickoff · should have

Critical events (tunnel down, cert expiry, policy change, quota breach, security incident) produce alerts to the right channel (email, Slack, webhook, PagerDuty) — no waiting for a user to report the outage.

Test procedure — Cloudflare Zero Trust · Cloudflare Notifications (account-wide, filtered by product/event) → Email / Webhook / PagerDuty / Slack (via webhook)
Vendor pack default (read-only):
1. In Notifications, create policies for at least three critical event types: tunnel health, WARP client health / posture, Access policy changes, certificate expiry.
2. Route each policy to the chosen channel (email / webhook / PagerDuty).
3. Trigger each event (stop a tunnel replica for tunnel-health, change a policy to test admin-change).
4. Confirm each notification arrives on the expected channel within the vendor's documented timing.
5. Adjust filters to reduce noise; confirm only intended events still alert.
Pass threshold: Each configured alert fires on the correct event, reaches the target channel within documented SLA, and can be tuned without losing signal.