The legitimate http CONNECT request/domain will be mapped to the x-http-connect-host field, while the attacking host/domain will be mapped to cs-host filed, in the access log.
Domain fronting is when the HTTP Host header or TCP port differs from the Host in the URL. For example:
CONNECT http://www.example.com/ HTTP/1.0
In the case above, www.example.com would be mapped to the x-http-connect-host field, while www.adifferentsite.com would be mapped to the cs-host filed.
Reference Doc. for Domain Fronting Detection: https://knowledge.broadcom.com/external/article/173281/domain-fronting-attack-detection-feature.html