
Cloudflare Zero Trust

This integration is part of the Cloudflare Zero Trust Pack.

Supported versions

Supported Cortex XSOAR versions: 8.4.0 and later.

Cloudflare provides network and security products for consumers and businesses, utilizing reverse proxies for web traffic, edge computing, and a content distribution network to provide content across its network of servers. This integration was integrated and tested with version 1 of Cloudflare Zero Trust.

Authorization

Two authorization types are supported:

  • API Token - Requires generating an account or a user API token.
  • Global API Key (Legacy) - Requires retrieving the global API key and finding the associated Email address.

Refer to the integration help section for detailed instructions on how to obtain the required credentials.

Token Permissions

The API Token authorization method requires an access token with the following permissions:

  • Account - Account Settings - Read
  • Account - Access: Audit Logs - Read

Note: It is recommended to use an account token (instead of a user token) to set up this integration.

Configure Cloudflare Zero Trust in Cortex

| Parameter | Required | Additional Info |
| --- | --- | --- |
| Server URL | True | The base URL for the Cloudflare API (e.g., https://api.cloudflare.com). |
| Account ID | True | Obtain from the Account Overview page. |
| Trust any certificate (not secure) | False | |
| Use system proxy settings | False | |
| Authorization Type | True | Possible values are: API Token, Global API Key (Legacy). Default value is Global API Key (Legacy). |
| API Token | False | Obtain from the Cloudflare API Tokens page. |
| API Email | False | Obtain from the Cloudflare Profile page. |
| Global API Key | False | Obtain from the Cloudflare API Tokens page. |
| Event types to fetch | True | Specify the types of events to fetch. Possible values are: Account Audit Logs, User Audit Logs, and Access Authentication Logs. |
| Maximum number of account audit logs per fetch | False | |
| Maximum number of user audit logs per fetch | False | |
| Maximum number of access authentication logs per fetch | False | |
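
The following is an added example, not part of the integration's own code: it shows how the two authorization types map to Cloudflare API v4 request headers, and lints an instance configuration for the settings this page marks as legacy or not secure. The dictionary keys reuse the display names from the parameter table (the integration's internal parameter names are not shown here, so they are an assumption), and all credential values are constructed placeholders.

```python
from urllib.parse import urlparse

# Keys mirror the display names in the parameter table; the integration's
# internal parameter names are not shown on the page, so this dict is hypothetical.
LEGACY = "Global API Key (Legacy)"
TOKEN = "API Token"


def build_auth_headers(params: dict) -> dict:
    """Return the Cloudflare API v4 auth headers for the selected type."""
    auth_type = params.get("Authorization Type", LEGACY)  # documented default
    if auth_type == TOKEN:
        token = params.get("API Token")
        if not token:
            raise ValueError("API Token authorization selected but no token set")
        return {"Authorization": f"Bearer {token}"}
    if auth_type == LEGACY:
        email, key = params.get("API Email"), params.get("Global API Key")
        if not (email and key):
            raise ValueError("Global API Key authorization needs both email and key")
        return {"X-Auth-Email": email, "X-Auth-Key": key}
    raise ValueError(f"Unknown Authorization Type: {auth_type!r}")


def audit_config(params: dict) -> list:
    """Return hardening findings for an instance configuration."""
    findings = []
    if params.get("Authorization Type", LEGACY) == LEGACY:
        findings.append("legacy-global-key: not scoped; use an API token limited "
                        "to the two Read permissions under Token Permissions")
    if params.get("Trust any certificate (not secure)", False):
        findings.append("tls-verification-disabled: credentials are sent "
                        "without validating the server certificate")
    if urlparse(params.get("Server URL", "")).scheme != "https":
        findings.append("server-url-not-https")
    return findings


# Constructed sample configurations (placeholder credentials, not real values).
weak = {"Server URL": "https://api.cloudflare.com", "Account ID": "ACCOUNT_ID",
        "Trust any certificate (not secure)": True,
        "API Email": "soc@example.com", "Global API Key": "PLACEHOLDER_KEY"}
hardened = {"Server URL": "https://api.cloudflare.com", "Account ID": "ACCOUNT_ID",
            "Authorization Type": TOKEN, "API Token": "PLACEHOLDER_TOKEN"}

if __name__ == "__main__":
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(name, sorted(build_auth_headers(cfg)), audit_config(cfg))
```

Note that `weak` omits Authorization Type on purpose: the documented default then selects the Global API Key, which is why the first finding fires.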

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cloudflare-zero-trust-get-events


Gets events from Cloudflare Zero Trust.

Base Command

cloudflare-zero-trust-get-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The number of events to return per type. Default is 10. | Optional |
| should_push_events | If true, the command will create events, otherwise it will only display them. Possible values are: true, false. Default is false. | Optional |
| start_date | The start date from which to filter events. | Optional |
| event_types_to_fetch | Comma-separated list of event types to fetch. Possible values are: Account Audit Logs, User Audit Logs, Access Authentication Logs. Default is Account Audit Logs,User Audit Logs. | Optional |

Context Output

There is no context output for this command.