Cloudflare Integration Guide

This guide is intended to assist device administrators in configuring their Cloudflare devices to forward logs to the SIEM Collector.

Prerequisites:

To pull logs using the “GET zones/:zone_identifier/logs/received” API endpoint, you must have an Enterprise plan.

1      Create User or Use Existing User for this Integration.

Create a new user with Administrator privileges, or use an existing user, as described at the link below:

https://support.cloudflare.com/hc/en-us/articles/205065067-Setting-up-Multi-User-accounts-on-Cloudflare

2      Create an API Access Token under this User and Assign Permissions.

Below are the steps to create the access token. To perform these steps, log in to Cloudflare with the Administrator account.

  1. Go to “My Profile”
  2. Go to “API Tokens”
  3. Click on Create Token

Give the API token permissions as depicted in the images below:

Please set the TTL as per your company policy; we recommend keeping it for at least one year.

Note: Once the token expires, we need to generate a new token by rolling the token.

  4. Click the Copy button and securely save the token obtained in the step below.

3      Allow access to the API URL from the Event Collector.

Below is the communication matrix to allow the URL for Cloudflare API:

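| ID# | From - Event Collector | To - Cloudflare | Port | Protocol | Description | Service Required For |
|-----|------------------------|-----------------|------|----------|-------------|----------------------|
| 1 | X.X.X.X | api.cloudflare.com | 443 | TCP | REST API | 1. It is required to provide configuration updates to the WinCollect agent and to use WinCollect in connected mode. |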
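The following check is an added example, not part of the original guide. Run from the Event Collector, it confirms that TCP/443 to api.cloudflare.com is open and that the token from step 2 is active and not close to its TTL, using Cloudflare's token verification endpoint. The CF_API_TOKEN variable name, the 30-day warning threshold and the sample response are assumptions made for illustration.

```python
import json, os, sys
import urllib.error, urllib.request
from datetime import datetime, timezone

VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"

# Constructed sample of a verify response (placeholder values, not real data).
SAMPLE = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": {"id": "00000000000000000000000000000000", "status": "active",
               "expires_on": "2025-06-30T00:00:00Z"},
})

def build_verify_request(token):
    """GET request carrying the API token as a Bearer credential."""
    return urllib.request.Request(
        VERIFY_URL, headers={"Authorization": f"Bearer {token}"})

def assess_token(body, now, warn_days=30):
    """Return (state, days_left) for a verify response body.
    state is one of 'invalid', 'expired', 'expiring', 'ok'."""
    doc = json.loads(body)
    result = doc.get("result") or {}
    if not doc.get("success") or result.get("status") != "active":
        return "invalid", None
    expires_on = result.get("expires_on")
    if not expires_on:                      # token was created without a TTL
        return "ok", None
    expiry = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
    days_left = (expiry - now).days
    if days_left < 0:
        return "expired", days_left
    return ("expiring" if days_left <= warn_days else "ok"), days_left

if __name__ == "__main__":
    token = os.environ.get("CF_API_TOKEN")  # assumed variable name
    if not token:
        sys.exit("set CF_API_TOKEN in the environment")
    try:
        with urllib.request.urlopen(build_verify_request(token), timeout=10) as r:
            body = r.read().decode()
    except urllib.error.HTTPError as e:     # API reachable, token rejected
        sys.exit(f"API rejected the token: HTTP {e.code}")
    except urllib.error.URLError as e:      # TCP/443 to the API is not allowed
        sys.exit(f"cannot reach api.cloudflare.com:443: {e.reason}")
    state, days = assess_token(body, datetime.now(timezone.utc))
    print(f"token state={state} days_left={days}")
    sys.exit(0 if state == "ok" else 1)
```

Scheduling this on the collector and alerting on a non-zero exit gives advance notice to roll the token before log collection stops.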

 

4      References

Cloudflare Guides:

https://support.cloudflare.com/hc/en-us/articles/205065067-Setting-up-Multi-User-accounts-on-Cloudflare

https://support.cloudflare.com/hc/en-us/articles/200167836-Managing-API-Tokens-and-Keys