Cloudflare Email Security with Google SecOps
This document explains how to integrate Cloudflare Email Security (formerly Area 1) with Google Security Operations (Google SecOps).
Integration version: 5.0
Integration parameters
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the instance that you intend to configure the integration for. |
| Description | String | N/A | No | Description of the instance. |
| Api Root | String | https://HOST:PORT | Yes | Address of the Area 1 instance. |
| Username | String | N/A | Yes | The email address of the user to use to connect to Area 1. |
| Password | Password | N/A | Yes | The password of that user. |
| Verify SSL | Checkbox | Checked | No | Select this checkbox if your Area 1 connection requires SSL verification. |
| Run Remotely | Checkbox | Unchecked | No | Select this checkbox to run the configured integration remotely. Once selected, the option to select the remote user (agent) appears. |
Actions
Get Recent Indicators
Get recent malicious indicators from Cloudflare Email Security that can be related to phishing.
Parameters
| Parameter | Type | Default value | Description |
|---|---|---|---|
| Seconds Back | String | N/A | N/A |
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| Is_Success | True/False | Is_Success:False |
JSON result
```json
[
  {
    "threat_categories": [
      {
        "classification_disposition": ["Unclassified"]
      }
    ],
    "threat_name": "Microsoft Favicon Impersonation",
    "item_name": "example.com/nc_assets/css/12/",
    "item_type": "url",
    "first_seen": 1550127499097,
    "last_seen": 1550134395800
  },
  {
    "threat_categories": [
      {
        "category": ["Universal"],
        "threat_type": ["Actor Tool"],
        "classification_disposition": ["Unclassified"]
      }
    ],
    "threat_name": "Area 1 Identified Malicious",
    "item_name": "e039e82c00e4ae0ddc92908c705350ec",
    "item_type": "filehash",
    "first_seen": 1550125103575,
    "last_seen": 1550125103575
  }
]
```
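The following added example (not part of the integration or of Cloudflare's or Google's code) shows one way to post-process the Get Recent Indicators JSON result: it converts the epoch-millisecond `first_seen`/`last_seen` values to UTC, tolerates records whose `threat_categories` entry lacks `category` or `threat_type`, and groups indicators by `item_type`. The function names are hypothetical, and the sample input is constructed from the records shown above.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the two records from the JSON result above.
SAMPLE = json.loads("""[
 {"threat_categories": [{"classification_disposition": ["Unclassified"]}],
  "threat_name": "Microsoft Favicon Impersonation",
  "item_name": "example.com/nc_assets/css/12/", "item_type": "url",
  "first_seen": 1550127499097, "last_seen": 1550134395800},
 {"threat_categories": [{"category": ["Universal"],
                         "threat_type": ["Actor Tool"],
                         "classification_disposition": ["Unclassified"]}],
  "threat_name": "Area 1 Identified Malicious",
  "item_name": "e039e82c00e4ae0ddc92908c705350ec", "item_type": "filehash",
  "first_seen": 1550125103575, "last_seen": 1550125103575}
]""")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def ms_to_utc(ms):
    """Timestamps are epoch milliseconds; integer math avoids float rounding."""
    return EPOCH + timedelta(milliseconds=ms)

def normalize(record):
    """Flatten one indicator; category sub-keys are lists and may be absent."""
    cats = record.get("threat_categories") or []
    def merged(key):
        return sorted({v for c in cats for v in c.get(key, [])})
    return {
        "indicator": record["item_name"],
        "type": record["item_type"],
        "threat_name": record.get("threat_name", ""),
        "category": merged("category"),
        "threat_type": merged("threat_type"),
        "disposition": merged("classification_disposition"),
        "first_seen": ms_to_utc(record["first_seen"]).isoformat(),
        "last_seen": ms_to_utc(record["last_seen"]).isoformat(),
    }

def group_by_type(records):
    """Bucket normalized indicators by item_type (url, filehash, ...)."""
    grouped = defaultdict(list)
    for item in map(normalize, records):
        grouped[item["type"]].append(item)
    return dict(grouped)

if __name__ == "__main__":
    print(json.dumps(group_by_type(SAMPLE), indent=2))
```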
Ping
Test the connectivity to Cloudflare Email Security.
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Search Indicator
Search for indicators in Cloudflare Email Security by hash, URL, domain, IP address, or email address.
Run on
This action runs on all entities.
Action results
Entity enrichment
| Enrichment field name | Logic - When to apply |
|---|---|
| AREA1_category | Returns if it exists in JSON result |
| AREA1_threat_type | Returns if it exists in JSON result |
| AREA1_classification_disposition | Returns if it exists in JSON result |
| AREA1_confidence_rating | Returns if it exists in JSON result |
| AREA1_intervals | Returns if it exists in JSON result |
| AREA1_value | Returns if it exists in JSON result |
| AREA1_type | Returns if it exists in JSON result |
| AREA1_name | Returns if it exists in JSON result |
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
```json
[
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "indicator"
  },
  {
    "EntityResult": "red",
    "Entity": "tlp"
  },
  {
    "EntityResult": 80,
    "Entity": "overall_confidence"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "name"
  },
  {
    "EntityResult": [
      {
        "category": ["Universal"],
        "threat_type": ["Actor Tool"],
        "classification_disposition": ["Unclassified"]
      }
    ],
    "Entity": "threat_categories"
  },
  {
    "EntityResult": "drizzle",
    "Entity": "author"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "filehash"
  },
  {
    "EntityResult": 1550125103522,
    "Entity": "first_detected"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "Hash_SHA1"
  },
  {
    "EntityResult": "Area 1 Identified Malicious",
    "Entity": "threat_name"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "query_term"
  },
  {
    "EntityResult": "MAICIOUS",
    "Entity": "disposition"
  },
  {
    "EntityResult": "file",
    "Entity": "family"
  },
  {
    "EntityResult": [
      {
        "category": "Indicator Category",
        "confidence_rating": 80,
        "intervals": [
          {
            "start": 1550120952000,
            "end": "current"
          }
        ],
        "value": "Universal"
      }
    ],
    "Entity": "tag_histories"
  },
  {
    "EntityResult": 1550125103522,
    "Entity": "first_seen"
  },
  {
    "EntityResult": [
      {
        "type": "Hash_MD5",
        "name": "e412341be78003526999f77e8728526e"
      },
      {
        "type": "Hash_SHA256",
        "name": "61f006012d2bd7f43bc14ecbeb6a7e690f9d68b4b6b396dab5805be2da75c717"
      }
    ],
    "Entity": "aliases"
  },
  {
    "EntityResult": "Hash_SHA1",
    "Entity": "type"
  },
  {
    "EntityResult": 1550120950000,
    "Entity": "last_seen"
  }
]
```
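The following added example (not part of the integration or of Cloudflare's or Google's code) turns the Search Indicator result, a list of `Entity`/`EntityResult` pairs, into a dictionary and extracts every hash form of the indicator from `type`, `name`, and `aliases` for use in follow-up searches. The function names are hypothetical, the sample is a constructed subset of the result above, and treating an interval with `"end": "current"` as still open is an assumption.

```python
import json

# Constructed sample: a subset of the Entity/EntityResult pairs shown above.
SAMPLE = json.loads("""[
 {"Entity": "type", "EntityResult": "Hash_SHA1"},
 {"Entity": "name", "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481"},
 {"Entity": "overall_confidence", "EntityResult": 80},
 {"Entity": "aliases", "EntityResult": [
   {"type": "Hash_MD5", "name": "e412341be78003526999f77e8728526e"},
   {"type": "Hash_SHA256", "name":
    "61f006012d2bd7f43bc14ecbeb6a7e690f9d68b4b6b396dab5805be2da75c717"}]},
 {"Entity": "tag_histories", "EntityResult": [
   {"category": "Indicator Category", "confidence_rating": 80,
    "intervals": [{"start": 1550120952000, "end": "current"}],
    "value": "Universal"}]}
]""")

def pivot(pairs):
    """Turn [{"Entity": k, "EntityResult": v}, ...] into {k: v}."""
    out = {}
    for pair in pairs:
        key, value = pair["Entity"], pair["EntityResult"]
        if key in out and out[key] != value:
            # Do not silently overwrite: a repeated key with a new value is a data problem.
            raise ValueError(f"conflicting values for {key!r}")
        out[key] = value
    return out

def hash_pivots(result):
    """Every hash form of the indicator: the queried type plus its aliases."""
    candidates = [{"type": result.get("type"), "name": result.get("name")}]
    candidates += result.get("aliases", [])
    return {c["type"]: c["name"].lower() for c in candidates
            if isinstance(c.get("type"), str) and c["type"].startswith("Hash_")
            and isinstance(c.get("name"), str)}

def open_tags(result):
    """(value, confidence_rating) for tags with an interval ending in "current"."""
    tags = []
    for tag in result.get("tag_histories", []):
        if any(i.get("end") == "current" for i in tag.get("intervals", [])):
            tags.append((tag.get("value"), tag.get("confidence_rating")))
    return tags

if __name__ == "__main__":
    result = pivot(SAMPLE)
    print(hash_pivots(result))
    print(open_tags(result))
```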

