Cloudflare
Integration version: 2.0
Product Use Cases
Perform enrichment of entities
Configure Cloudflare integration in Google Security Operations
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | https://api.cloudflare.com | Yes | API root of the Cloudflare instance. |
API Token | Password | N/A | Yes | API Token of the Cloudflare instance. |
Account Name | String | N/A | Yes | Name of the account that needs to be used in the integration. |
Verify SSL | Checkbox | Checked | No | If enabled, verifies that the SSL certificate for the connection to the Cloudflare server is valid. |
How to configure token
- Go to Profile Settings and click API Tokens.
- Navigate to Create Token > Create Custom Token and select the following permissions:
Account | Account WAF | Read |
Account | Rule Policies | Read |
Account | Account Filter Lists | Edit |
Account | Account Firewall Access | Edit |
Account | DNS Firewall | Read |
Account | Account Settings | Read |
Zone | Zone WAF | Edit |
Zone | Zone Settings | Read |
Zone | Zone | Read |
Zone | Logs | Read |
Zone | Firewall Services | Edit |
Zone | Firewall Services | Read |
Zone | Analytics | Read |
Actions
Add IP To Rule List
Description
Add IP addresses to the rule list in Cloudflare. Supported Entities: IP Address.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Rule Name | String | N/A | Yes | Specify the name of the rule list to which you want to add rule list items. |
Description | String | N/A | No | Specify a description for the newly added rule list items. |
Run on
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "result": {
    "operation_id": "f16b978552ca49f88b36fe628de31142"
  },
  "success": true,
  "errors": [],
  "messages": []
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported for one entity (is_success=true): "Successfully added the following entities to the {name} rule list in Cloudflare: {entity.identifier}." If not successful for one entity (is_success=true): "Action wasn't able to add the following entities to the {name} rule list in Cloudflare: {entity.identifier}." If not successful for all (is_success=false): "None of the provided entities were added to the {name} rule list." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add IP To Rule List". Reason: {0}".format(error.Stacktrace) If the list is not found: "Error executing action "Add IP To Rule List". Reason: rule list {name} wasn't found in Cloudflare." If the list is not of the valid kind: "Error executing action "Add IP To Rule List". Reason: rule list {name} is not of type "IP"." | General |
Add URL To Rule List
Description
Add URLs to the rule list in Cloudflare. Supported Entities: URL.
Parameters
301
Possible Values:
- 301
- 302
- 307
- 308
Run on
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "result": {
    "operation_id": "f16b978552ca49f88b36fe628de31142"
  },
  "success": true,
  "errors": [],
  "messages": []
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported for one entity (is_success=true): "Successfully added the following entities to the {name} rule list in Cloudflare: {entity.identifier}." If not successful for one entity (is_success=true): "Action wasn't able to add the following entities to the {name} rule list in Cloudflare: {entity.identifier}." If not successful for all entities (is_success=false): "None of the provided entities were added to the {name} rule list." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add URL To Rule List". Reason: {0}".format(error.Stacktrace) If the list is not found: "Error executing action "Add URL To Rule List". Reason: rule list {name} wasn't found in Cloudflare." If the list is not of the valid kind: "Error executing action "Add URL To Rule List". Reason: rule list {name} is not of type "Redirect"." | General |
Create Firewall Rule
Description
Create a firewall rule in Cloudflare.
Parameters
Block
Possible Values:
- Allow
- Block
- Bypass
- Log
- Legacy CAPTCHA
- Managed Challenge
- JS Challenge
Specify the action for the firewall rule.
If "Block" is selected, you need to provide values in the "Products" parameter.
Specify a comma-separated list of products for the firewall rule.
Note: This parameter is only mandatory if "Bypass" is selected for the "Action" parameter.
Possible values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf
Specify a reference tag for the firewall rule.
Note: It can only be up to 50 characters long.
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "id": "b520c154bdeb4fe2a1f647b2c6b35829",
  "paused": false,
  "description": "Blocks traffic identified during investigation for MIR-31",
  "action": "block",
  "priority": 50,
  "filter": {
    "id": "fc6dfad848c24a42ae5be0114db09fb9",
    "expression": "(ip.geoip.continent eq \"ASIA\")",
    "paused": false
  },
  "created_on": "2022-07-25T11:19:22Z",
  "modified_on": "2022-07-25T11:19:22Z",
  "index": 0
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully created a new firewall rule in "{zone_name}" zone in Cloudflare." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Create Firewall Rule". Reason: {0}".format(error.Stacktrace) If the errors list is not empty: "Error executing action "Create Firewall Rule". Reason: {0}".format(errors/message) If the zone is not found: "Error executing action "Create Firewall Rule". Reason: zone {zone_name} wasn't found in Cloudflare." | General |
Create Rule List
Description
Create a rule list in Cloudflare.
Parameters
IP Address
Possible Values:
- IP Address
- Redirect
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "id": "d19589d629f140c0b961c467feadf99d",
  "name": "123",
  "kind": "ip",
  "num_items": 0,
  "description": "description",
  "num_referencing_filters": 0,
  "created_on": "2022-07-25T12:13:46Z",
  "modified_on": "2022-07-25T12:13:46Z"
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully create a rule list in Cloudflare." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Create Rule List". Reason: {0}".format(error.Stacktrace) If the errors list is not empty: "Error executing action "Create Rule List". Reason: {0}".format(errors/message) | General |
Enrich Entities
Description
Enrich entities using information from Cloudflare. Supported Entities: URL, IP, Hostname.
Parameters
N/A
Run on
This action runs on the following entities:
- IP Address
- URL
- Hostname
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
JSON Result for IP Address
{
  "ip": "192.0.2.0",
  "belongs_to_ref": {
    "id": "autonomous-system--2fa28d71-3549-5a38-af05-770b79ad6ea8",
    "value": 13335,
    "type": "hosting_provider",
    "country": "US",
    "description": "CLOUDFLARENET"
  },
  "risk_types": [
    {
      "id": 131,
      "super_category_id": 21,
      "name": "Phishing"
    }
  ]
}
JSON Result for URL
{
  "url": "https://www.cloudflare.com",
  "phishing": false,
  "verified": false,
  "score": 0.99,
  "classifier": "MACHINE_LEARNING_v2"
}
JSON Result for Hostname
{
  "domain": "cloudflare.com",
  "created_date": "2009-02-17",
  "updated_date": "2017-05-24",
  "registrant": "DATA REDACTED",
  "registrant_org": "DATA REDACTED",
  "registrant_country": "United States",
  "registrant_email": "https://domaincontact.cloudflareregistrar.com/cloudflare.com",
  "registrar": "Cloudflare, Inc.",
  "nameservers": [
    "ns3.cloudflare.com",
    "ns4.cloudflare.com",
    "ns5.cloudflare.com",
    "ns6.cloudflare.com",
    "ns7.cloudflare.com"
  ]
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported for one entity (is_success=true): "Successfully enriched the following entities in Cloudflare: {entity.identifier}." If not successful for one entity (is_success=true): "Action wasn't able to enrich the following entities in Cloudflare: {entity.identifier}." If not successful for all entities (is_success=false): "None of the provided entities were enriched." If the 403 status code is reported for IP (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich IPs you need to have "IP Overview" capabilities enabled in the Cloudflare account." If the 403 status code is reported for Hostname (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich domains you need to have "WHOIS" capabilities enabled in the Cloudflare account." If the 403 status code is reported for URL (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich URLs you need to have "Phishing URL Scanner" capabilities enabled in the Cloudflare account." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace) If the 403 status code is reported for all entities (is_success=false): "You need to have "Phishing URL Scanner", "WHOIS" and "IP Overview" capabilities enabled in the Cloudflare account." | General |
List Firewall Rules
Description
List available firewall rules in Cloudflare.
Parameters
Select One
Possible Values:
- Select One
- Name
- ID
- Action
Select One
Possible Values:
- Select one
- Equal
- Contains
Specify the filter logic that should be applied.
The filtering logic is based on the value provided in the "Filter Key" parameter.
Specify the value that should be used in the filter.
If "Equal" is selected, the action tries to find the exact match among results.
If "Contains" is selected, the action tries to find results that contain that substring.
If nothing is provided in this parameter, the filter is not applied.
The filtering logic is based on the value provided in the "Filter Key" parameter.
Specify the number of records to return.
If nothing is provided, the action returns 50 records.
Run on
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "id": "55ec8db30f9e4640b5d0d13cff6b5429",
  "paused": false,
  "description": "rulle2",
  "action": "allow",
  "filter": {
    "id": "2bb05df8c4f547bd9792d8dc38a86b81",
    "expression": "(ip.geoip.country eq \"BG\")",
    "paused": false
  },
  "created_on": "2022-07-05T13:53:39Z",
  "modified_on": "2022-07-05T13:53:39Z"
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If data is available (is_success=true): "Successfully found {item name} for the provided criteria in {product name}". If data is not available (is_success=false): "No {item name} were found for the provided criteria in {product name}" If the "Filter Value" parameter is empty (is_success=true): "The filter was not applied, because parameter "Filter Value" has an empty value." The action should fail and stop a playbook execution: If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" parameter is set to "Equal" or "Contains": "Error executing action "{action name}". Reason: you need to select a field from the "Filter Key" parameter." If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided." If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "{action name}". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table | Table Name: Available {item group} Table Columns: {fields} | General |
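The filter and limit rules described for List Firewall Rules, as an added Python sketch (not the integration's own code). The function name, the mapping of "Name" to the `description` field, and case-insensitive matching are assumptions; the sample rules are trimmed from the JSON results on this page.

```python
DEFAULT_LIMIT = 50  # documented default when "Max Records to Return" is empty
# Assumption: the page does not say which JSON field each "Filter Key" inspects.
FILTER_FIELDS = {"Name": "description", "ID": "id", "Action": "action"}

# Constructed sample, trimmed from the JSON results shown on this page.
SAMPLE_RULES = [
    {"id": "55ec8db30f9e4640b5d0d13cff6b5429", "description": "rulle2", "action": "allow"},
    {"id": "b520c154bdeb4fe2a1f647b2c6b35829", "action": "block",
     "description": "Blocks traffic identified during investigation for MIR-31"},
]


class ActionError(Exception):
    """A condition the page lists under 'fail and stop a playbook execution'."""


def list_firewall_rules(rules, filter_key="Select One", filter_logic="Select One",
                        filter_value="", max_records=None):
    # A filter logic without a filter key is a hard failure, not an empty result.
    if filter_key == "Select One" and filter_logic in ("Equal", "Contains"):
        raise ActionError('you need to select a field from the "Filter Key" parameter.')
    limit = DEFAULT_LIMIT
    if max_records not in (None, ""):
        try:
            limit = int(max_records)
        except (TypeError, ValueError):
            limit = 0
        if limit <= 0:
            raise ActionError('Invalid value was provided for "Max Records to Return".')
    notes, matched = [], list(rules)
    if filter_logic in ("Equal", "Contains"):
        if not filter_value:
            # Empty "Filter Value": everything is returned and the run still succeeds.
            notes.append('The filter was not applied, because parameter '
                         '"Filter Value" has an empty value.')
        else:
            needle = filter_value.lower()  # assumption: case-insensitive comparison
            field = FILTER_FIELDS[filter_key]

            def hit(rule):
                value = str(rule.get(field, "")).lower()
                return value == needle if filter_logic == "Equal" else needle in value

            matched = [r for r in rules if hit(r)]
    return {"is_success": bool(matched), "rules": matched[:limit], "notes": notes}
```

A playbook step that branches on `is_success` should also read the notes: an empty "Filter Value" returns every rule with `is_success=true`, which is easy to mistake for a filtered match.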
Ping
Description
Test connectivity to Cloudflare with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run on
The action doesn't use any of the Google SecOps scope entities, nor has mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the SpyCloud server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the SpyCloud server! Error is {0}".format(exception.stacktrace) If the account is not found: "Failed to connect to the Cloudflare server! Invalid account name was provided. Please check the spelling." | General |
Update Firewall Rule
Description
Update a firewall rule in Cloudflare.
Run on
This action doesn't run on entities.
Parameters
Block
Possible Values:
- Allow
- Block
- Bypass
- Log
- Legacy CAPTCHA
- Managed Challenge
- JS Challenge
Specify the action for the firewall rule.
If "Block" is selected, you need to provide values in the "Products" parameter.
Specify a comma-separated list of products for the firewall rule.
Note: This parameter is only mandatory if "Bypass" is selected for the "Action" parameter.
Possible values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf
Specify a reference tag for the firewall rule.
Note: It can only be up to 50 characters long.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "id": "b520c154bdeb4fe2a1f647b2c6b35829",
  "paused": false,
  "description": "Blocks traffic identified during investigation for MIR-31",
  "action": "block",
  "priority": 50,
  "filter": {
    "id": "fc6dfad848c24a42ae5be0114db09fb9",
    "expression": "(ip.geoip.continent eq \"ASIA\")",
    "paused": false
  },
  "created_on": "2022-07-25T11:19:22Z",
  "modified_on": "2022-07-25T11:19:22Z",
  "index": 0
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success=true): "Successfully updated a firewall rule in "{zone_name}" zone in Cloudflare." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Update Firewall Rule". Reason: {0}".format(error.Stacktrace) If the errors list is not empty: "Error executing action "Update Firewall Rule". Reason: {0}".format(errors/message) If the zone is not found: "Error executing action "Update Firewall Rule". Reason: zone {zone_name} wasn't found in Cloudflare." | General |