Cloudflare Email Security with Google SecOps
This document explains how to integrate Cloudflare Email Security (formerly Area 1) with Google Security Operations (Google SecOps).
Integration version: 5.0
Integration parameters
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Use the following parameters to configure the integration:
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for. |
Description | String | N/A | No | Description of the instance. |
Api Root | String | https://HOST:PORT | Yes | Address of the Area 1 instance. |
Username | String | N/A | Yes | The email address of the user to connect to Area 1 with. |
Password | Password | N/A | Yes | The password of that user. |
Verify SSL | Checkbox | Checked | No | Select this checkbox if your Area 1 connection requires SSL verification. |
Run Remotely | Checkbox | Unchecked | No | Select this checkbox to run the configured integration remotely. Once selected, an option appears to choose the remote user (agent). |
Actions
Get Recent Indicators
Get recent malicious indicators from Cloudflare Email Security that can be related to phishing.
Parameters
Parameter | Type | Default value | Description |
---|---|---|---|
Seconds Back | String | N/A | N/A |
Run on
This action runs on all entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
Is_Success | True/False | Is_Success:False |
JSON result
[
  {
    "threat_categories": [
      {
        "classification_disposition": ["Unclassified"]
      }
    ],
    "threat_name": "Microsoft Favicon Impersonation",
    "item_name": "example.com/nc_assets/css/12/",
    "item_type": "url",
    "first_seen": 1550127499097,
    "last_seen": 1550134395800
  },
  {
    "threat_categories": [
      {
        "category": ["Universal"],
        "threat_type": ["Actor Tool"],
        "classification_disposition": ["Unclassified"]
      }
    ],
    "threat_name": "Area 1 Identified Malicious",
    "item_name": "e039e82c00e4ae0ddc92908c705350ec",
    "item_type": "filehash",
    "first_seen": 1550125103575,
    "last_seen": 1550125103575
  }
]
Ping
Test the connectivity to Cloudflare Email Security.
Run on
This action runs on all entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
Search Indicator
Search for indicators in Cloudflare Email Security by hash, URL, domain, IP address, or email address.
Run on
This action runs on all entities.
Action results
Entity enrichment
Enrichment field name | Logic - When to apply |
---|---|
AREA1_category | Returns if it exists in JSON result |
AREA1_threat_type | Returns if it exists in JSON result |
AREA1_classification_disposition | Returns if it exists in JSON result |
AREA1_confidence_rating | Returns if it exists in JSON result |
AREA1_intervals | Returns if it exists in JSON result |
AREA1_value | Returns if it exists in JSON result |
AREA1_type | Returns if it exists in JSON result |
AREA1_name | Returns if it exists in JSON result |
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON result
[
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "indicator"
  },
  {
    "EntityResult": "red",
    "Entity": "tlp"
  },
  {
    "EntityResult": 80,
    "Entity": "overall_confidence"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "name"
  },
  {
    "EntityResult": [
      {
        "category": ["Universal"],
        "threat_type": ["Actor Tool"],
        "classification_disposition": ["Unclassified"]
      }
    ],
    "Entity": "threat_categories"
  },
  {
    "EntityResult": "drizzle",
    "Entity": "author"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "filehash"
  },
  {
    "EntityResult": 1550125103522,
    "Entity": "first_detected"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "Hash_SHA1"
  },
  {
    "EntityResult": "Area 1 Identified Malicious",
    "Entity": "threat_name"
  },
  {
    "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
    "Entity": "query_term"
  },
  {
    "EntityResult": "MAICIOUS",
    "Entity": "disposition"
  },
  {
    "EntityResult": "file",
    "Entity": "family"
  },
  {
    "EntityResult": [
      {
        "category": "Indicator Category",
        "confidence_rating": 80,
        "intervals": [
          {
            "start": 1550120952000,
            "end": "current"
          }
        ],
        "value": "Universal"
      }
    ],
    "Entity": "tag_histories"
  },
  {
    "EntityResult": 1550125103522,
    "Entity": "first_seen"
  },
  {
    "EntityResult": [
      {
        "type": "Hash_MD5",
        "name": "e412341be78003526999f77e8728526e"
      },
      {
        "type": "Hash_SHA256",
        "name": "61f006012d2bd7f43bc14ecbeb6a7e690f9d68b4b6b396dab5805be2da75c717"
      }
    ],
    "Entity": "aliases"
  },
  {
    "EntityResult": "Hash_SHA1",
    "Entity": "type"
  },
  {
    "EntityResult": 1550120950000,
    "Entity": "last_seen"
  }
]
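The Search Indicator JSON result above arrives as a list of Entity/EntityResult pairs, so a playbook step normally has to fold it into one record before acting on it. The following Python is an added example, not part of the integration: the function names `ms_to_utc` and `summarize`, the trimmed sample and the confidence threshold of 70 are assumptions made here.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the Search Indicator JSON result shown above.
SAMPLE = json.loads("""[
 {"Entity": "indicator", "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481"},
 {"Entity": "tlp", "EntityResult": "red"},
 {"Entity": "overall_confidence", "EntityResult": 80},
 {"Entity": "type", "EntityResult": "Hash_SHA1"},
 {"Entity": "threat_name", "EntityResult": "Area 1 Identified Malicious"},
 {"Entity": "first_seen", "EntityResult": 1550125103522},
 {"Entity": "last_seen", "EntityResult": 1550120950000},
 {"Entity": "tag_histories", "EntityResult": [{"category": "Indicator Category",
   "confidence_rating": 80, "value": "Universal",
   "intervals": [{"start": 1550120952000, "end": "current"}]}]},
 {"Entity": "aliases", "EntityResult": [
   {"type": "Hash_MD5", "name": "e412341be78003526999f77e8728526e"},
   {"type": "Hash_SHA256", "name": "61f006012d2bd7f43bc14ecbeb6a7e690f9d68b4b6b396dab5805be2da75c717"}]}
]""")

def ms_to_utc(ms):
    """Epoch milliseconds -> ISO 8601 UTC string (second precision)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def summarize(pairs, min_confidence=70):  # threshold is an assumed triage policy
    """Fold the Entity/EntityResult pairs into one record for triage."""
    rec = {p["Entity"]: p.get("EntityResult") for p in pairs if "Entity" in p}
    hashes = {}
    if rec.get("indicator"):
        hashes[rec.get("type", "unknown")] = rec["indicator"]
    for alias in rec.get("aliases") or []:  # other hashes of the same file
        hashes[alias["type"]] = alias["name"]
    # A tag is still active when one of its intervals ends with "current".
    active = [t["value"] for t in rec.get("tag_histories") or []
              if any(i.get("end") == "current" for i in t.get("intervals", []))]
    seen = [rec[k] for k in ("first_seen", "last_seen") if isinstance(rec.get(k), int)]
    return {
        "hashes": hashes,
        "threat_name": rec.get("threat_name"),
        "tlp": rec.get("tlp"),
        "active_tags": active,
        # The sample has last_seen earlier than first_seen, so order by value.
        "earliest": ms_to_utc(min(seen)) if seen else None,
        "latest": ms_to_utc(max(seen)) if seen else None,
        "escalate": (rec.get("overall_confidence") or 0) >= min_confidence,
    }
```

Collecting the aliases alongside the queried hash lets a follow-up search cover the MD5, SHA-1 and SHA-256 forms of the same file.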