Cloudflare

Integration version: 2.0

Product Use Cases

Perform enrichment of entities

Configure Cloudflare integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https://api.cloudflare.com Yes API root of the Cloudflare instance.
API Token Password N/A Yes API Token of the Cloudflare instance.
Account Name String N/A Yes Name of the account that needs to be used in the integration.
Verify SSL Checkbox Checked No If enabled, verifies that the SSL certificate for the connection to the Cloudflare server is valid.

How to configure token

  1. Go to Profile Settings and click API Tokens.
  2. Navigate to Create Token > Create Custom Token and select the following permissions:
Account Account WAF Read
Account Rule Policies Read
Account Account Filter Lists Edit
Account Account Firewall Access Edit
Account DNS Firewall Read
Account Account Settings Read
Zone Zone WAF Edit
Zone Zone Settings Read
Zone Zone Read
Zone Logs Read
Zone Firewall Services Edit
Zone Firewall Services Read
Zone Analytics Read

List of required
permissions

Actions

Add IP To Rule List

Description

Add IP addresses to the rule list in Cloudflare. Supported Entities: IP Address.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Name String N/A Yes Specify the name of the rule list to which you want to add rule list items.
Description String N/A No Specify a description for the newly added rule list items.

Run on

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "result": {
        "operation_id": "f16b978552ca49f88b36fe628de31142"
    },
    "success": true,
    "errors": [],
    "messages": []
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported for one entity (is_success=true): "Successfully added the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not successful for one entity (is_success=true): "Action wasn't able to add the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not successful for all (is_success=false): "None of the provided entities were added to the {name} rule list."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add IP To Rule List". Reason: {0}''.format(error.Stacktrace)

If the list is not found: "Error executing action "Add IP To Rule List". Reason: rule list {name} wasn't found in Cloudflare.''

If the list is not of the valid kind: "Error executing action "Add IP To Rule List". Reason: rule list {name} is not of type "IP"."

General

Add URL To Rule List

Description

Add URLs to the rule list in Cloudflare. Supported Entities: URL.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Name String N/A Yes Specify the name of the rule list to which you want to add rule list items.
Source URL String N/A Yes Specify the source URL for the rule list item.
Description String N/A No Specify a description for the newly added rule list items.
Status Code DDL

301

Possible Values:

  • 301
  • 302
  • 307
  • 308
No Specify the status for the rule list item.
Preserve Query String Checkbox Unchecked No If enabled, the rule list item preserves the query string.
Include Subdomains Checkbox Unchecked No If enabled, the rule list item includes subdomains.
Subpath Matching Checkbox Unchecked No If enabled, the rule list item matches the subpath.
Preserve Path Suffix Checkbox Unchecked No If enabled, the rule list item preserves the path suffix.

Run on

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "result": {
        "operation_id": "f16b978552ca49f88b36fe628de31142"
    },
    "success": true,
    "errors": [],
    "messages": []
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code for one entity (is_success=true): "Successfully added the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not successful for one entity (is_success=true): "Action wasn't able to add the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not success for all entities (is_success=false): "None of the provided entities were added to the {name} rule list."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add URL To Rule List". Reason: {0}''.format(error.Stacktrace)

If the list is not found: "Error executing action "Add URL To Rule List". Reason: rule list {name} wasn't found in Cloudflare.''

If the list is not of the valid kind: "Error executing action "Add URL To Rule List". Reason: rule list {name} is not of type "Redirect".'

General

Create Firewall Rule

Description

Create a firewall rule in Cloudflare.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Zone Name String N/A Yes Specify the name of the zone, which contains the firewall rule.
Name String N/A No Specify the name for the firewall rule.
Action DDL

Block

Possible Values:

  • Allow
  • Block
  • Bypass
  • Log
  • Legacy CAPTCHA
  • Managed Challenge
  • JS Challenge
No

Specify the action for the firewall rule.

If "Block" is selected, you need to provide values in the "Products" parameter.

Expression String N/A Yes Specify the expression for the firewall rule.
Products CSV N/A No

Specify a comma-separated list of products for the firewall rule.

Note: This parameter is only mandatory, if "Bypass" is selected for the "Action" parameter.

Possible values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf

Priority Integer N/A No Specify the priority for the firewall rule.
Reference Tag String N/A No

Specify a reference tag for the firewall rule.

Note: It can only be up to 50 characters long.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
        {
            "id": "b520c154bdeb4fe2a1f647b2c6b35829",
            "paused": false,
            "description": "Blocks traffic identified during investigation for MIR-31",
            "action": "block",
            "priority": 50,
            "filter": {
                "id": "fc6dfad848c24a42ae5be0114db09fb9",
                "expression": "(ip.geoip.continent eq \"ASIA\")",
                "paused": false
            },
            "created_on": "2022-07-25T11:19:22Z",
            "modified_on": "2022-07-25T11:19:22Z",
            "index": 0
        }
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully created a new firewall rule in "{zone_name}" zone in Cloudflare.".

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Create Firewall Rule". Reason: {0}''.format(error.Stacktrace)

If the errors list is not empty: "Error executing action "Create Firewall Rule". Reason: {0}''.format(errors/message)

If the zone is not found: "Error executing action "Create Firewall Rule". Reason: zone {zone_name} wasn't found in Cloudflare.''

General

Create Rule List

Description

Create a rule list in Cloudflare.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name for the rule list.
Type DDL

IP Address

Possible Values:

  • IP Address
  • Redirect
No Specify the type for the rule list.
Description String N/A No Specify the description for the rule list.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": "d19589d629f140c0b961c467feadf99d",
    "name": "123",
    "kind": "ip",
    "num_items": 0,
"description": "description",
    "num_referencing_filters": 0,
    "created_on": "2022-07-25T12:13:46Z",
    "modified_on": "2022-07-25T12:13:46Z"
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success = true): "Successfully create a rule list in Cloudflare."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Create Rule List". Reason: {0}''.format(error.Stacktrace)

If the errors list is not empty: "Error executing action "Create Rule List". Reason: {0}''.format(errors/message)

General

Enrich Entities

Description

Enrich entities using information from Cloudflare. Supported Entities: URL, IP, Hostname.

Parameters

N/A

Run on

This action runs on the following entities:

  • IP Address
  • URL
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
JSON Result for IP Address
{
    "ip": "192.0.2.0",
    "belongs_to_ref": {
      "id": "autonomous-system--2fa28d71-3549-5a38-af05-770b79ad6ea8",
      "value": 13335,
      "type": "hosting_provider",
      "country": "US",
      "description": "CLOUDFLARENET"
    },
    "risk_types": [
      {
        "id": 131,
        "super_category_id": 21,
        "name": "Phishing"
      }
    ]
}
JSON Result for URL
{
    "url": "https://www.cloudflare.com",
    "phishing": false,
    "verified": false,
    "score": 0.99,
    "classifier": "MACHINE_LEARNING_v2"
}
JSON Result for Hostname
{
    "domain": "cloudflare.com",
    "created_date": "2009-02-17",
    "updated_date": "2017-05-24",
    "registrant": "DATA REDACTED",
    "registrant_org": "DATA REDACTED",
    "registrant_country": "United States",
    "registrant_email": "https://domaincontact.cloudflareregistrar.com/cloudflare.com",
    "registrar": "Cloudflare, Inc.",
    "nameservers": [
      "ns3.cloudflare.com",
      "ns4.cloudflare.com",
      "ns5.cloudflare.com",
      "ns6.cloudflare.com",
      "ns7.cloudflare.com"
    ]
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported for one entity (is_success=true): "Successfully enriched the following entities in Cloudflare: {entity.identifier}."

If not successful for one entity (is_success=true): "Action wasn't able to enrich the following entities in Cloudflare: {entity.identifier}."

If not successful for all entities (is_success=false): "None of the provided entities were enriched."

If the 403 status code is reported for IP (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich IPs you need to have "IP Overview" capabilities enabled in the Cloudflare account."

If the 403 status code is reported for Hostname

(if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich domains you need to have "WHOIS" capabilities enabled in the Cloudflare account."

If the 403 status code is reported for URL (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich URLs you need to have "Phishing URL Scanner" capabilities enabled in the Cloudflare account."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

If the 403 status code is reported for all entities (is_success=false): "You need to have "Phishing URL Scanner", "WHOIS" and "IP Overview" capabilities enabled in the Cloudflare account."

General

List Firewall Rules

Description

List available firewall rules in Cloudflare.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Zone Name String N/A Yes Specify the name of the zone, which will contain the firewall rule.
Filter Key DDL

Select One

Possible Values:

  • Select One
  • Name
  • ID
  • Action
No Specify the key that needs to be used to filter {item type}.
Filter Logic DDL

Select One

Possible Values:

  • Select one
  • Equal
  • Contains
No

Specify the filter logic that should be applied.

The filtering logic is based on the value provided in the "Filter Key" parameter.

Filter Value String N/A No

Specify the value that should be used in the filter.

If "Equal" is selected, the action tries to find the exact match among results.

If "Contains" is selected, the action tries to find results that contain that substring.

If nothing is provided in this parameter, the filter is not applied.

The filtering logic is based on the value provided in the "Filter Key" parameter.

Max Records To Return Integer 50 No

Specify the number of records to return.

If nothing is provided, the action returns 50 records.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": "55ec8db30f9e4640b5d0d13cff6b5429",
    "paused": false,
    "description": "rulle2",
    "action": "allow",
    "filter": {
        "id": "2bb05df8c4f547bd9792d8dc38a86b81",
        "expression": "(ip.geoip.country eq \"BG\")",
        "paused": false
    },
    "created_on": "2022-07-05T13:53:39Z",
    "modified_on": "2022-07-05T13:53:39Z"
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully found {item name} for the provided criteria in {product name}".

If data is not available (is_success=false): "No {item name} were found for the provided criteria in {product name}"

If the "Filter Value" parameter is empty (is_success=true):

"The filter was not applied, because parameter "Filter Value" has an empty value."

The action should fail and stop a playbook execution:

If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" parameter is set to "Equal" or "Contains":

"Error executing action "{action name}". Reason: you need to select a field from the "Filter Key" parameter."

If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided."

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "{action name}". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Table Name: Available {item group}

Table Columns: {fields}

General

Ping

Description

Test connectivity to Cloudflare with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

The action doesn't use any of the Google Security Operations SOAR scope entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the SpyCloud server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the SpyCloud server! Error is {0}".format(exception.stacktrace)

If the account is not found: "Failed to connect to the Cloudflare server! Invalid account name was provided. Please check the spelling."

General

Update Firewall Rule

Description

Update a firewall rule in Cloudflare.

Run on

This action doesn't run on entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Name String N/A Yes Specify the name of the rule that needs to be updated.
Zone Name String N/A Yes Specify the name of the zone, which contains the firewall rule.
Action DDL

Block

Possible Values:

  • Allow
  • Block
  • Bypass
  • Log
  • Legacy CAPTCHA
  • Managed Challenge
  • JS Challenge
No

Specify the action for the firewall rule.

If "Block" is selected, you need to provide values in the "Products" parameter.

Expression String N/A Yes Specify the expression for the firewall rule.
Products CSV N/A No

Specify a comma-separated list of products for the firewall rule.

Note: This parameter is only mandatory, if "Bypass" is selected for the "Action" parameter.

Possible values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf

Priority Integer N/A No Specify the priority for the firewall rule.
Reference Tag String N/A No

Specify a reference tag for the firewall rule.

Note: It can only be up to 50 characters long.

Run on

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
        {
            "id": "b520c154bdeb4fe2a1f647b2c6b35829",
            "paused": false,
            "description": "Blocks traffic identified during investigation for MIR-31",
            "action": "block",
            "priority": 50,
            "filter": {
                "id": "fc6dfad848c24a42ae5be0114db09fb9",
                "expression": "(ip.geoip.continent eq \"ASIA\")",
                "paused": false
            },
            "created_on": "2022-07-25T11:19:22Z",
            "modified_on": "2022-07-25T11:19:22Z",
            "index": 0
        }
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully updated a firewall rule in "{zone_name}" zone in Cloudflare."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Firewall Rule". Reason: {0}''.format(error.Stacktrace)

If the errors list is not empty: "Error executing action "Update Firewall Rule". Reason: {0}''.format(errors/message)

If the zone is not found: "Error executing action "Update Firewall Rule". Reason: zone {zone_name} wasn't found in Cloudflare.''

General