Cloudflare

Integration version: 1.0

Product Use Cases

Perform enrichment of entities

Configure Cloudflare integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String https://api.cloudflare.com Yes API root of the Cloudflare instance.
API Token Password N/A Yes API Token of the Cloudflare instance.
Account Name String N/A Yes Name of the account that needs to be used in the integration.
Verify SSL Checkbox Checked No If enabled, verifies that the SSL certificate for the connection to the Cloudflare server is valid.

How to configure token

  1. Go to Profile Settings and click API Tokens.
  2. Navigate to Create Token > Create Custom Token and select the following permissions:
       • Account: Account WAF (Read)
       • Account: Rule Policies (Read)
       • Account: Account Filter Lists (Edit)
       • Account: Account Firewall Access (Edit)
       • Account: DNS Firewall (Read)
       • Account: Account Settings (Read)
       • Zone: Zone WAF (Edit)
       • Zone: Zone Settings (Read)
       • Zone: Zone (Read)
       • Zone: Logs (Read)
       • Zone: Firewall Services (Edit)
       • Zone: Firewall Services (Read)
       • Zone: Analytics (Read)

[Figure: List of required permissions]

Actions

Add IP To Rule List

Description

Add IP addresses to the rule list in Cloudflare. Supported Entities: IP Address.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Name String N/A Yes Specify the name of the rule list to which you want to add rule list items.
Description String N/A No Specify a description for the newly added rule list items.

Run on

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "result": {
        "operation_id": "f16b978552ca49f88b36fe628de31142"
    },
    "success": true,
    "errors": [],
    "messages": []
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported for one entity (is_success=true): "Successfully added the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not successful for one entity (is_success=true): "Action wasn't able to add the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not successful for all (is_success=false): "None of the provided entities were added to the {name} rule list."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add IP To Rule List". Reason: {0}".format(error.Stacktrace)

If the list is not found: "Error executing action "Add IP To Rule List". Reason: rule list {name} wasn't found in Cloudflare."

If the list is not of the valid kind: "Error executing action "Add IP To Rule List". Reason: rule list {name} is not of type "IP"."

General

Add URL To Rule List

Description

Add URLs to the rule list in Cloudflare. Supported Entities: URL.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Name String N/A Yes Specify the name of the rule list to which you want to add rule list items.
Source URL String N/A Yes Specify the source URL for the rule list item.
Description String N/A No Specify a description for the newly added rule list items.
Status Code DDL 301 No Specify the status for the rule list item. Possible values: 301, 302, 307, 308.
Preserve Query String Checkbox Unchecked No If enabled, the rule list item preserves the query string.
Include Subdomains Checkbox Unchecked No If enabled, the rule list item includes subdomains.
Subpath Matching Checkbox Unchecked No If enabled, the rule list item matches the subpath.
Preserve Path Suffix Checkbox Unchecked No If enabled, the rule list item preserves the path suffix.

Run on

This action runs on the URL entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "result": {
        "operation_id": "f16b978552ca49f88b36fe628de31142"
    },
    "success": true,
    "errors": [],
    "messages": []
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported for one entity (is_success=true): "Successfully added the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not successful for one entity (is_success=true): "Action wasn't able to add the following entities to the {name} rule list in Cloudflare: {entity.identifier}."

If not successful for all entities (is_success=false): "None of the provided entities were added to the {name} rule list."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Add URL To Rule List". Reason: {0}".format(error.Stacktrace)

If the list is not found: "Error executing action "Add URL To Rule List". Reason: rule list {name} wasn't found in Cloudflare."

If the list is not of the valid kind: "Error executing action "Add URL To Rule List". Reason: rule list {name} is not of type "Redirect"."

General

Create Firewall Rule

Description

Create a firewall rule in Cloudflare.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Zone Name String N/A Yes Specify the name of the zone, which contains the firewall rule.
Name String N/A No Specify the name for the firewall rule.
Action DDL Block No Specify the action for the firewall rule. If "Bypass" is selected, you need to provide values in the "Products" parameter. Possible values: Allow, Block, Bypass, Log, Legacy CAPTCHA, Managed Challenge, JS Challenge.
Expression String N/A Yes Specify the expression for the firewall rule.
Products CSV N/A No Specify a comma-separated list of products for the firewall rule. Note: This parameter is only mandatory if "Bypass" is selected for the "Action" parameter. Possible values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf.
Priority Integer N/A No Specify the priority for the firewall rule.
Reference Tag String N/A No Specify a reference tag for the firewall rule. Note: It can only be up to 50 characters long.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": "b520c154bdeb4fe2a1f647b2c6b35829",
    "paused": false,
    "description": "Blocks traffic identified during investigation for MIR-31",
    "action": "block",
    "priority": 50,
    "filter": {
        "id": "fc6dfad848c24a42ae5be0114db09fb9",
        "expression": "(ip.geoip.continent eq \"ASIA\")",
        "paused": false
    },
    "created_on": "2022-07-25T11:19:22Z",
    "modified_on": "2022-07-25T11:19:22Z",
    "index": 0
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully created a new firewall rule in "{zone_name}" zone in Cloudflare."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Create Firewall Rule". Reason: {0}".format(error.Stacktrace)

If the errors list is not empty: "Error executing action "Create Firewall Rule". Reason: {0}".format(errors/message)

If the zone is not found: "Error executing action "Create Firewall Rule". Reason: zone {zone_name} wasn't found in Cloudflare."

General

Create Rule List

Description

Create a rule list in Cloudflare.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name for the rule list.
Type DDL IP Address No Specify the type for the rule list. Possible values: IP Address, Redirect.
Description String N/A No Specify the description for the rule list.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": "d19589d629f140c0b961c467feadf99d",
    "name": "123",
    "kind": "ip",
    "num_items": 0,
    "description": "description",
    "num_referencing_filters": 0,
    "created_on": "2022-07-25T12:13:46Z",
    "modified_on": "2022-07-25T12:13:46Z"
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success = true): "Successfully create a rule list in Cloudflare."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Create Rule List". Reason: {0}".format(error.Stacktrace)

If the errors list is not empty: "Error executing action "Create Rule List". Reason: {0}".format(errors/message)

General

Enrich Entities

Description

Enrich entities using information from Cloudflare. Supported Entities: URL, IP, Hostname.

Parameters

N/A

Run on

This action runs on the following entities:

  • IP Address
  • URL
  • Hostname

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
JSON Result for IP Address
{
    "ip": "192.0.2.0",
    "belongs_to_ref": {
      "id": "autonomous-system--2fa28d71-3549-5a38-af05-770b79ad6ea8",
      "value": 13335,
      "type": "hosting_provider",
      "country": "US",
      "description": "CLOUDFLARENET"
    },
    "risk_types": [
      {
        "id": 131,
        "super_category_id": 21,
        "name": "Phishing"
      }
    ]
}
JSON Result for URL
{
    "url": "https://www.cloudflare.com",
    "phishing": false,
    "verified": false,
    "score": 0.99,
    "classifier": "MACHINE_LEARNING_v2"
}
JSON Result for Hostname
{
    "domain": "cloudflare.com",
    "created_date": "2009-02-17",
    "updated_date": "2017-05-24",
    "registrant": "DATA REDACTED",
    "registrant_org": "DATA REDACTED",
    "registrant_country": "United States",
    "registrant_email": "https://domaincontact.cloudflareregistrar.com/cloudflare.com",
    "registrar": "Cloudflare, Inc.",
    "nameservers": [
      "ns3.cloudflare.com",
      "ns4.cloudflare.com",
      "ns5.cloudflare.com",
      "ns6.cloudflare.com",
      "ns7.cloudflare.com"
    ]
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported for one entity (is_success=true): "Successfully enriched the following entities in Cloudflare: {entity.identifier}."

If not successful for one entity (is_success=true): "Action wasn't able to enrich the following entities in Cloudflare: {entity.identifier}."

If not successful for all entities (is_success=false): "None of the provided entities were enriched."

If the 403 status code is reported for IP (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich IPs you need to have "IP Overview" capabilities enabled in the Cloudflare account."

If the 403 status code is reported for Hostname (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich domains you need to have "WHOIS" capabilities enabled in the Cloudflare account."

If the 403 status code is reported for URL (if at least one entity is enriched is_success=true, in other case is_success=false): "In order to enrich URLs you need to have "Phishing URL Scanner" capabilities enabled in the Cloudflare account."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace)

If the 403 status code is reported for all entities (is_success=false): "You need to have "Phishing URL Scanner", "WHOIS" and "IP Overview" capabilities enabled in the Cloudflare account."

General
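The three JSON Result shapes above can be flattened into one triage record per entity. The following is an added example, not the integration's own code: the summarize helper, its record layout and the derived age_days field are assumptions of this example, and the sample inputs are the JSON results from this page trimmed to the fields used.

```python
from datetime import date

# JSON Result samples from this page, trimmed to the fields used below.
IP_RESULT = {
    "ip": "192.0.2.0",
    "belongs_to_ref": {"value": 13335, "type": "hosting_provider",
                       "country": "US", "description": "CLOUDFLARENET"},
    "risk_types": [{"id": 131, "super_category_id": 21, "name": "Phishing"}],
}
URL_RESULT = {"url": "https://www.cloudflare.com", "phishing": False,
              "verified": False, "score": 0.99,
              "classifier": "MACHINE_LEARNING_v2"}
HOST_RESULT = {"domain": "cloudflare.com", "created_date": "2009-02-17",
               "registrar": "Cloudflare, Inc.",
               "nameservers": ["ns3.cloudflare.com", "ns4.cloudflare.com"]}


def summarize(result, today=None):
    """Flatten one Enrich Entities JSON result into a small triage record.

    The record layout (kind, entity, ...) is this example's own choice.
    """
    today = today or date.today()
    if "ip" in result:
        ref = result.get("belongs_to_ref") or {}
        return {
            "kind": "ip", "entity": result["ip"],
            "asn": ref.get("value"), "asn_name": ref.get("description"),
            "country": ref.get("country"),
            # A missing or null risk_types is treated as "no categories".
            "risk_types": [r.get("name") for r in result.get("risk_types") or []],
        }
    if "url" in result:
        return {
            "kind": "url", "entity": result["url"],
            "phishing": bool(result.get("phishing")),
            "verified": bool(result.get("verified")),
            "score": result.get("score"),
            "classifier": result.get("classifier"),
        }
    if "domain" in result:
        created = result.get("created_date")
        # Registration age is a common triage signal; None when not reported.
        age = (today - date.fromisoformat(created)).days if created else None
        return {
            "kind": "hostname", "entity": result["domain"],
            "age_days": age, "registrar": result.get("registrar"),
            "nameservers": list(result.get("nameservers") or []),
        }
    raise ValueError("unrecognised Enrich Entities result shape")
```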

List Firewall Rules

Description

List available firewall rules in Cloudflare.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Zone Name String N/A Yes Specify the name of the zone, which will contain the firewall rule.
Filter Key DDL Select One No Specify the key that needs to be used to filter {item type}. Possible values: Select One, Name, ID, Action.
Filter Logic DDL Select One No Specify the filter logic that should be applied. The filtering logic is based on the value provided in the "Filter Key" parameter. Possible values: Select One, Equal, Contains.
Filter Value String N/A No Specify the value that should be used in the filter. If "Equal" is selected, the action tries to find the exact match among results. If "Contains" is selected, the action tries to find results that contain that substring. If nothing is provided in this parameter, the filter is not applied. The filtering logic is based on the value provided in the "Filter Key" parameter.
Max Records To Return Integer 50 No Specify the number of records to return. If nothing is provided, the action returns 50 records.

Run on

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": "55ec8db30f9e4640b5d0d13cff6b5429",
    "paused": false,
    "description": "rulle2",
    "action": "allow",
    "filter": {
        "id": "2bb05df8c4f547bd9792d8dc38a86b81",
        "expression": "(ip.geoip.country eq \"BG\")",
        "paused": false
    },
    "created_on": "2022-07-05T13:53:39Z",
    "modified_on": "2022-07-05T13:53:39Z"
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If data is available (is_success=true): "Successfully found {item name} for the provided criteria in {product name}".

If data is not available (is_success=false): "No {item name} were found for the provided criteria in {product name}"

If the "Filter Value" parameter is empty (is_success=true): "The filter was not applied, because parameter "Filter Value" has an empty value."

The action should fail and stop a playbook execution:

If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" parameter is set to "Equal" or "Contains": "Error executing action "{action name}". Reason: you need to select a field from the "Filter Key" parameter."

If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": . Positive number should be provided."

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "{action name}". Reason: {0}".format(error.Stacktrace)

General
Case Wall Table

Table Name: Available {item group}

Table Columns: {fields}

General
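The filter semantics documented for List Firewall Rules (Filter Key, Filter Logic, Filter Value, Max Records To Return) can be reproduced client-side to predict what a playbook step will return. This is an added example, not the integration's code. It assumes that "Name" is matched against the rule's "description" field, that comparison is case-sensitive, and that a non-positive record limit is rejected; the rules in SAMPLE_RULES are constructed.

```python
# Assumption: mapping of the "Filter Key" choices to JSON Result fields.
FIELD_BY_KEY = {"Name": "description", "ID": "id", "Action": "action"}

SAMPLE_RULES = [  # constructed sample data shaped like the JSON Result
    {"id": "0001", "description": "block-bad-asn", "action": "block"},
    {"id": "0002", "description": "allow-office", "action": "allow"},
    {"id": "0003", "description": "block-geo", "action": "block"},
]

NOT_APPLIED = ('The filter was not applied, because parameter '
               '"Filter Value" has an empty value.')


class ActionError(Exception):
    """Stands in for an action failure that stops the playbook."""


def list_firewall_rules(rules, filter_key="Select One",
                        filter_logic="Select One", filter_value=None,
                        max_records=50):
    """Return (is_success, note, matching_rules) per the documented rules."""
    try:
        limit = 50 if max_records in (None, "") else int(max_records)
    except (TypeError, ValueError):
        limit = 0
    if limit <= 0:
        raise ActionError("Max Records To Return must be a positive number")

    filtering = filter_logic in ("Equal", "Contains")
    if filtering and filter_key == "Select One":
        raise ActionError('you need to select a field from the "Filter Key" parameter.')

    field = FIELD_BY_KEY.get(filter_key)
    note = None
    if filtering and not filter_value:
        # Empty value: the filter is skipped and every rule is returned.
        note = NOT_APPLIED
        matched = list(rules)
    elif filter_logic == "Equal":
        matched = [r for r in rules if str(r.get(field, "")) == filter_value]
    elif filter_logic == "Contains":
        matched = [r for r in rules if filter_value in str(r.get(field, ""))]
    else:
        matched = list(rules)

    matched = matched[:limit]
    # is_success is False when nothing matched the criteria.
    return bool(matched), note, matched
```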

Ping

Description

Test connectivity to Cloudflare with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

The action doesn't use any of the Google Security Operations SOAR scope entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the SpyCloud server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the SpyCloud server! Error is {0}".format(exception.stacktrace)

If the account is not found: "Failed to connect to the Cloudflare server! Invalid account name was provided. Please check the spelling."

General

Update Firewall Rule

Description

Update a firewall rule in Cloudflare.

Run on

This action doesn't run on entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Name String N/A Yes Specify the name of the rule that needs to be updated.
Zone Name String N/A Yes Specify the name of the zone, which contains the firewall rule.
Action DDL Block No Specify the action for the firewall rule. If "Bypass" is selected, you need to provide values in the "Products" parameter. Possible values: Allow, Block, Bypass, Log, Legacy CAPTCHA, Managed Challenge, JS Challenge.
Expression String N/A Yes Specify the expression for the firewall rule.
Products CSV N/A No Specify a comma-separated list of products for the firewall rule. Note: This parameter is only mandatory if "Bypass" is selected for the "Action" parameter. Possible values: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, waf.
Priority Integer N/A No Specify the priority for the firewall rule.
Reference Tag String N/A No Specify a reference tag for the firewall rule. Note: It can only be up to 50 characters long.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "id": "b520c154bdeb4fe2a1f647b2c6b35829",
    "paused": false,
    "description": "Blocks traffic identified during investigation for MIR-31",
    "action": "block",
    "priority": 50,
    "filter": {
        "id": "fc6dfad848c24a42ae5be0114db09fb9",
        "expression": "(ip.geoip.continent eq \"ASIA\")",
        "paused": false
    },
    "created_on": "2022-07-25T11:19:22Z",
    "modified_on": "2022-07-25T11:19:22Z",
    "index": 0
}
Case Wall
Result type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If the 200 status code is reported (is_success=true): "Successfully updated a firewall rule in "{zone_name}" zone in Cloudflare."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, or other is reported: "Error executing action "Update Firewall Rule". Reason: {0}".format(error.Stacktrace)

If the errors list is not empty: "Error executing action "Update Firewall Rule". Reason: {0}".format(errors/message)

If the zone is not found: "Error executing action "Update Firewall Rule". Reason: zone {zone_name} wasn't found in Cloudflare."

General
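The parameter constraints documented for Create Firewall Rule and Update Firewall Rule can be checked before a playbook step runs, so that a malformed rule is caught before it reaches Cloudflare. This is an added example, not the integration's code: validate_firewall_rule and needs_review are hypothetical helpers, Products is required for "Bypass" as stated in the Note on the Products parameter, and flagging Allow and Bypass for review is this example's own policy.

```python
ACTIONS = {"Allow", "Block", "Bypass", "Log", "Legacy CAPTCHA",
           "Managed Challenge", "JS Challenge"}
PRODUCTS = {"zoneLockdown", "uaBlock", "bic", "hot",
            "securityLevel", "rateLimit", "waf"}
MAX_REFERENCE_TAG = 50
# Assumption of this example: actions that exempt traffic from checks
# get a human review before a playbook pushes them.
REVIEW_ACTIONS = {"Allow", "Bypass"}


def parse_csv(value):
    """Split a CSV parameter into trimmed, non-empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def validate_firewall_rule(zone_name, expression, action="Block",
                           products=None, priority=None, reference_tag=None):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if not (zone_name or "").strip():
        problems.append("Zone Name is mandatory")
    if not (expression or "").strip():
        problems.append("Expression is mandatory")
    if action not in ACTIONS:
        problems.append(f"Action {action!r} is not a listed value")

    items = parse_csv(products)
    # Product names are compared exactly: "WAF" is not "waf".
    unknown = [p for p in items if p not in PRODUCTS]
    if unknown:
        problems.append("Unknown products: " + ", ".join(unknown))
    if action == "Bypass" and not items:
        problems.append('Products is mandatory when Action is "Bypass"')

    if priority is not None:
        try:
            int(str(priority).strip())
        except ValueError:
            problems.append("Priority must be an integer")
    if reference_tag is not None and len(reference_tag) > MAX_REFERENCE_TAG:
        problems.append("Reference Tag is longer than 50 characters")
    return problems


def needs_review(action):
    """True for actions that let matching traffic skip protections."""
    return action in REVIEW_ACTIONS
```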