Cloudflare WAF Pack

Use Cloudflare WAF to manage firewall rules, filters, and IP-lists.

What does this pack do?

This pack contains an integration, whose main purpose is to manage firewall rules in Cloudflare Services.

In addition, this pack includes XSIAM content.

We currently support the retrieval of events from Cloudflare WAF by using an HTTP Log Collector, and Cloudflare waf logpush v2.

On XSIAM:

Navigate to Settings -> Data Sources -> Add Data Source -> Custom - HTTP based Collector.
Click Connect Another Instance.
Set the Name and Compression and then set:
- Name as Cloudflare
- Compression gzip
- Log Format as JSON
- Vendor as cloudflare
- Product as waf
Creating a new HTTP Log Collector allows you to generate a unique token. Save it since it will be used later.
Click the 3 dots next to the newly created instance and copy the API URL. It will also be used later.

On Cloudflare:

In order to configure the logpush on the Cloudflare side, read this documentation.

Guidelines:

For the destination_conf, use the API URL (copied in step 5 on the XSIAM side) and the newly created token (copied in step 4 on the XSIAM side) to create a value in the following format: "{XSIAM API URL}?header_Authorization=Basic%20{XSIAM API Token}".
Important:
Make sure to specify under logpull_options in the Logpush API configuration the string EdgeEndTimestamp&timestamps=rfc3339.
This is in order to send this time field as a timestamp string, which will be used as the time of the event.
In addition, make sure to set the timezone of the logs to UTC (UTC+0).