1. Expel Help Center
  2. Connect Your Technology
  3. A-C Integrations
  4. Cloudflare

Cloudflare WAF Setup for Workbench

This onboarding guide takes you through how to connect Cloudflare WAF to Expel Workbench.

Prerequisites

  1. You must be a Cloudflare Enterprise customer to use this integration.
  2. You must be using Cloudflare Web Application Firewall (WAF). This integration supports ONLY Cloudflare WAF events.
  3. In your organization's system, create an email address to receive notifications from Cloudflare. You need this address for actions like managing your access and resetting your password.

Quick Links

  1. Obtain Zone ID Value
  2. Enable Log Retention
  3. Add Expel to Cloudflare
  4. Add Cloudflare as a Security Device in Workbench
  5. Edit the Device to Add Console Access

Step 1: Obtain Zone ID Value

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. On the Overview page, find the API section.

  3. Copy these values for later. Click Click to copy. Save them in a secure place (not plaintext where others can access it).

  4. Click the Get your API token link. Copy the token and save it, too. The X-Auth-Key is the Cloudflare API token.

Step 2: Enable Log Retention

By default, HTTP request log retention isn't enabled. Enabling log retention is a requirement to support this integration. Run the following command to determine if your log retention is enabled or disabled.

Check to see if log retention is enabled

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" GET "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logs/control/retention/flag" | jq .

Response

{
  "errors": [],
  "messages": [],
  "result": {
    "flag": false
  },
  "success": true
}

Results

  • True = Log Retention is Enabled.

  • False = Log Retention is Disabled. If Log Retention is disabled, run the command below to enable it.

To enable log retention

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logs/control/retention/flag" -d'{"flag":true}' | jq .

{
  "errors": [],
  "messages": [],
  "result": {
    "flag": true
  },
  "success": true
}

Step 3: Add Expel to Cloudflare

These steps explain how to:

  • Provision an Expel account and add it to your Cloudflare account

  • Grant relevant permissions to the Expel account

Provision the Expel SOC account to Cloudflare

Note
You must be logged in as a Super Administrator and have a verified email address.

  1. Log in to the Cloudflare dashboard.

  2. In the left navigation, select Manage Account > Members.

  3. Select Invite.
  4. Complete the following information:
    1. Invite members - enter the email address you created for notification purposes (see Prerequisites if you have not done this yet).
    2. Scope - select the appropriate scope for your permissions.
    3. Roles - choose Analytics and Log Share Reader.
  5. Select Continue to summary.

  6. Select Invite.

Create API token for Expel SOC account

  1. From the Cloudflare dashboard, go to Profile > API Tokens.

  2. Select Create Token.

  3. Scroll down to the Custom token section and select Get started to create a custom token.

  4. For Token name, enter "Expel API Token".

  5. For Permissions, apply the following permissions:

    • Select Account > Account Analytics > Read.
    • Select Account > Logs > Read.
    • Select Zone > Analytics > Read.

    • Select Zone > Logs > Read.
      Screenshot 2025-07-07 at 4.57.14 PM.png

  6. In the next sections, select the account or zone resources the token is authorized to access. These are the resources you want Expel to monitor.

  7. Select Continue to summary.

  8. Review the token summary. If you need to make adjustments, select Edit token. You can also edit the token later, if needed.

  9. Select Create Token to generate the token's secret. Copy and save the secret to a safe place for use in a later step. For security, the token secret is only shown once and will not be available again.

Step 4: Add Cloudflare as a Security Device in Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. Log in to Workbench.

  2. In the side menu, navigate to Organization Settings > Security Devices.

  3. Select Add Security Device.

  4. In the search field, type "Cloudflare", and select the Cloudflare integration.

  5. Complete the fields as follows:

    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName <technology>”; this name will display in Workbench under the Name column, and is a text string that you can filter on.

    • Location - enter the location of your integration, for example “cloud;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.

    • Expel Cloudflare email - enter the email address you used in Step 3.

    • API key for Expel Cloudflare email - enter the API token you created in Step 3.
      add_security_device_cloudflare.png

  6. Select Save.

  7. Your device should be created successfully within a few seconds. A few reminders:

    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.

    • To check on the status, select the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.

    • Polling will happen first; data will be received after that. You must refresh the page to see updates.

    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.

Step 5: Edit the Device to Add Console Access

Expel requires console access to allow analysts to perform investigation and triage. Without this additional level of information, details cannot be verified by our analysts and an investigation cannot be initiated. For more information, see Why Expel Asks for Console Access.

  1. In Workbench, go to Organization Settings > Security Devices. Next to the Cloudflare device you just connected, click the down arrow and click Edit.

  2. In the Console Login section, complete the fields as follows:

    • Console URL - enter "https://dash.cloudflare.com/".

    • Username - type the user name you created above.

    • Password - type the password you created above.

    • Two-factor secret key (32-character code) - depending on how your organization enforces log-ins, this field may not apply to you. In these cases, you can leave it blank. This field is optional and if you have questions or concerns, contact Support.

  3. Click Save.

Related articles