This onboarding guide takes you through how to connect Cloudflare to Expel Workbench.

Prerequisites

  1. You must be a Cloudflare Enterprise customer to use this integration.
  2. You must be using Cloudflare Web Application Firewall (WAF). This integration supports ONLY Cloudflare WAF events.
  3. In your organization's system, create an email address to receive notifications from Cloudflare. You need this address for actions like managing your access and resetting your password.

Quick Links

    1. Obtain Zone ID Value
    2. Enable Log Retention
    3. Add Expel to Cloudflare
    4. Add Cloudflare as a Security Device in Workbench
    5. Edit the Device to Add Console Access

Step 1: Obtain Zone ID Value

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. On the Overview page, find the API section.

  3. Copy these values for later. Click Click to copy. Paste them in a text file.

  4. Click the Get your API token link. Copy the token and paste it in the text file, too. The X-Auth-Key is the Cloudflare API token.

Step 2: Enable Log Retention

By default, HTTP request log retention isn't enabled. Enabling log retention is a requirement to support this integration. Run the following command to determine if your log retention is enabled or disabled.

Check to see if log retention is enabled

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" GET "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logs/control/retention/flag" | jq .

Response

{
  "errors": [],
  "messages": [],
  "result": {
    "flag": false
  },
  "success": true
}

Results

  • True = Log Retention is Enabled.

  • False = Log Retention is Disabled. If Log Retention is disabled, run the command below to enable it.

To enable log retention

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/logs/control/retention/flag" -d'{"flag":true}' | jq .

{
  "errors": [],
  "messages": [],
  "result": {
    "flag": true
  },
  "success": true
}

Step 3: Add Expel to Cloudflare

These steps explain how to:

  • Provision an Expel account and add it to your Cloudflare account

  • Grant relevant permissions to the Expel account

Provision the Expel SOC account to Cloudflare

Note
You must be logged in as a Super Administrator and have a verified email address.

  1. Log in to the Cloudflare dashboard and select your account.

  2. Go to Manage Account > Members.

  3. Select Invite.
  4. Fill out the following information:
    1. Invite members - type the email address you created for notification purposes.
    2. Roles - choose Analytics.
  5. Click Invite.

Create API token for Expel SOC account

  1. From the Cloudflare dashboard, go to My Profile > API Tokens.

  2. Click Create Token.

  3. Select the “Read all resources” template from the available API token templates

  4. Add or edit the token name to describe why or how the token is used.

  5. Apply Logs Read to the Expel User’s API Token permissions. 

    • Select Zone → Logs Read.

    • Select Account → Logs Read.

  6. Select which resources (zones) the token is authorized to access. These are the resources you want Expel to monitor.

  7. Click Continue to summary.

  8. Review the token summary. Click Edit token to make adjustments. You can also edit the token later, if needed.

  9. Click Create Token to generate the token’s secret. Copy the secret to your text file.

  10. Coordinate with your engagement manager to securely send the token to Expel.

Step 4: Add Cloudflare as a Security Device in Workbench

  1. Log in to Workbench.

  2. In the side menu, navigate to Organization Settings > Security Devices.

  3. Select Add Security Device.

  4. In the search field, type "Cloudflare", and select the Cloudflare integration.

  5. Complete the fields as follows:

    • Name - enter a name that might help you more easily identify this integration, such as “CompanyName <technology>”; this name will display in Workbench under the Name column, and is a text string that you can filter on.

    • Location - enter the location of your integration, for example “cloud;” this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.

    • Expel Cloudflare email - enter the email address you used in Step 3.

    • API key for Expel Cloudflare email - enter the API token you created in Step 3.
      add_security_device_cloudflare.png

  6. Select Save.

  7. Your device should be created successfully within a few seconds. A few reminders:

    • After your connection is healthy, it will take some time for your device to begin polling and receiving data.

    • To check on the status, select the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.

    • Polling will happen first; data will be received after that. You must refresh the page to see updates.

    • If your device does not begin polling within 15 minutes, and does not begin receiving data within 30 minutes, contact our support team for help.

Step 5: Edit the Device to Add Console Access