This article provides instructions for:

  • Where to find the required resources for the integration

  • How to ensure Cloudflare Log Retention is enabled and how to enable it if not

  • Create and provision the account for Expel with the required permissions


You must be a Cloudflare Enterprise customer to use this integration.


Create an email address for notifications

In your organization's system, you need to create an email address to receive notifications from Cloudflare. You need this address for actions like managing your access and resetting your password.

Expel integration with Cloudflare uses 3 key values from your Cloudflare account:


  • X-Auth-Email: the email address associated with the Administrator user of your Cloudflare account

  • X-Auth-Key: the Cloudflare API token

Step 1: Obtain Zone ID value

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. On the Overview page, find the API section.

  3. Copy these values for later. Click Click to copy. Paste them in a text file.

  4. Click the Get your API token link. Copy the token and paste it in the text file, too. The X-Auth-Key is the Cloudflare API token.

Step 2: Enable log retention

By default, HTTP request log retention isn't enabled. Enabling log retention is a requirement to support this integration. Run the following command to determine if your log retention is enabled or disabled.

Check to see if log retention is enabled

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" GET "<ZONE_ID>/logs/control/retention/flag" | jq .


  "errors": [],
  "messages": [],
  "result": {
    "flag": false
  "success": true


  • True = Log Retention is Enabled.

  • False = Log Retention is Disabled. If Log Retention is disabled, run the command below to enable it.

To enable log retention

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" POST "<ZONE_ID>/logs/control/retention/flag" -d'{"flag":true}' | jq .

  "errors": [],
  "messages": [],
  "result": {
    "flag": true
  "success": true

Step 3: Add Expel to Cloudflare

These steps explain how to:

  • Provision an Expel account and add it to your Cloudflare account

  • Grant relevant permissions to the Expel account

Provision the Expel SOC account to your Cloudflare


You must be logged in as a Super Administrator and have a verified email address.

  1. Log in to the Cloudflare dashboard and select your account.

  2. Go to Manage Account > Members.

  3. In the Invite members area, type the email address you created for notification purposes.

  4. Select Log Share Reader / Log Share Role.

  5. Click Invite.

Create API token for Expel SOC account

  1. From the Cloudflare dashboard, go to My Profile > API Tokens.

  2. Click Create Token.

  3. Select the Read analytics and logs template from the available API token templates or create a custom token with Analytics Read and Logs Read permissions.

  4. Add or edit the token name to describe why or how the token is used.

  5. Apply Logs Read to the Expel User’s API Token permissions. 

    • Select Zone → Logs Read.

    • Select Account → Logs Read.

  6. Select which resources (zones) the token is authorized to access. These are the resources you want Expel to monitor.

  7. Click Continue to summary.

  8. Review the token summary. Click Edit token to make adjustments. You can also edit the token later, if needed.

  9. Click Create Token to generate the token’s secret. Copy the secret to your text file.

  10. Coordinate with your engagement manager to securely send the token to Expel.

Step 4: Configure the technology in Workbench

  1. In a new browser tab, log into

  2. In the main menu, click Organization Settings.

  3. In the Organization Settings left-hand menu, click Security Devices.

  4. In the upper right corner of the page, click + Add Security Device.

  5. In the search field, type Cloudflare, and click this name.

  6. In the Add Security Device dialog box, type the following data:

    • Name: for example, type Cloudflare.

    • Location: for example, type Expel Lab.

    • Expel Cloudflare email: type the email address you used in Step 3.

    • API key for Expel Cloudflare email: type the API token you created in Step 3.

  7. Click Save.

  8. You can provide console access now or set it up later. Use the instructions below to set it up later.


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

cloud flare, cflare