This article provides instructions for:

  • Where to find the required resources for the integration

  • How to ensure Cloudflare Log Retention is enabled and how to enable it if not

  • Create and provision the account for Expel with the required permissions


You must be a Cloudflare Enterprise customer to use this integration.

Expel integration with Cloudflare uses 3 key values from your Cloudflare account:


  • X-Auth-Email: the email address associated with the Administrator user of your Cloudflare account

  • X-Auth-Key: the Cloudflare API token

Step 1: Obtain Zone ID value

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. On the Overview page, find the API section.

  3. Copy these values for later. Click Click to copy. Paste them in a text file.

  4. Click the Get your API token link. Copy the token and paste it in the text file, too. The X-Auth-Key is the Cloudflare API token.

Step 2: Enable log retention

By default, HTTP request log retention isn't enabled. Enabling log retention is a requirement to support this integration. Run the following command to determine if your log retention is enabled or disabled.

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" GET "<ZONE_ID>/logs/control/retention/flag" | jq .


  "errors": [],
  "messages": [],
  "result": {
    "flag": false
  "success": true


  • True = Log Retention is Enabled.

  • False = Log Retention is Disabled. If Log Retention is disabled, run the command below to enable it.

To enable log retention

curl -s -H "X-Auth-Email: <EMAIL>" -H "X-Auth-Key: <API_KEY>" POST "<ZONE_ID>/logs/control/retention/flag" -d'{"flag":true}' | jq .

  "errors": [],
  "messages": [],
  "result": {
    "flag": true
  "success": true

Step 3: Add Expel to Cloudflare

These steps explain how to:

  • Provision an Expel account and add it to your Cloudflare account

  • Grant relevant permissions to the Expel account

Provision the Expel SOC account to your Cloudflare


You must be logged in as a Super Administrator and have a verified email address.

  1. Log in to the Cloudflare dashboard and select your account.

  2. Go to Manage Account > Members.

  3. In the Invite members area, type one or more email addresses. soc+<Your Organization Name>

  4. Select Log Share Reader / Log Share Role.

  5. Click Invite.

Create API token for Expel SOC account

  1. From the Cloudflare dashboard, go to My Profile > API Tokens.

  2. Click Create Token.

  3. Select the Read analytics and logs template from the available API token templates or create a custom token with Analytics Read and Logs Read permissions.

  4. Add or edit the token name to describe why or how the token is used.

  5. Apply Logs Read to the Expel User’s API Token permissions. 

    • Select Zone → Logs Read.

    • Select Account → Logs Read.

  6. Select which resources (zones) the token is authorized to access. These are the resources you want Expel to monitor.

  7. Click Continue to summary.

  8. Review the token summary. Click Edit token to make adjustments. You can also edit the token later, if needed.

  9. Click Create Token to generate the token’s secret. Copy the secret to your text file.

  10. Coordinate with your engagement manager to securely send the token to Expel.


Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

cloud flare, cflare