Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol

To send Cloudflare Firewall or Cloudflare HTTP events to QRadar® when you use the HTTP Receiver protocol, you need to start the Logpush job that you created.

  1. To send Cloudflare Firewall events to QRadar, start the Logpush job that you created by typing the following command: 
    curl -s https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/jobs -X POST -d '{ "name": "<name>", "logpull_options": "fields=Action,ClientIP,ClientASN,ClientASNDescription,ClientCountry,ClientIPClass,ClientRefererHost,ClientRefererPath,ClientRefererQuery,ClientRefererScheme,ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,ClientRequestQuery,ClientRequestScheme,ClientRequestUserAgent,EdgeColoCode,EdgeResponseStatus,Kind,MatchIndex,Metadata,OriginResponseStatus,OriginatorRayID,RayID,RuleID,Source,Datetime&timestamps=rfc3339", "destination_conf": "<QRadar_URL:LogSource_Port>", "max_upload_bytes": 5000000, "max_upload_records": 1000, "dataset": "firewall_events", "enabled": true}' -H "X-Auth-Email: <X-Auth-Email>" -H "X-Auth-Key: <X-Auth-Key>"
  2. To send Cloudflare HTTP events to QRadar, start the Logpush job that you created by typing the following command:
    curl -s https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/jobs -X POST -d '{ "name": "<name>", "logpull_options": "fields=ClientRequestMethod,EdgeResponseStatus,ClientIP,ClientSrcPort,CacheCacheStatus,ClientCountry,ClientDeviceType,ClientIPClass,ClientMTLSAuthCertFingerprint,ClientMTLSAuthStatus,ClientRegionCode,ClientRequestBytes,ClientRequestHost,ClientRequestPath,ClientRequestProtocol,ClientRequestReferer,ClientRequestScheme,ClientRequestSource,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientXRequestedWith,EdgeEndTimestamp,EdgeRequestHost,EdgeResponseBodyBytes,EdgeResponseBytes,EdgeServerIP,EdgeStartTimestamp,SecurityActions,SecurityRuleIDs,SecuritySources,OriginIP,OriginResponseStatus,OriginSSLProtocol,ParentRayID,RayID,SecurityAction,WAFAttackScore,SecurityRuleID,SecurityRuleDescription,WAFSQLiAttackScore,WAFXSSAttackScore,EdgeStartTimestamp&timestamps=rfc3339", "destination_conf": "<QRadar_URL:LogSource_Port>", "max_upload_bytes": 5000000, "max_upload_records": 1000, "dataset": "http_requests", "enabled": true}' -H "X-Auth-Email: <X-Auth-Email>" -H "X-Auth-Key: <X-Auth-Key>"
Important:
  • For the LogSource Port, you must choose one of the following open ports from Cloudflare:
    • 443 Do not use on QRadar console
    • 8088 QRadar on Cloud or On-premises
    • 2433 QRadar on On-premises only

When the command is executed, the events are forwarded to QRadar.