Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol
To send Cloudflare Firewall or Cloudflare HTTP events to QRadar when you use the HTTP Receiver protocol, create and enable a Logpush job for the corresponding dataset through the Cloudflare API. Each command below sends a POST request to /zones/<zone_id>/logpush/jobs with "enabled": true, so Cloudflare starts pushing events to the QRadar log source as soon as the job is accepted.
- To send Cloudflare Firewall events to QRadar, create and enable the Logpush job for the firewall_events dataset by running the following command:
curl -s "https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/jobs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Email: <X-Auth-Email>" \
  -H "X-Auth-Key: <X-Auth-Key>" \
  -d '{ "name": "<name>", "logpull_options": "fields=Action,ClientIP,ClientASN,ClientASNDescription,ClientCountry,ClientIPClass,ClientRefererHost,ClientRefererPath,ClientRefererQuery,ClientRefererScheme,ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,ClientRequestQuery,ClientRequestScheme,ClientRequestUserAgent,EdgeColoCode,EdgeResponseStatus,Kind,MatchIndex,Metadata,OriginResponseStatus,OriginatorRayID,RayID,RuleID,Source,Datetime&timestamps=rfc3339", "destination_conf": "<QRadar_URL:LogSource_Port>", "max_upload_bytes": 5000000, "max_upload_records": 1000, "dataset": "firewall_events", "enabled": true}'
- To send Cloudflare HTTP events to QRadar, create and enable the Logpush job for the http_requests dataset by running the following command:
curl -s "https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/jobs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Email: <X-Auth-Email>" \
  -H "X-Auth-Key: <X-Auth-Key>" \
  -d '{ "name": "<name>", "logpull_options": "fields=ClientRequestMethod,EdgeResponseStatus,ClientIP,ClientSrcPort,CacheCacheStatus,ClientCountry,ClientDeviceType,ClientIPClass,ClientMTLSAuthCertFingerprint,ClientMTLSAuthStatus,ClientRegionCode,ClientRequestBytes,ClientRequestHost,ClientRequestPath,ClientRequestProtocol,ClientRequestReferer,ClientRequestScheme,ClientRequestSource,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientXRequestedWith,EdgeEndTimestamp,EdgeRequestHost,EdgeResponseBodyBytes,EdgeResponseBytes,EdgeServerIP,EdgeStartTimestamp,SecurityActions,SecurityRuleIDs,SecuritySources,OriginIP,OriginResponseStatus,OriginSSLProtocol,ParentRayID,RayID,SecurityAction,WAFAttackScore,SecurityRuleID,SecurityRuleDescription,WAFSQLiAttackScore,WAFXSSAttackScore&timestamps=rfc3339", "destination_conf": "<QRadar_URL:LogSource_Port>", "max_upload_bytes": 5000000, "max_upload_records": 1000, "dataset": "http_requests", "enabled": true}'
Important:
- For <LogSource_Port>, use one of the following ports, which are the only ports QRadar accepts for Cloudflare Logpush over the HTTP Receiver protocol:
  - 443: do not use on the QRadar® Console
  - 8088: QRadar on Cloud or on-premises QRadar
  - 2433: on-premises QRadar only
- <QRadar_URL:LogSource_Port> must be an HTTPS endpoint that Cloudflare can reach from the internet on that port, because Cloudflare connects to it as a client to push each batch of events.
- <X-Auth-Key> is the account's Global API Key, which grants full access to every zone in the account. Where possible, use a scoped API token that has only the Logs Edit permission for this zone and pass it as -H "Authorization: Bearer <token>" in place of the two X-Auth headers.
When the request succeeds, the response contains the new job with "enabled": true and Cloudflare begins forwarding batches of events to QRadar. To confirm delivery, list the zone's jobs with a GET request to the same /logpush/jobs endpoint and check that last_error is empty for the job; a populated error_message means Cloudflare could not deliver to the QRadar HTTP Receiver, most often because the port or URL in destination_conf is wrong or not reachable.
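The following script is an added example, not code from IBM or Cloudflare, that carries the procedure above through in one place: it validates the destination against the port rules in the Important section, builds the same JSON body as the two curl commands for either dataset, submits it, and interprets the response. It assumes a scoped API token sent as "Authorization: Bearer" rather than the X-Auth-Email/X-Auth-Key pair the page uses, and the zone ID, token and QRadar host name are placeholders. The https:// check follows Cloudflare's requirement for HTTP destinations, which the page does not state.

```python
"""Create a Cloudflare Logpush job that pushes to a QRadar HTTP Receiver
log source. Added example; assumes a scoped API token (Bearer auth) and
placeholder zone/host values."""
import json
import urllib.request
from urllib.parse import urlparse

# Ports QRadar opens for Cloudflare Logpush, with the page's restriction on each.
QRADAR_PORTS = {
    443: "do not use on the QRadar Console",
    8088: "QRadar on Cloud or on-premises QRadar",
    2433: "on-premises QRadar only",
}

# Field lists copied from the curl commands above (the HTTP list had
# EdgeStartTimestamp twice; it is listed once here).
FIREWALL_FIELDS = (
    "Action,ClientIP,ClientASN,ClientASNDescription,ClientCountry,ClientIPClass,"
    "ClientRefererHost,ClientRefererPath,ClientRefererQuery,ClientRefererScheme,"
    "ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,"
    "ClientRequestQuery,ClientRequestScheme,ClientRequestUserAgent,EdgeColoCode,"
    "EdgeResponseStatus,Kind,MatchIndex,Metadata,OriginResponseStatus,"
    "OriginatorRayID,RayID,RuleID,Source,Datetime"
).split(",")
HTTP_FIELDS = (
    "ClientRequestMethod,EdgeResponseStatus,ClientIP,ClientSrcPort,CacheCacheStatus,"
    "ClientCountry,ClientDeviceType,ClientIPClass,ClientMTLSAuthCertFingerprint,"
    "ClientMTLSAuthStatus,ClientRegionCode,ClientRequestBytes,ClientRequestHost,"
    "ClientRequestPath,ClientRequestProtocol,ClientRequestReferer,ClientRequestScheme,"
    "ClientRequestSource,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,"
    "ClientSSLProtocol,ClientXRequestedWith,EdgeEndTimestamp,EdgeRequestHost,"
    "EdgeResponseBodyBytes,EdgeResponseBytes,EdgeServerIP,EdgeStartTimestamp,"
    "SecurityActions,SecurityRuleIDs,SecuritySources,OriginIP,OriginResponseStatus,"
    "OriginSSLProtocol,ParentRayID,RayID,SecurityAction,WAFAttackScore,SecurityRuleID,"
    "SecurityRuleDescription,WAFSQLiAttackScore,WAFXSSAttackScore"
).split(",")
DATASETS = {"firewall_events": FIREWALL_FIELDS, "http_requests": HTTP_FIELDS}


def validate_destination(destination, on_console=False, qradar_on_cloud=False):
    """Apply the page's port rules to a destination URL and return its port."""
    url = urlparse(destination)
    if url.scheme != "https":
        raise ValueError("Logpush HTTP destinations must be https:// URLs")
    if url.port is None:
        raise ValueError("destination must include the log source port")
    if url.port not in QRADAR_PORTS:
        raise ValueError(f"port {url.port} is not one of {sorted(QRADAR_PORTS)}")
    if url.port == 443 and on_console:
        raise ValueError("port 443 must not be used on the QRadar Console")
    if url.port == 2433 and qradar_on_cloud:
        raise ValueError("port 2433 is for on-premises QRadar only")
    return url.port


def build_job(name, dataset, destination, max_bytes=5_000_000, max_records=1000):
    """Return the JSON body the curl commands send, for the chosen dataset."""
    if dataset not in DATASETS:
        raise ValueError(f"unknown dataset {dataset!r}")
    validate_destination(destination)
    return {
        "name": name,
        "dataset": dataset,
        "logpull_options": "fields=" + ",".join(DATASETS[dataset]) + "&timestamps=rfc3339",
        "destination_conf": destination,
        "max_upload_bytes": max_bytes,
        "max_upload_records": max_records,
        "enabled": True,
    }


def job_status(body):
    """Interpret a Logpush API response (create or list) as (ok, message)."""
    if not body.get("success"):
        errors = "; ".join(e.get("message", str(e)) for e in body.get("errors", []))
        return False, errors or "request failed"
    job = body.get("result") or {}
    if job.get("last_error") and job.get("error_message"):
        return False, f"job {job.get('id')}: {job['error_message']}"
    if not job.get("enabled"):
        return False, f"job {job.get('id')} exists but is not enabled"
    return True, f"job {job.get('id')} enabled for {job.get('dataset')}"


def create_job(zone_id, job, api_token, send=None):
    """POST the job to Cloudflare. `send` is an injectable transport so the
    function can be exercised offline; by default urllib performs the request."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/logpush/jobs",
        data=json.dumps(job).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )
    if send is None:
        def send(request):
            with urllib.request.urlopen(request) as resp:
                return json.loads(resp.read())
    return job_status(send(req))
```

Call validate_destination with on_console or qradar_on_cloud set to match where the log source actually lives; build_job only checks that the port is one of the three the page lists. Run job_status over the result of a later GET on the jobs endpoint to turn a populated last_error/error_message into an actionable failure rather than silently missing events.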