Configure Cloudflare to send events to IBM QRadar when you use the HTTP Receiver protocol
To send Cloudflare Firewall or Cloudflare HTTP events to QRadar® when you use the HTTP Receiver protocol, you need to start the Logpush job that you created.
- To send Cloudflare Firewall events to QRadar, start the Logpush job that you created by typing the following command:
  curl -s https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/jobs -X POST -d '{ "name": "<name>", "logpull_options": "fields=Action,ClientIP,ClientASN,ClientASNDescription,ClientCountry,ClientIPClass,ClientRefererHost,ClientRefererPath,ClientRefererQuery,ClientRefererScheme,ClientRequestHost,ClientRequestMethod,ClientRequestPath,ClientRequestProtocol,ClientRequestQuery,ClientRequestScheme,ClientRequestUserAgent,EdgeColoCode,EdgeResponseStatus,Kind,MatchIndex,Metadata,OriginResponseStatus,OriginatorRayID,RayID,RuleID,Source,Datetime&timestamps=rfc3339", "destination_conf": "<QRadar_URL:LogSource_Port>", "max_upload_bytes": 5000000, "max_upload_records": 1000, "dataset": "firewall_events", "enabled": true}' -H "X-Auth-Email: <X-Auth-Email>" -H "X-Auth-Key: <X-Auth-Key>"
- To send Cloudflare HTTP events to QRadar, start the Logpush job that you created by typing the following command:
  curl -s https://api.cloudflare.com/client/v4/zones/<zone_id>/logpush/jobs -X POST -d '{ "name": "<name>", "logpull_options": "fields=ClientRequestMethod,EdgeResponseStatus,ClientIP,ClientSrcPort,CacheCacheStatus,ClientCountry,ClientDeviceType,ClientIPClass,ClientMTLSAuthCertFingerprint,ClientMTLSAuthStatus,ClientRegionCode,ClientRequestBytes,ClientRequestHost,ClientRequestPath,ClientRequestProtocol,ClientRequestReferer,ClientRequestScheme,ClientRequestSource,ClientRequestURI,ClientRequestUserAgent,ClientSSLCipher,ClientSSLProtocol,ClientXRequestedWith,EdgeEndTimestamp,EdgeRequestHost,EdgeResponseBodyBytes,EdgeResponseBytes,EdgeServerIP,EdgeStartTimestamp,SecurityActions,SecurityRuleIDs,SecuritySources,OriginIP,OriginResponseStatus,OriginSSLProtocol,ParentRayID,RayID,SecurityAction,WAFAttackScore,SecurityRuleID,SecurityRuleDescription,WAFSQLiAttackScore,WAFXSSAttackScore,EdgeStartTimestamp&timestamps=rfc3339", "destination_conf": "<QRadar_URL:LogSource_Port>", "max_upload_bytes": 5000000, "max_upload_records": 1000, "dataset": "http_requests", "enabled": true}' -H "X-Auth-Email: <X-Auth-Email>" -H "X-Auth-Key: <X-Auth-Key>"
Important:
- For the LogSource Port, you must choose one of the following open ports from Cloudflare:
  - 443: Do not use on QRadar console
  - 8088: QRadar on Cloud or On-premises
  - 2433: QRadar On-premises only
When the command is executed, the events are forwarded to QRadar.
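The following wrapper is an added example, not IBM or Cloudflare code: it builds the job body used by the commands above, rejects a destination whose port is not one of the three listed ports or a field list containing anything other than comma-separated names, and reads the credentials from the environment so the key does not land in shell history. The function names and the `CF_AUTH_EMAIL` and `CF_AUTH_KEY` variable names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not IBM or Cloudflare code): build and check the Logpush job
# body before it is POSTed. Function and variable names are hypothetical.

# Ports the page lists for the QRadar log source.
ALLOWED_PORTS="443 8088 2433"

# Succeeds only if the destination URL ends in one of the listed ports.
check_destination_port() {
  local dest="$1" port p
  port="${dest##*:}"   # text after the last colon
  port="${port%%/*}"   # drop any path; empty when the URL carries no port
  for p in $ALLOWED_PORTS; do
    [ "$port" = "$p" ] && return 0
  done
  return 1
}

# Prints the JSON body for one job. Assumes name, dataset and destination
# contain no double quotes or backslashes (they are not JSON-escaped here).
build_logpush_body() {
  local name="$1" dataset="$2" fields="$3" dest="$4"
  check_destination_port "$dest" || {
    echo "destination port must be one of: $ALLOWED_PORTS" >&2; return 1; }
  case "$fields" in
    ""|*[!A-Za-z,]*)
      echo "field list must be comma-separated names only" >&2; return 1 ;;
  esac
  printf '{"name":"%s","logpull_options":"fields=%s&timestamps=rfc3339",' "$name" "$fields"
  printf '"destination_conf":"%s","max_upload_bytes":5000000,' "$dest"
  printf '"max_upload_records":1000,"dataset":"%s","enabled":true}\n' "$dataset"
}

# Sends the body with the same endpoint and headers as the commands above.
# CF_AUTH_EMAIL and CF_AUTH_KEY are assumed environment variable names.
create_logpush_job() {
  local zone_id="$1" body="$2"
  curl -s "https://api.cloudflare.com/client/v4/zones/${zone_id}/logpush/jobs" \
    -X POST -d "$body" \
    -H "X-Auth-Email: ${CF_AUTH_EMAIL:?set CF_AUTH_EMAIL}" \
    -H "X-Auth-Key: ${CF_AUTH_KEY:?set CF_AUTH_KEY}"
}
```

Call `build_logpush_body` with the job name, dataset, field list and destination, inspect the printed JSON, then pass it to `create_logpush_job` together with the zone ID.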