Recorded Future Collective Insights for Cloudflare

Recorded Future's Collective Insights is a new type of Recorded Future analytics that gives you a complete view of what threats matter to your organization. Collective Insights enables you to analyze detected incidents to create an intelligence resource for use in two ways:

  • It provides a comprehensive view of detections across your infrastructure and controls
  • Its anonymized data can be used to create visualizations and analytics that compare threat vectors and the entire threat landscape for your enterprise with specific industries and geographies


The Cloudflare Collective Insights Connector pulls Cloudflare Firewall Events from the GraphQL API. Firewall events consist of HTTP requests that have triggered a firewall security rule. The connector does not pull raw network logs from Cloudflare, only events that have already been marked as malicious.

Source IP addresses are the only indicators ingested by Collective Insights, as that’s the only IOC available from this endpoint.

The following data points are collected from Cloudflare Firewall Events into Collective Insights:

  1. datetime
  2. clientIP
  3. source
  4. description
  5. action

Getting Started

To enable the Recorded Future integration for Cloudflare, navigate to the Integration Center in the left-hand menu. 

Click the Cloudflare tile. 

You will see additional details and resources for the integration. Click the blue Set up button.

Note: You must be an administrator to see the Set up button. 

Enter the requested information in the setup modal that displays.

  • Connector Name: Collective Insights Connector For Cloudflare
  • Cloudflare Authentication 
    • Access Token: a custom Cloudflare Access Token can be generated by following these instructions. (Please refer to FAQ for permissions needed for the custom token)
    • Zone ID: The Zone ID of the zone to pull events from. Currently the connector only supports pulling events from one zone at a time
  • Detection Parameters 
    • Sources Filter: Filters events to ones that match one or more specified Sources. Leaving this field blank will pull events from all sources. Examples: waf, firewall rules, rate limit.
    • Actions Filter: Filters events to ones that match one or more specified actions. Leaving this field blank will pull events from all actions. Examples: allow, block, log, challenge.
    • Connector Update Frequency: The frequency with which you want to update the Connector (default: 30 minutes)
  • Initial Import
    • Detections Created Last: The duration of historical information that Recorded Future will pull based on the initial setup. The default range is 1 day; ranges longer than the previous 24 hours may cause delays in the setup process.

FAQ:

1. How do I set up a connector under a sub-org in a multi-org environment?

To set up a connector under a specific sub-org, switch (as an Enterprise admin) to that sub-org and create the connector following the same process described above.

2. How do I support multiple Cloudflare zones?

One connector must be created per Cloudflare zone.

3. What permissions are needed when creating the custom access token in Cloudflare?

The following permissions (scope / permission / access level) are needed for the token in order to access the required data sets in Cloudflare:

  • Account / Account Analytics / Read
  • Zone / Logs / Read
  • Zone / Analytics / Read


Known Limitations

Only 10,000 events can be pulled at a single time from the GraphQL API, and pagination is not possible. As a result, there is a high risk that the connector will miss events from Cloudflare when a polling window contains more than 10,000 firewall events. To mitigate this, we recommend choosing a short polling frequency (30 minutes or less) and using the Sources and Actions filters to keep each window under the cap.
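The following is an added example and is not Recorded Future's connector code or a Cloudflare library. It shows what the connector description above implies: a GraphQL query against the firewallEventsAdaptive dataset that requests the five data points listed earlier (datetime, clientIP, source, description, action), narrows it with the Sources and Actions filters, and then checks whether a polling window returned the full 10,000 rows, which is the only signal that events were dropped. The filter names datetime_geq, datetime_lt, source_in and action_in and the zone id placeholder are assumptions; the response is a constructed sample, so the block runs offline.

```python
"""Added example, not Recorded Future's or Cloudflare's code: builds the
firewall-events query the connector description implies, applies the
Sources/Actions filters, and checks whether a window hit the 10,000 cap."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

GRAPHQL_ENDPOINT = "https://api.cloudflare.com/client/v4/graphql"
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"
PAGE_LIMIT = 10_000          # hard cap per query; the API offers no pagination
FIELDS = ("datetime", "clientIP", "source", "description", "action")  # data points ingested


def poll_window(start_iso, minutes):
    """Turn a UTC timestamp and a polling interval into a [start, end) window."""
    start = datetime.strptime(start_iso, ISO_FMT).replace(tzinfo=timezone.utc)
    return start, start + timedelta(minutes=minutes)


def _gql_list(values):
    """Render a list of strings as a GraphQL list literal, e.g. ["waf", "firewallRules"]."""
    return "[" + ", ".join(json.dumps(v) for v in values) + "]"


def build_query(zone_id, start, end, sources=None, actions=None, limit=PAGE_LIMIT):
    """GraphQL document for one polling window against the firewallEventsAdaptive dataset.

    The filter names datetime_geq / datetime_lt / source_in / action_in follow
    Cloudflare's analytics filter conventions but are assumed here; check them
    against the schema exposed to your account before relying on them."""
    clauses = [f'datetime_geq: "{start.strftime(ISO_FMT)}"',
               f'datetime_lt: "{end.strftime(ISO_FMT)}"']
    if sources:
        clauses.append(f"source_in: {_gql_list(sources)}")
    if actions:
        clauses.append(f"action_in: {_gql_list(actions)}")
    return ("query {\n"
            f'  viewer {{ zones(filter: {{zoneTag: "{zone_id}"}}) {{\n'
            f"    firewallEventsAdaptive(filter: {{{', '.join(clauses)}}}, "
            f"limit: {limit}, orderBy: [datetime_ASC]) {{ {' '.join(FIELDS)} }}\n"
            "  } }\n}")


def build_request(token, query):
    """HTTP pieces for the call; the token needs the read scopes listed in the FAQ."""
    return {"url": GRAPHQL_ENDPOINT,
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"},
            "body": json.dumps({"query": query})}


def extract_events(response):
    """Pull event rows out of a GraphQL response; an ignored error would look like 'no events'."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    zones = response["data"]["viewer"]["zones"]
    if not zones:
        return []
    return [{f: row.get(f) for f in FIELDS} for row in zones[0]["firewallEventsAdaptive"]]


def window_was_truncated(events, limit=PAGE_LIMIT):
    """A full page means the window held more events than one query can return;
    without pagination the remainder is lost unless the window is re-queried smaller."""
    return len(events) >= limit


def next_window(start, end, truncated):
    """Halve an overflowing window and retry; otherwise advance to the next window."""
    span = end - start
    return (start, start + span / 2) if truncated else (end, end + span)


def summarize_by_client_ip(events):
    """Detections per source IP, the only indicator the connector ingests."""
    return Counter(e["clientIP"] for e in events)


# Constructed sample response (documentation-range IPs, made-up rule descriptions).
SAMPLE_RESPONSE = {"data": {"viewer": {"zones": [{"firewallEventsAdaptive": [
    {"datetime": "2024-01-01T00:00:05Z", "clientIP": "198.51.100.7",
     "source": "waf", "description": "managed rule match", "action": "block"},
    {"datetime": "2024-01-01T00:00:09Z", "clientIP": "198.51.100.7",
     "source": "waf", "description": "managed rule match", "action": "block"},
    {"datetime": "2024-01-01T00:01:40Z", "clientIP": "203.0.113.44",
     "source": "ratelimit", "description": "login rate limit", "action": "challenge"},
]}]}}}

if __name__ == "__main__":
    start, end = poll_window("2024-01-01T00:00:00Z", 30)
    print(build_query("ZONE_ID_PLACEHOLDER", start, end, sources=["waf"], actions=["block"]))
    events = extract_events(SAMPLE_RESPONSE)
    print(summarize_by_client_ip(events))
    # Pretend the cap were 3 to show the shrink-and-retry decision.
    print(next_window(start, end, window_was_truncated(events, limit=3)))
```

The truncation check is the practical point: because the API returns at most 10,000 rows with no cursor, a page of exactly 10,000 rows is the only evidence that a window overflowed, and the connector's short polling interval plus the Sources/Actions filters are what keep windows below that size. Treating a GraphQL `errors` payload as a failure rather than an empty result matters for the same reason: an expired token or missing Zone Logs Read permission otherwise shows up as a quiet gap in detections.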

Happy Hunting !!

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.