Cloudflare Docs

Cloud Email Security (formerly Area 1)

Cloudflare Docs

Cloud Email Security (formerly Area 1)

Overview
Setup
Inline
Setup
Office 365 - Cloud Email Security (formerly Area 1) as MX Record
Use cases
1 - Junk email and Cloud Email Security (formerly Area 1) Admin Quarantine
2 - Junk email and user managed quarantine
3 - Junk email and administrative quarantine
4 - User managed quarantine and administrative quarantine
5 - Junk email folder and administrative quarantine
Google Workspace - Cloud Email Security (formerly Area 1) as MX Record
Cisco - Cloud Email Security (formerly Area 1) as MX Record
Cisco - Cisco as MX record
Reference
Egress IPs
API
Setup
Gmail BCC setup
Exchange BCC setup
Office 365 journaling setup
Office 365 Graph API setup
Email Retro Scan
Account setup
Manage account members
Escalation contacts
Manage parent permissions
SSO integration
Generic SSO guide
Okta guide
Azure guide
Cloudflare Access for SaaS
Permissions
Connect a Cloudflare account
Email configuration
Domains and routing
Domains
Alert Webhooks
Partner Domains TLS
Email policies
Text add-ons
Link actions
Allow and block lists
Allowed patterns
Trusted domains
Block lists
Enhanced detections
Business email compromise (BEC)
Office 365 directory integration
Google Workspaces directory integration
Added Detections
Retract settings
Gmail retraction
Office 365 retraction
Phish submissions
KnowBe4
Microsoft Report Message (not compatible)
PhishNet for Google Workspace
PhishNet for Office 365
Admin Quarantine
Reporting
Search
Available parameters
Phish reports
SIEM integration
KnowBe4
LogScale
Splunk
Sumo Logic
Audit Logs
Statistics overview
Types of malicious detections
API
Service accounts
Channel and Alliance Partners
Reference
How we detect phish
Dispositions and attributes
Timestamps
MS Office 365 GCC
Cloudflare SSO
Language support
Glossary

KnowBe4

When Cloud Email Security detects a phishing email, the metadata of the detection can be sent directly to KnowBe4. For this tutorial, you will need a working KnowBe4 account with the SecurityCoach add-on. You will also need to create an organization key to use in Cloud Email Security. This organization key will let you integrate KnowBe4 with Cloud Email Security. Refer to KnowBe4 documentation for more information on this subject.

After creating your organization key and authorizing Cloud Email Security:

Log in to the Cloud Email Security dashboard.
Go to Settings (the gear icon).
Go to Email Configuration > Domains & Routing > Alert Webhooks.
Select New Webhook.
In App Type, select SIEM.
Choose KnowBe4 from the dropdown, and paste your organization key into the Auth Code section.

In Target, paste the URL that suits your organization. KnowBe4 has different URLs for different regions:

KnowBe4 instance	URL
United States	`https://area1.vendor.training.knowbe4.com/v1`
European Union	`https://area1.vendor.eu.knowbe4.com/v1`
Canada	`https://area1.vendor.ca.knowbe4.com/v1`
United Kingdom	`https://area1.vendor.uk.knowbe4.com/v1`
Germany	`https://area1.vendor.da.knowbe4.com/v1`

Select Expanded from the drop-down menu for Malicious Style, Suspicious Style, and Spoof Style.
Select Publish Webhook.