Date: 2025-07-21

To configure a QRadar/Cloudflare integration you have the option to use one of the following methods:

HTTP Receiver Protocol

To send Cloudflare logs to QRadar, you need to create a Logpush job to an HTTP endpoint via the API. The two curl examples below show how to send Cloudflare Firewall events and Cloudflare HTTP events to QRadar.

Cloudflare Firewall events

Required API token permissions

At least one of the following token permissions is required:

Logs Write

Create Logpush job

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/logpush/jobs" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "<NAME>",
    "output_options": {
      "field_names": [
        "Action",
        "ClientIP",
        "ClientASN",
        "ClientASNDescription",
        "ClientCountry",
        "ClientIPClass",
        "ClientRefererHost",
        "ClientRefererPath",
        "ClientRefererQuery",
        "ClientRefererScheme",
        "ClientRequestHost",
        "ClientRequestMethod",
        "ClientRequestPath",
        "ClientRequestProtocol",
        "ClientRequestQuery",
        "ClientRequestScheme",
        "ClientRequestUserAgent",
        "EdgeColoCode",
        "EdgeResponseStatus",
        "Kind",
        "MatchIndex",
        "Metadata",
        "OriginResponseStatus",
        "OriginatorRayID",
        "RayID",
        "RuleID",
        "Source",
        "Datetime"
      ],
      "timestamp_format": "rfc3339"
    },
    "destination_conf": "<QRADAR_URL>:<LOG_SOURCE_PORT>",
    "max_upload_bytes": 5000000,
    "max_upload_records": 1000,
    "dataset": "firewall_events",
    "enabled": true
  }'
```

Cloudflare HTTP events

Required API token permissions

At least one of the following token permissions is required:

Logs Write

Create Logpush job

```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/logpush/jobs" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "name": "<NAME>",
    "output_options": {
      "field_names": [
        "ClientRequestMethod",
        "EdgeResponseStatus",
        "ClientIP",
        "ClientSrcPort",
        "CacheCacheStatus",
        "ClientCountry",
        "ClientDeviceType",
        "ClientIPClass",
        "ClientMTLSAuthCertFingerprint",
        "ClientMTLSAuthStatus",
        "ClientRegionCode",
        "ClientRequestBytes",
        "ClientRequestHost",
        "ClientRequestPath",
        "ClientRequestProtocol",
        "ClientRequestReferer",
        "ClientRequestScheme",
        "ClientRequestSource",
        "ClientRequestURI",
        "ClientRequestUserAgent",
        "ClientSSLCipher",
        "ClientSSLProtocol",
        "ClientXRequestedWith",
        "EdgeEndTimestamp",
        "EdgeRequestHost",
        "EdgeResponseBodyBytes",
        "EdgeResponseBytes",
        "EdgeServerIP",
        "EdgeStartTimestamp",
        "SecurityActions",
        "SecurityRuleIDs",
        "SecuritySources",
        "OriginIP",
        "OriginResponseStatus",
        "OriginSSLProtocol",
        "ParentRayID",
        "RayID",
        "SecurityAction",
        "WAFAttackScore",
        "SecurityRuleID",
        "SecurityRuleDescription",
        "WAFSQLiAttackScore",
        "WAFXSSAttackScore",
        "EdgeStartTimestamp"
      ],
      "timestamp_format": "rfc3339"
    },
    "destination_conf": "<QRADAR_URL>:<LOG_SOURCE_PORT>",
    "max_upload_bytes": 5000000,
    "max_upload_records": 1000,
    "dataset": "http_requests",
    "enabled": true
  }'
```

Cloudflare checks that the IP address and port are accessible and validates the certificate of the HTTP Receiver log source. If all parameters are valid, a Logpush job is created and starts to send events to the HTTP Receiver log source.
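A pre-flight check for the job body before it is POSTed, as an added example (not Cloudflare's or IBM's code): `lint_job` reports leftover template placeholders, a non-HTTPS or port-less `destination_conf` and repeated field names, and `probe_tls` repeats the certificate validation from your own host. The sample hostname, port and job name are constructed, and the HTTPS-only rule is an assumption of this example.

```python
import socket
import ssl
from collections import Counter
from urllib.parse import urlsplit

PAGE_DATASETS = {"firewall_events", "http_requests"}  # the two datasets on this page

def lint_job(job):
    """Return problems found in a Logpush job body; an empty list means clean."""
    problems = []
    if job.get("dataset") not in PAGE_DATASETS:
        problems.append("dataset is not firewall_events or http_requests")
    dest = job.get("destination_conf", "")
    if "<" in job.get("name", "") + dest:
        problems.append("placeholder (<...>) left in name or destination_conf")
    try:
        url = urlsplit(dest)
        if url.scheme != "https":  # assumption: receiver must be HTTPS for cert validation
            problems.append("destination_conf is not an https URL")
        if url.port is None:
            problems.append("destination_conf has no explicit log source port")
    except ValueError:
        problems.append("destination_conf is not a parseable URL")
    opts = job.get("output_options", {})
    dupes = sorted(f for f, n in Counter(opts.get("field_names", [])).items() if n > 1)
    if dupes:
        problems.append("duplicate field_names: " + ", ".join(dupes))
    if opts.get("timestamp_format") != "rfc3339":
        problems.append("timestamp_format is not the rfc3339 used on this page")
    return problems

def probe_tls(dest, timeout=5.0):
    """Validate the receiver's certificate chain and hostname from this host."""
    url = urlsplit(dest)
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    with socket.create_connection((url.hostname, url.port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=url.hostname) as tls:
            return tls.version()  # ssl.SSLError / OSError is raised on failure

# Constructed sample: hostname, port and job name are made up for this example.
SAMPLE_JOB = {
    "name": "qradar-http",
    "output_options": {
        "field_names": ["ClientIP", "EdgeStartTimestamp", "RayID", "EdgeStartTimestamp"],
        "timestamp_format": "rfc3339",
    },
    "destination_conf": "https://qradar.example.com:12469",
    "dataset": "http_requests",
}
```

`probe_tls` runs from your network rather than Cloudflare's, so a pass confirms the certificate chain and hostname but not that Cloudflare can reach the port.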

Amazon AWS S3 Rest API

When you use the Amazon S3 REST API protocol, IBM QRadar collects Cloudflare Log events from an Amazon S3 bucket. To use this option, you need to: