
Cloudflare Intel

Enrichment | Threat Intelligence

Synopsis

Enriches events by retrieving intelligence information from Cloudflare's API for domains, IP addresses, WHOIS records, and Autonomous System Numbers.

Schema

cloudflare:
- field: <ident>
- api_token: <string>
- account_id: <string>
- query_type: <enum>
- target_field: <ident>
- description: <text>
- if: <script>
- ignore_failure: <boolean>
- ignore_missing: <boolean>
- on_failure: <processor[]>
- on_success: <processor[]>
- tag: <string>

Configuration

| Field | Required | Default | Description |
|---|---|---|---|
| field | N | "domain" | Field containing query value |
| api_token | Y | - | Cloudflare API token |
| account_id | Y | - | Cloudflare Account ID |
| query_type | N | "whois" | Intelligence query type. Options: whois, ip, asn, domain |
| target_field | N | field | Field to store API response |
| description | N | - | Explanatory note |
| if | N | - | Condition to run |
| ignore_failure | N | false | Continue if API call fails |
| ignore_missing | N | false | Continue if source field doesn't exist |
| on_failure | N | - | See Handling Failures |
| on_success | N | - | See Handling Success |
| tag | N | - | Identifier |

Details

The processor is useful for threat intelligence, network analysis, and contextual enrichment. It uses Cloudflare's Intelligence API to retrieve information about domains, IP addresses, WHOIS records, and Autonomous System Numbers (ASNs), adding detailed network context to events.

Caution: Be aware of Cloudflare API rate limits.

Bear in mind, however, that private or local IP addresses may have limited intelligence, and ASN lookup accuracy depends on Cloudflare's database.

Tip: API calls may add latency to event processing, so Cloudflare API keys are cached for performance.

Available query types:

asn: Retrieve Autonomous System Number details
domain: Retrieve domain-related intelligence
ip: Get intelligence information for IPv4 and IPv6 addresses
whois: Retrieve domain registration details

Support for error handling, environment variables, and conditionals is also available.

Warning: API tokens must be managed securely. Also, ensure proper account access and permissions.

Examples

Basic

Retrieving WHOIS information...

{
  "domain": "cloudflare.com"
}
cloudflare:
- field: domain
- api_token: "${CLOUDFLARE_API_TOKEN}"
- account_id: "${CLOUDFLARE_ACCOUNT_ID}"
- query_type: whois

replaces the value of the domain field (target_field defaults to the source field) with the registration details:

{
  "domain": {
    "created_date": "2009-02-17T22:07:54.000Z",
    "created_date_raw": "2009-02-17T22:07:54Z",
    "dnssec": true,
    "domain": "cloudflare.com",
    "expiration_date": "2033-02-17T22:07:54.000Z",
    "expiration_date_raw": "2033-02-17T22:07:54Z",
    "extension": "com",
    "found": true,
    "id": "1542998887_DOMAIN_COM-VRSN",
    "name": "cloudflare.com",
    "nameservers": [
      "ns3.cloudflare.com",
      "ns4.cloudflare.com",
      "ns5.cloudflare.com",
      "ns6.cloudflare.com",
      "ns7.cloudflare.com"
    ],
    "punycode": "cloudflare.com",
    "registrant": "",
    "registrar": "Cloudflare, Inc.",
    "registrar_email": "abuseteam@cloudflare.com",
    "registrar_name": "Cloudflare, Inc.",
    "registrar_phone": "+1.6503198930",
    "registrar_referral_url": "http://www.cloudflare.com",
    "status": [
      "clientdeleteprohibited",
      "clienttransferprohibited",
      "clientupdateprohibited",
      "serverdeleteprohibited",
      "servertransferprohibited",
      "serverupdateprohibited"
    ],
    "updated_date": "2024-01-09T16:45:28.000Z",
    "updated_date_raw": "2024-01-09T16:45:28Z",
    "whois_server": "whois.cloudflare.com"
  }
}

IPs

Retrieving intelligence for an IP address...

{
  "source_ip": "1.1.1.1"
}
cloudflare:
- field: source_ip
- target_field: ip_intel
- api_token: "${CLOUDFLARE_API_TOKEN}"
- account_id: "${CLOUDFLARE_ACCOUNT_ID}"
- query_type: ip

provides detailed IP intelligence:

{
  "source_ip": "1.1.1.1",
  "ip_intel": {
    "ip": {
      "belongs_to_ref": {
        "country": "US",
        "description": "CLOUDFLARENET",
        "id": "autonomous-system--2fa28d71-3549-5a38-af05-770b79ad6ea8",
        "type": "isp",
        "value": 13335
      },
      "iana_reservations": [],
      "ip": "1.1.1.1",
      "ip_lists": null,
      "ptr_lookup": {
        "ptr_domains": [
          "one.one.one.one."
        ],
        "ptr_lookup_errors": ""
      }
    }
  }
}

ASNs

Retrieving Autonomous System Number details...

{
  "asn": "13335"
}
cloudflare:
- field: asn
- target_field: asn_intel
- api_token: "${CLOUDFLARE_API_TOKEN}"
- account_id: "${CLOUDFLARE_ACCOUNT_ID}"
- query_type: asn

provides network-related information:

{
  "asn": "13335",
  "asn_intel": {
    "organization": "Cloudflare, Inc.",
    "country": "US",
    "network_range": "1.1.1.0/24",
    "type": "Content Delivery Network"
  }
}

Conditionals

Performing lookup only for high-threat domains...

{
  "domain": "suspicious-domain.com",
  "threat_level": "high"
}
cloudflare:
- field: domain
- if: "ctx.threat_level == 'high'"
- target_field: domain_threat_intel
- api_token: "${CLOUDFLARE_API_TOKEN}"
- account_id: "${CLOUDFLARE_ACCOUNT_ID}"
- query_type: domain

retrieves only the relevant information:

{
  "domain": "suspicious-domain.com",
  "threat_level": "high",
  "domain_threat_intel": {
    "domain": {
      "created_date": "2025-01-17T00:00:00.000Z",
      "created_date_raw": "2025-01-17",
      "dnssec": false,
      "domain": "suspicious-domain.com",
      "expiration_date": "2026-01-16T00:00:00.000Z",
      "expiration_date_raw": "2026-01-16",
      "extension": "com",
      "found": true,
      "name": "suspicious-domain.com",
      "nameservers": [
        "ns01.one.com",
        "ns02.one.com"
      ],
      "punycode": "suspicious-domain.com",
      "registrant": "",
      "registrar": "",
      "status": [
        "active"
      ]
    },
    "level": "high"
  }
}

Error Handling

Anticipating lookup failures...

{
  "investigate_ip": "192.168.1.1"
}
cloudflare:
- field: investigate_ip
- ignore_missing: true
- ignore_failure: true
- api_token: "${CLOUDFLARE_API_TOKEN}"
- account_id: "${CLOUDFLARE_ACCOUNT_ID}"
- on_failure:
    - set:
        field: lookup_status
        value: "intelligence_lookup_failed"

deals with errors gracefully:

{
  "investigate_ip": "192.168.1.1",
  "lookup_status": "intelligence_lookup_failed"
}
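As an added illustration that is not part of the product's documentation or code, the following Python model reproduces the processor semantics shown in the examples above (default field, query_type and target_field, the if condition, ignore_missing, ignore_failure and on_failure) against an injected transport, so it runs offline without a token. The Cloudflare v4 Intel endpoint paths and the Bearer-token header are my assumptions from the public API reference, the if condition is modelled as a Python predicate rather than the processor's script syntax, and the private-address pre-check implements the caveat noted under Details.

```python
import ipaddress
from urllib.parse import urlencode

BASE = "https://api.cloudflare.com/client/v4"


def intel_path(account_id, query_type, value):
    """Assumed Cloudflare v4 Intel endpoint paths (verify against the current API reference)."""
    if query_type == "asn":
        return f"/accounts/{account_id}/intel/asn/{value}"
    if query_type == "ip":
        query = urlencode({"ipv6" if ":" in value else "ipv4": value})
    elif query_type in ("whois", "domain"):
        query = urlencode({"domain": value})
    else:
        raise ValueError(f"unknown query_type {query_type!r}")
    return f"/accounts/{account_id}/intel/{query_type}?{query}"


def build_request(cfg, value):
    """Return (url, headers) for one lookup. The token travels in a header, never in the
    URL, so it does not end up in proxy or web-server access logs."""
    path = intel_path(cfg["account_id"], cfg.get("query_type", "whois"), value)
    return BASE + path, {"Authorization": f"Bearer {cfg['api_token']}"}


def enrich(event, cfg, transport):
    """Apply the processor semantics to one event dict (mutated in place and returned).
    transport(url, headers) returns the decoded API result or raises on any failure."""
    if "if" in cfg and not cfg["if"](event):      # 'if' modelled as a Python predicate
        return event
    field = cfg.get("field", "domain")            # documented default
    if field not in event:
        if cfg.get("ignore_missing", False):
            return event
        raise KeyError(f"source field {field!r} missing")
    value = str(event[field])
    try:
        # Details caveat: private/local IPs carry little intelligence, so treat them as a
        # lookup failure instead of spending rate-limit budget on the API call.
        if cfg.get("query_type") == "ip" and ipaddress.ip_address(value).is_private:
            raise ValueError(f"{value} is a private address")
        url, headers = build_request(cfg, value)
        event[cfg.get("target_field", field)] = transport(url, headers)
    except Exception:
        for proc in cfg.get("on_failure", []):    # only the 'set' processor is modelled
            event[proc["set"]["field"]] = proc["set"]["value"]
        if not cfg.get("ignore_failure", False):
            raise
    return event
```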