TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: HTTP Event Collector (HEC)
ENVIRONMENT: Cloudflare
SUMMARY: Configuration Guide for Cloudflare
Vendor Information
| Field | Value |
|---|---|
| Vendor | Cloudflare |
| Supported Model Name/Number | N/A |
| Supported Software Version(s) | N/A |
| Collection Method | HTTP Event Collector |
| Provider Name | Cloudflare |
| Additional Information | https://developers.cloudflare.com/logs/get-started/enable-destinations/splunk/ |
Configuration Checklist
Part 1 - Authentication Token Creation within Huntress Dashboard
- Open the Huntress Portal.
- Hover over SIEM on the left navigation menu.
- Click Source Management.
- Click Add Source and select Cloudflare.
- Click Add.
- Set Configuration Details and Save:
- Select the appropriate Organization from the dropdown.
- Enter a unique name for the source.
- (Optional) Enter a description for the source.
- Record the HTTP Event Collector Token.
Note: Keep this token secure and treat it like a password; it is the only credential that authenticates events posted to this source.
Part 2 - Setting up Logpush within Cloudflare
- Log in to Cloudflare with an account that has administrator permissions.
- Go to the Logs section (Analytics & Logs > Logpush, or search for Logpush).
- Create a Logpush job.
- Select ‘Splunk’ as the destination.
- Enter the details from the source created in Huntress:
- Splunk raw HTTP Event Collector URL: the HEC URL from the Huntress source. Append ‘/raw’ to the end if it is not already there.
- Channel ID: a random GUID, generated with a tool such as guidgenerator.com (or uuidgen on the command line).
- Auth Token: the HEC token recorded in Part 1, prefixed with ‘Splunk ’ (note the single space between Splunk and the token).
- Source type: use cloudflare:json.
- Select the datasets you want pushed to Huntress; we suggest Access Requests and Audit Logs at a minimum.
- Leave the remaining settings at their defaults and save the Logpush configuration.
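For teams that script the Cloudflare side instead of clicking through the dashboard, the Python below assembles the same settings as Part 2 into Logpush job payloads for Cloudflare's API. This is an added example, not code from Huntress or Cloudflare. It assumes Cloudflare's documented splunk:// destination_conf format for Logpush Splunk destinations and the account-scoped dataset names access_requests and audit_logs; the HEC hostname, token and account ID are constructed placeholders. It enforces the three details that are easy to get wrong: the ‘/raw’ suffix on the collector URL, a GUID channel ID, and the ‘Splunk ’ prefix on the token, whose space must be percent-encoded once the header value is embedded in the destination URI.

```python
"""Build Cloudflare Logpush job payloads for a Huntress HEC (Splunk) destination.

Added example, not Huntress or Cloudflare code. Every hostname, token and
account ID in this file is a constructed placeholder.
"""
import json
import re
import uuid
from urllib.parse import quote, urlsplit, urlunsplit

# RFC 4122 textual GUID, case-insensitive
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
CF_API = "https://api.cloudflare.com/client/v4"


def normalize_hec_url(url: str) -> str:
    """Require HTTPS (the token travels in a header) and ensure the path ends in /raw."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("HEC URL must use https")
    path = parts.path.rstrip("/")
    if not path.endswith("/raw"):
        path += "/raw"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def normalize_auth_header(token: str) -> str:
    """Return 'Splunk <token>' with exactly one prefix and one space."""
    token = token.strip()
    if token.lower().startswith("splunk "):
        token = token[len("splunk "):].strip()
    if not token:
        raise ValueError("empty HEC token")
    return f"Splunk {token}"


def new_channel_id() -> str:
    """Random GUID for the Splunk channel, same as a guidgenerator.com value."""
    return str(uuid.uuid4())


def build_destination_conf(hec_url, token, channel_id=None,
                           sourcetype="cloudflare:json", skip_verify=False):
    """Cloudflare's splunk://host/path?channel=..&...&header_Authorization=.. string."""
    channel_id = channel_id or new_channel_id()
    if not UUID_RE.match(channel_id):
        raise ValueError(f"channel id is not a GUID: {channel_id}")
    endpoint = normalize_hec_url(hec_url)
    host_and_path = endpoint[len("https://"):]  # splunk:// replaces https://
    query = "&".join([
        f"channel={channel_id}",
        f"insecure-skip-verify={'true' if skip_verify else 'false'}",
        f"sourcetype={quote(sourcetype, safe='')}",
        # the space in 'Splunk <token>' must be percent-encoded inside the URI
        f"header_Authorization={quote(normalize_auth_header(token), safe='')}",
    ])
    return f"splunk://{host_and_path}?{query}"


def logpush_job_body(name, dataset, destination_conf):
    """JSON body for POST /accounts/{id}/logpush/jobs."""
    return {"name": name, "dataset": dataset,
            "destination_conf": destination_conf, "enabled": True}


def logpush_jobs_for_huntress(hec_url, token, channel_id=None,
                              datasets=("access_requests", "audit_logs")):
    """One job per dataset; Access Requests and Audit Logs are the suggested minimum."""
    conf = build_destination_conf(hec_url, token, channel_id)
    return [logpush_job_body(f"huntress-{ds.replace('_', '-')}", ds, conf)
            for ds in datasets]


def create_job_request(account_id, cf_api_token, body):
    """Request tuple (method, url, headers, json) for the account-scoped jobs endpoint."""
    return ("POST", f"{CF_API}/accounts/{account_id}/logpush/jobs",
            {"Authorization": f"Bearer {cf_api_token}",
             "Content-Type": "application/json"},
            json.dumps(body))


if __name__ == "__main__":
    # Placeholder values; replace with the Huntress source URL/token and your account.
    jobs = logpush_jobs_for_huntress(
        "https://hec.example.invalid:8088/services/collector", "0123abcd")
    for job in jobs:
        method, url, headers, payload = create_job_request("ACCOUNT_ID", "CF_TOKEN", job)
        hdrs = " ".join(f"-H '{k}: {v}'" for k, v in headers.items())
        print(f"curl -X {method} {hdrs} '{url}' --data '{payload}'")
```

Running the file prints the curl commands rather than sending them, so the generated destination_conf can be reviewed before a Cloudflare API token is put anywhere near it; insecure-skip-verify defaults to false so the HEC certificate is still validated.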