
Purpose

The Cloudflare integration enables AirMDR to authenticate with Cloudflare and access account- or zone-level configuration and security context required for alert enrichment, investigation, and workflow automation. Depending on the use case, AirMDR may use either a legacy Global API Key with the account email, or a scoped API Token with specific permissions. Cloudflare recommends using API tokens whenever possible because they are more secure and more narrowly scoped than Global API Keys.

Prerequisites

Ensure you meet these prerequisites before starting:
  • Access to a Cloudflare account with administrative privileges.
  • At least one domain (zone) added to your Cloudflare account.
  • Access to the required account and zone.
  • Permission to either:
    • Create API Tokens, or
    • Access the legacy Global API Key
  • Secure storage for the generated credentials

| Component | Supported Version |
| --- | --- |
| Cloudflare Dashboard | Supported |
| Cloudflare API | Current supported API |
| AirMDR Platform | Current supported cloud deployments |

Authentication

Cloudflare supports two authentication methods for AirMDR integration:
  • Global API Key method (legacy) uses:
    • Cloudflare account email
    • Global API Key
    • Account ID
  • Provides full account-level access
  • Should only be used if an API Token is not feasible

Required Parameters

| Parameter | API Token Method | Global API Key Method |
| --- | --- | --- |
| Authentication Email | ❌ Not required | ✅ Required |
| Global API Key | ❌ Not required | ✅ Required |
| API Token | ✅ Required | ❌ Not required |
| Account ID | ✅ Required | ✅ Required |
| Zone ID | ✅ Required | ✅ Required |

Use the API Token method wherever possible for better security and control.

🔑 Cloudflare Integration Guide

This guide outlines the process of retrieving key credentials from your Cloudflare dashboard for integration with external tools and APIs.
  • Method 1: Generate API Token (Recommended)
  • Method 2: Generate Global API Key (Legacy)

Method 1 - Generate API Token Setup steps

To generate an API Token in the Cloudflare Platform for integrating with AirMDR, follow these steps:
Step 1: Sign In to Cloudflare

  1. Go to the Cloudflare dashboard.
  2. Enter your login credentials and sign in.
Step 2: Create API Token

  1. Click your profile icon (top-right).
  2. Navigate to My Profile → API Tokens.
  3. Click Create Token.
  4. Choose
    • Predefined template
      (OR)
    • Custom Token
  5. Configure:
    • Token Name
    • Permissions (Zone / Account level)
    • Resources (specific zones or all zones)
  6. Click Continue to summary → Create Token.
    The token is displayed only once.
    Copy and securely save the secret API Token in your preferred password manager or secure storage solution.
Step 3: Retrieve Cloudflare Account ID

  1. From the main dashboard, select any of your active domains.
  2. In the left-hand sidebar, scroll down and click Overview (if not already selected).
  3. In the right-side panel (under “API” section), locate your Account ID.
  4. Click Copy to save it.
Step 4: Retrieve Cloudflare Zone ID (Optional)

  1. Open the Overview tab of your selected domain (zone).
  2. Scroll down to the section titled API or Zone ID.
  3. Locate the Zone ID and click Copy.
    The Zone ID uniquely identifies your domain within Cloudflare.
    Email the API Token, Cloudflare Account ID, and Cloudflare Zone ID to AirMDR, or self-configure Cloudflare in the AirMDR Integrations Dashboard.

Method 2: Generate Global API Key (Legacy) Setup steps

To generate a Global API Key in the Cloudflare Platform for integrating with AirMDR, follow these steps:
Step 1: Sign In to Cloudflare

  1. Go to the Cloudflare dashboard.
  2. Enter your login credentials and sign in.
Step 2: Retrieve Your Authentication Email

Your authentication email is the email address you use to log into Cloudflare.

It will appear in the top-right corner of the dashboard once you’re logged in.
This email is used along with your API key when authenticating API requests.
  1. Log in to the Cloudflare dashboard.
  2. Click your profile icon in the top-right corner.
  3. Open your profile settings.
  4. Note the email address associated with the account.
    Use only this value as the Authentication Email when AirMDR requires legacy Global API Key authentication
Step 3: Retrieve the Global API Key (Authentication API Key)

  1. From the dashboard, click your profile icon in the top-right corner.
  2. Select My Profile, then go to the API Tokens tab.
  3. Under the API Keys section, locate Global API Key and click View.
  4. Enter your password to confirm.
  5. Click Copy to store the key securely.
    The Global API Key grants full account access.
    Copy and securely save the secret API key in your preferred password manager or secure storage solution. Use the Global API Key only if your AirMDR integration specifically requires the legacy authentication model.
Step 4: Retrieve Cloudflare Account ID

  1. From the main dashboard, select any of your active domains.
  2. In the left-hand sidebar, scroll down and click Overview (if not already selected).
  3. In the right-side panel (under “API” section), locate your Account ID.
  4. Click Copy to save it.
Step 5: Retrieve Cloudflare Zone ID (Optional)

  1. Open the Overview tab of your selected domain (zone).
  2. Scroll down to the section titled API or Zone ID.
  3. Locate the Zone ID and click Copy.
    The Zone ID uniquely identifies your domain within Cloudflare.
    Email the Global API Key, Authentication Email, Cloudflare Account ID, and Cloudflare Zone ID to AirMDR, or self-configure Cloudflare in the AirMDR Integrations Dashboard.

| Credential | Path |
| --- | --- |
| API Token | My Profile → API Tokens → Create Token |
| Global API Key | My Profile → API Tokens → API Keys |
| Account ID | Account Home → Overview |
| Zone ID | Zone → Overview |

You can integrate Cloudflare with AirMDR using:

Recommended:
  • API Token + Account ID + Zone ID
Alternative:
  • Email + Global API Key + Account ID + Zone ID

| Credential | Description |
| --- | --- |
| API Token | Used to authenticate API requests |
| Authentication Email | Your Cloudflare login email |
| Global API Key | Used to authenticate API requests |
| Account ID | Unique ID for your Cloudflare account |
| Zone ID (Optional Requirement only) | Unique ID for each domain (zone) added to Cloudflare |

  • Store credentials in environment variables or secrets managers.
  • Rotate Global API keys/API tokens regularly and revoke unused tokens immediately.

Support

For Cloudflare account and API token issues, refer to Cloudflare API and account documentation. For AirMDR integration issues, contact AirMDR Support.

| Error | Cause | Resolution |
| --- | --- | --- |
| Invalid API Key | Incorrect Global API Key | Recheck the Global API Key in My Profile |
| Invalid Authentication Email | Wrong Cloudflare account email | Confirm the login email used in Cloudflare |
| Invalid API Token | Token expired, revoked, or missing scope | Recreate the token with the correct permissions |
| Account ID not found | Wrong account selected | Verify the account from Account Home or Workers & Pages |
| Zone ID not found | Wrong zone selected | Verify the zone from the Overview page |
| Permission denied | Token lacks required permissions | Update token scopes and retry |

Sample cURL Requests to Test Cloudflare Authentication - with GLOBAL_API_KEY


curl -X GET "https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/audit_logs?per_page=1" \
  -H "X-Auth-Key: {API_KEY}" \
  -H "X-Auth-Email: {AUTH_EMAIL}" \
  -H "Content-Type: application/json"
Replace:
  • {ACCOUNT_ID} with your actual Cloudflare Account ID
  • {AUTH_EMAIL} with your Cloudflare account email
  • {API_KEY} with your Global API Key

Sample response:

{
    "result": [
        {
            "action": {
                "result": true,
                "type": "login"
            },
            "actor": {
                "email": "example.sample@yourcompany.com",
                "id": "5b1513f96649e65............",
                "ip": "46.49.44.187",
                "type": "user"
            },
            "id": "f9276d3e-c9aa-5edd-9e61-.........",
            "interface": "",
            "metadata": {},
            "newValue": "",
            "newValueJson": {},
            "oldValue": "",
            "oldValueJson": {},
            "owner": {
                "id": "5b1513f96649e6............."
            },
            "resource": {
                "id": "5b1513f96649e..........",
                "type": "account"
            },
            "when": "2026-03-24T10:15:06Z"
        }
    ],
    "success": true,
    "errors": [],
    "messages": []
}

Sample cURL Requests to Test Cloudflare Authentication - with API_TOKEN

curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
  -H "Authorization: Bearer {API_TOKEN}" \
  -H "Content-Type: application/json"
Replace {API_TOKEN} with your actual Cloudflare API Token.

Sample response:

{
    "result": {
        "id": "a49de11a..................b",
        "status": "active"
    },
    "success": true,
    "errors": [],
    "messages": [
        {
            "code": 10000,
            "message": "This API Token is valid and active",
            "type": null
        }
    ]
}
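One way to script the token check above without relying on the HTTP status alone, as an added example (not AirMDR's or Cloudflare's code): it reads the token from an environment variable, here assumed to be named CLOUDFLARE_API_TOKEN, and accepts the token only when the response reports success and an active status. The function names and the three sample bodies are constructed for illustration.

```python
import json
import os
import urllib.error
import urllib.request

VERIFY_URL = "https://api.cloudflare.com/client/v4/user/tokens/verify"
# Constructed sample bodies shaped like the response shown above (no real tokens).
SAMPLE_ACTIVE = '{"result": {"id": "constructed-id", "status": "active"}, "success": true, "errors": [], "messages": []}'
SAMPLE_EXPIRED = '{"result": {"id": "constructed-id", "status": "expired"}, "success": true, "errors": [], "messages": []}'
SAMPLE_REJECTED = '{"result": null, "success": false, "errors": [{"code": 1000, "message": "Invalid API Token"}], "messages": []}'


def evaluate_verify_response(body):
    """Return (usable, reason) for a /user/tokens/verify response body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):
        return False, "response is not a JSON object"
    if doc.get("success") is not True:
        errors = [e for e in (doc.get("errors") or []) if isinstance(e, dict)]
        detail = "; ".join(str(e.get("message")) for e in errors) or "no error detail"
        return False, f"API reported failure: {detail}"
    status = (doc.get("result") or {}).get("status")
    if status != "active":
        return False, f"token status is {status!r}, expected 'active'"
    return True, "token is valid and active"


def verify_token_from_env(var="CLOUDFLARE_API_TOKEN"):
    """Verify a token read from the environment, keeping it out of argv and shell history."""
    token = os.environ.get(var, "").strip()
    if not token:
        return False, f"{var} is not set"
    req = urllib.request.Request(VERIFY_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # error statuses still carry a JSON body
        body = exc.read().decode("utf-8", "replace")
    except urllib.error.URLError as exc:
        return False, f"network error: {exc.reason}"
    return evaluate_verify_response(body)


if __name__ == "__main__":
    ok, reason = verify_token_from_env()
    raise SystemExit(0 if ok else f"FAIL: {reason}")
```

Run as a script, it exits non-zero with the reason on stderr, so it can gate a deployment step before the credentials are entered into AirMDR.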

Skills Provided by this Integration

To ensure proper functionality of Cloudflare integrations in AirMDR, configure permissions based on the Skills you intend to use.
Grant only the minimum required permissions based on the enabled Skills.

| Skill Name | Access Type | Permissions Required |
| --- | --- | --- |
| Cloudflare Get Account Audit Logs for Detections | Read | Audit Logs (Account: Read), Account Settings (Account: Read) |
| Get Cloudflare Audit Logs | Read | Audit Logs (Account: Read) |
| Get Cloudflare Security Center Insights | Read | Security Insights (Account: Read), Zone WAF (Zone: Read) |
| List Cloudflare Access Applications | Read | Access: Apps and Policies (Account: Read), Zone (Zone: Read) |
| Get Cloudflare Zone Details | Read | Zone (Zone: Read), Zone Settings (Zone: Read) |
| Create Cloudflare Ruleset Rule | Read + Write | Account Rulesets (Account: Edit), Zone WAF (Zone: Edit) |

Summary

| Access Type | Scope |
| --- | --- |
| Read | Audit Logs, Security Insights, Access Applications, Zone Data |
| Read + Write | Ruleset creation and WAF modifications |

| Skill ID | Purpose |
| --- | --- |
| Get Cloudflare Security Center Insights | Fetches security insights from Cloudflare Security Center for accounts or zones. |
| Get Cloudflare Audit Logs | Fetches audit logs from Cloudflare accounts showing changes and activities. |
| Cloudflare Get Account Audit Logs for Detections | This skill retrieves audit logs from Cloudflare for detection purposes. It supports filtering by actor email/IP, time ranges, zones, and pagination to identify security-related activities and configuration changes. |
| List Cloudflare Access Applications | Lists Cloudflare Access applications for accounts or zones with rich filters. |
| Get Cloudflare Zone Details | Gets Cloudflare zones with optional filters or a specific zone by ID. |
| Create Cloudflare Ruleset Rule | Creates a new rule within a Cloudflare ruleset for accounts or zones. |

To view the details of Input Parameters and Output for the respective skills:
  • Go to AirMDR → Cloudflare Integration page.
  • Select the Skills tab and click on the required listed skills.

Configure Cloudflare in the AirMDR Integrations Dashboard

  1. Navigate to AirMDR, provide the credentials, and click Login.
  2. Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select Integrations.
  3. Use the search option, enter the keyword “Cloudflare”, select the Connections tab, and click Add New Connection.
  4. Enter a unique name for the Instance (e.g., your org name-Cloudflare) and a brief Description so that AirMDR can easily identify the user connection.
  5. Enter the generated Authentication API Key (Global API Key) and the retrieved Authentication Email, Cloudflare Account ID, Cloudflare Zone ID, and Expiry (optional) in the Authentication Details fields, and click Save.