The integration described in this guide uses Cloudflare One Zero Trust to secure infrastructure through identity verification and access controls that filter outbound traffic.
This article shows how to use the Lumu Defender API and Cloudflare One™ (via the Cyber Controller API) to mitigate security risks through the Zero Trust Reusable List feature.
Response integration between Cloudflare One and Lumu
Lumu's Custom Response integration with Cloudflare One uses the Cloudflare One API to manage Reusable Lists, adding and removing the IPs, domains and URLs related to Lumu detections. These Zero Trust Reusable Lists can be referenced in Gateway policies or Access policies within your Cloudflare One deployment, automating the response on devices potentially affected by the adversaries Lumu has detected.
From the Account Home screen, use the left-hand menu to go to Manage account and select Account API Token.
This integration follows the Cloudflare recommendation of using Account API Tokens. Find more information about Cloudflare standards in their official documentation.
Assign a name to your integration token. Within the Permission policies section, look for the Cloudflare One/Zero Trust permissions. Then, select the Read and Edit permissions. You may also set a token expiration and restrict access by specifying allowed client IPs to enhance security if needed.
A popup window displaying your account ID and the generated token will appear. Ensure you copy the Account ID and the API token, as they are required to complete the integration process.
Do not reuse credentials across multiple integration instances. A dedicated token per instance keeps the integration consistent and stable and makes auditing of its API activity straightforward.
You must collect the following information from the Lumu portal: your Lumu Defender API key and your Lumu company UUID. Follow the steps in the sections below to collect them.
To collect the Lumu Defender API key, please refer to the Defender API document.
To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.
Follow the steps below if your integration host does not have Docker installed. Use the Docker installation documentation that corresponds to your OS. On Linux, complete the Post-installation steps before deploying the integration, so that your user can talk to the Docker daemon.
For Windows users, follow the Install Docker Desktop for Windows documentation to install the Docker Engine.
Lumu provides a short script to manage the integration. On your integration host, create a file named manage.sh and paste the following code into it.
#!/usr/bin/env bash
# manage.sh: helper for deploying and operating the Lumu / Cloudflare One
# response integration. Usage: bash manage.sh {config|start|status|logs}

# Terminal colours used by the logging helpers below.
RED='\033[0;31m'
GREEN='\033[0;32m'
CYAN='\033[0;36m'
YELLOW='\033[1;33m'
BOLD='\033[1m'
RESET='\033[0m'

info()    { echo -e "${CYAN}[INFO]${RESET} $*"; }
success() { echo -e "${GREEN}[OK]${RESET} $*"; }
warn()    { echo -e "${YELLOW}[WARN]${RESET} $*"; }
error()   { echo -e "${RED}[ERROR]${RESET} $*" >&2; }
prompt()  { echo -e "${BOLD}${YELLOW}$*${RESET}"; }

# Integration image and the names of the two containers it runs as.
IMG=lumutools/cloudflare-one-threat-feeder:latest
INTEGRATION_NAME=lumu-cloudflare-one-response
INTEGRATION_NAME_IOC=lumu-cloudflare-one-response-ioc

# Host directory that persists the configuration, the IOC database and the
# status file across container restarts.
INTEGRATION_DIR=${HOME}/CloudflareOneResponse
VOLUME_DATA=${INTEGRATION_DIR}/data:/app/data
VOLUME_CONFIG=${INTEGRATION_DIR}/data/.config.toml:/app/.config.toml:ro
VOLUME_IOC=${INTEGRATION_DIR}/data/ioc.db:/app/data/ioc.db:ro

mkdir -p "${INTEGRATION_DIR}/data"
# The containers write to the data directory as an unprivileged user, so it is
# made world-writable. .config.toml will hold your Cloudflare and Lumu
# credentials: restrict who can log in to the integration host.
chmod -R o+w "${INTEGRATION_DIR}/data" > /dev/null 2>&1

# config: interactive wizard that validates the credentials and writes
# data/.config.toml.
run_config() {
    info "Running configuration script ..."
    if docker run --rm -it -v "${INTEGRATION_DIR}/data:/app/data" "${IMG}" bash run_config; then
        success "Configuration completed."
    else
        error "Configuration script failed."; return 1
    fi
}

# start: create (if missing) and start the IOC container first, then the main
# component, which mounts the IOC database (ioc.db) read-only.
start_integration() {
    info "Setting up IOC integration '${INTEGRATION_NAME_IOC}' ..."
    if [[ ! -f "${INTEGRATION_DIR}/data/.config.toml" ]]; then
        error "Please configure the integration first."; return 1
    fi
    if ! docker container inspect "${INTEGRATION_NAME_IOC}" &>/dev/null; then
        info "Integration '${INTEGRATION_NAME_IOC}' does not exist. Creating it ..."
        if ! docker create \
            -v "${VOLUME_DATA}" \
            -v "${VOLUME_CONFIG}" \
            --restart unless-stopped \
            --log-driver json-file \
            --log-opt max-size=30m \
            --log-opt max-file=3 \
            --name "${INTEGRATION_NAME_IOC}" \
            "${IMG}" bash run_ioc; then
            error "Failed to create IOC integration."
            return 1
        fi
    else
        warn "Integration '${INTEGRATION_NAME_IOC}' already exists. Skipping its creation."
    fi
    if docker start "${INTEGRATION_NAME_IOC}"; then
        # Give the IOC container a moment to initialise before the main
        # component mounts its database.
        success "IOC integration started."; sleep 5
    else
        error "Failed to start IOC integration."; return 1
    fi

    info "Setting up main integration '${INTEGRATION_NAME}' ..."
    if ! docker container inspect "${INTEGRATION_NAME}" &>/dev/null; then
        info "Integration '${INTEGRATION_NAME}' does not exist. Creating ..."
        if ! docker create \
            -v "${VOLUME_DATA}" \
            -v "${VOLUME_CONFIG}" \
            -v "${VOLUME_IOC}" \
            --restart unless-stopped \
            --log-driver json-file \
            --log-opt max-size=30m \
            --log-opt max-file=3 \
            --name "${INTEGRATION_NAME}" \
            "${IMG}" bash run_component; then
            error "Failed to create main integration."; return 1
        fi
    else
        warn "Integration '${INTEGRATION_NAME}' already exists. Skipping create."
    fi
    if docker start "${INTEGRATION_NAME}"; then
        success "Main integration started."
    else
        error "Failed to start main integration."; return 1
    fi
}

# status: read data/.status.ndjson, written by the running containers, through
# a one-off container with the data directory mounted read-only.
check_status() {
    info "Checking status of integrations ..."
    if [[ ! -f "${INTEGRATION_DIR}/data/.status.ndjson" ]]; then
        error "Status check failed. Verify if your integration has been deployed."; return 1
    fi
    if docker run --rm -it -v "${VOLUME_DATA}":ro "${IMG}" bash run_status; then
        success "Status check completed."
    else
        error "Status check failed."; return 1
    fi
}

# logs: follow the last 100 lines of the selected container's log.
show_logs() {
    echo ""
    prompt "Select which logs to view:"
    echo -e " ${CYAN}1${RESET}) IOC integration (${INTEGRATION_NAME_IOC})"
    echo -e " ${CYAN}2${RESET}) Main integration (${INTEGRATION_NAME})"
    echo ""
    read -rp "$(prompt 'Enter option [1/2]: ')" choice
    case "${choice}" in
        1)
            info "Showing logs for '${INTEGRATION_NAME_IOC}' ..."
            docker logs --tail 100 -f "${INTEGRATION_NAME_IOC}"
            ;;
        2)
            info "Showing logs for '${INTEGRATION_NAME}' ..."
            docker logs --tail 100 -f "${INTEGRATION_NAME}"
            ;;
        *)
            error "Invalid option '${choice}'."
            return 1
            ;;
    esac
}

usage() {
    echo ""
    prompt " CLOUDFLARE ONE RESPONSE INTEGRATION MANAGEMENT"
    echo -e " ${BOLD}Usage:${RESET} $0 {config|start|status|logs}"
    echo ""
    echo -e " ${CYAN}config${RESET} Run configuration"
    echo -e " ${CYAN}start${RESET} Start integration"
    echo -e " ${CYAN}status${RESET} Check integration status"
    echo -e " ${CYAN}logs${RESET} Show integration logs"
    echo ""
}

case "${1}" in
    config) run_config ;;
    start)  start_integration ;;
    status) check_status ;;
    logs)   show_logs ;;
    *)      usage
            [[ -n "${1}" ]] && error "Unknown command '${1}'."
            exit 1 ;;
esac
With the management script you can run the configuration wizard (config), start the integration (start), check its status (status) and view its logs (logs). You can see these options by running the script with no arguments.
When you run the config option, a wizard guides you through a series of prompts. If the credentials you provide are correct, the wizard confirms it; if they fail, you receive an error message and can either re-enter them or proceed despite the error.
Run the config option and enter all parameters gathered during the Preliminary Setup steps. Fix any errors in your inputs if prompted.
We strongly recommend correcting any credential errors before starting the integration with the start option. Fill in the configuration data carefully: mistakes or missing data will produce errors during deployment and at run time.
Start the integration with the start option of the management script.
If you have run this process before, you may see warnings that the containers already exist. To make sure you run the latest version of the integration, stop and remove both containers (lumu-cloudflare-one-response-ioc and lumu-cloudflare-one-response) and pull the lumutools/cloudflare-one-threat-feeder image again before using the start option; the script reuses an existing container rather than recreating it.
The integration is now active. Use the status option to check its current state.
For additional debugging or information, run the Docker commands described in the Troubleshooting section of this document. Monitor the console output for unexpected errors; if any appear, fix them and run the command again.
The logs option shows the integration's logs. You will be prompted to choose between option 1, the IOC integration (lumu-cloudflare-one-response-ioc), and option 2, the main integration component (lumu-cloudflare-one-response); the script then follows the selected container's log output.
Once the integration is running, the Indicators of Compromise (IoCs) present in your Lumu instance appear in the Reusable Lists the integration creates. To verify the uploaded IoCs, log in to your Cloudflare One instance, open the Protect & Connect menu on the left and go to Zero Trust > Reusable components > Lists. You will find new entries named after the configured integration name and ending in -LumuIOCs.
Select a list and click its edit option to review the Lumu indicators currently active in it.
Cloudflare allows up to 1000 entries per Reusable List. Entries beyond that threshold are discarded, and the integration enforces the maximum strictly: Lumu fills the 1000 available slots with the most recent active IoCs, so older indicators age out as new ones arrive.
With Cloudflare One, you can create lists of URLs, hostnames, IPs or other entries and reference them when building Gateway policies or Access policies, so that one rule matches and acts on many items at once. The Reusable Lists created by this integration can be used in your Firewall or Gateway traffic policies.
The Reusable IP list can additionally be used as a selector in Access policies.
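The two behaviours described above, sorting detections into per-type lists under the 1000-entry cap and sending Cloudflare only the changes, are worth seeing in code. The following is an added example written for this page, not the Lumu integration's own code. It assumes (hypothetically) that detections arrive as dicts with value, last_seen (ISO 8601) and active fields, and that a list update is expressed as an append/remove payload, which is the shape I understand the Cloudflare Gateway list PATCH endpoint to take; check it against the current Cloudflare API reference before relying on it.

```python
"""Selecting and reconciling Lumu IoCs for Cloudflare Zero Trust Reusable Lists.

Added example for this page; not the Lumu integration's own code. The detection
record shape and the append/remove payload shape are assumptions (see lead-in).
"""
from datetime import datetime
import ipaddress

MAX_LIST_ENTRIES = 1000                # per-list cap stated in the text above
LIST_TYPES = ("IP", "DOMAIN", "URL")   # a Cloudflare list holds one entry type


def normalize(value):
    """Trim whitespace; lower-case hostnames and IPs but leave URLs intact
    (URL paths can be case-sensitive on the target server)."""
    value = value.strip()
    return value if "://" in value or "/" in value else value.lower()


def classify(value):
    """Return the Reusable List type an indicator belongs in."""
    try:
        ipaddress.ip_network(value, strict=False)  # accepts hosts and CIDRs
        return "IP"
    except ValueError:
        pass
    if "://" in value or "/" in value:
        return "URL"
    return "DOMAIN"


def select_iocs(detections, cap=MAX_LIST_ENTRIES):
    """Keep active indicators only, newest first, deduplicated, at most `cap`
    per list type. Returns {type: [values ...]} in recency order, so the
    entries dropped when the cap is hit are always the oldest ones."""
    selected = {t: [] for t in LIST_TYPES}
    seen = set()
    active = [d for d in detections if d.get("active")]
    active.sort(key=lambda d: datetime.fromisoformat(d["last_seen"]), reverse=True)
    for det in active:
        value = normalize(det["value"])
        if value in seen:
            continue
        seen.add(value)
        bucket = selected[classify(value)]
        if len(bucket) < cap:
            bucket.append(value)
    return selected


def reconcile(current, desired):
    """Minimal change set taking one list from `current` (values already in
    Cloudflare) to `desired`, so unchanged entries are never re-uploaded."""
    cur, want = set(current), set(desired)
    return {
        "append": [{"value": v} for v in sorted(want - cur)],
        "remove": sorted(cur - want),
    }


def build_payloads(detections, current_by_type, cap=MAX_LIST_ENTRIES):
    """One update payload per list type (e.g. one per '<name>-LumuIOCs' list)."""
    desired = select_iocs(detections, cap)
    return {t: reconcile(current_by_type.get(t, []), desired[t]) for t in LIST_TYPES}


# Constructed sample detections (not real Lumu data), using documentation ranges.
SAMPLE_DETECTIONS = [
    {"value": "203.0.113.7", "last_seen": "2024-05-02T09:00:00+00:00", "active": True},
    {"value": "Malicious.Example.NET", "last_seen": "2024-05-01T12:00:00+00:00", "active": True},
    {"value": "malicious.example.net", "last_seen": "2024-04-30T08:00:00+00:00", "active": True},
    {"value": "http://bad.example.org/Payload.bin", "last_seen": "2024-05-03T07:30:00+00:00", "active": True},
    {"value": "198.51.100.9", "last_seen": "2024-04-01T00:00:00+00:00", "active": False},
    {"value": "old.example.com", "last_seen": "2024-03-15T00:00:00+00:00", "active": True},
]

# Constructed picture of what Cloudflare currently holds: one stale IP to remove.
SAMPLE_CURRENT = {"IP": ["198.51.100.9", "203.0.113.7"], "DOMAIN": [], "URL": []}

if __name__ == "__main__":
    import json
    print(json.dumps(build_payloads(SAMPLE_DETECTIONS, SAMPLE_CURRENT), indent=2))
```

Running it shows the inactive 198.51.100.9 queued for removal, the duplicate domain collapsed to one entry, and the URL kept with its original casing; passing a small cap to select_iocs shows the oldest domain dropping out first, which is the ageing behaviour the 1000-entry limit produces in practice.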
The management script covers general troubleshooting; additional diagnostic commands are listed here for when they are needed.
This section collects the issues you are most likely to find after running the troubleshooting commands above.
If you get an error such as "permission denied while trying to connect to the Docker daemon socket" when building the integration, the official Docker post-installation documentation describes the fix (adding your user to the docker group).
Log entries indicating a connection problem usually contain keywords such as timeout or connection error. These point to an underlying network issue; check the host's network and internet connectivity.