Data Integration Guide - Cloudflare
Overview
The Cloudflare integration connects Unify with Cloudflare’s web and access security data, enabling visibility into user activity and policy enforcement events from Cloudflare within Unify. It ingests DNS, access, and security event logs enriched with user identity, policy, and category metadata, allowing these events to be correlated with other data sources and used to trigger automated workflows.
The Cloudflare integration connects to Cloudflare R2 object storage (S3-compatible) to retrieve DNS events and email security events.
Prerequisites
- Cloudflare account with R2 storage enabled
- R2 bucket containing DNS or email security event data
- Authentication credentials (IAM User access keys OR IAM Role ARN)
Required Configuration Parameters
Core Parameters (All Clients)
| Parameter Name | Required | Description | Format / Example / Notes |
|---|---|---|---|
| account_id | Yes | Your Cloudflare account ID | Used to construct the R2 endpoint URL: https://{account_id}.r2.cloudflarestorage.com. Example: `688853243e5da8fe329803c434792976` |
| bucket_name | Yes | Name of the R2 bucket containing event data | Example: cloudflare-dns-logs or cloudflare-email-security |
| target_account_id | Yes | AWS-compatible account ID for the R2 bucket | Typically the same as account_id |
Authentication Configuration
Choose ONE of two authentication strategies:
Option 1: IAM User Authentication (Recommended for R2)
authentication_strategy: IAM_USER
| Parameter Name | Required | Description | How to Obtain |
|---|---|---|---|
| target_iam_user_aws_access_key | Yes | R2 access key ID | Obtain from Cloudflare R2 dashboard under “Manage R2 API Tokens” |
| target_iam_user_aws_secret_key | Yes | R2 secret access key | Obtain from Cloudflare R2 dashboard when creating the API token |
| target_region | No | R2 region (default: auto) | R2 uses automatic region selection by default |
Option 2: IAM Role Authentication
authentication_strategy: IAM_ROLE
| Parameter Name | Required | Description | Format / Example / Notes |
|---|---|---|---|
| target_role_arn | Yes | ARN of the IAM role to assume | Format: arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME |
| target_session_name | Yes | Session name for the assumed role | Example: CloudflareR2Session |
| target_role_external_id | No | External ID for role assumption (if required) | Provide only if your AWS policy enforces use of an external ID |
| assume_internal_role | No | Whether to assume an internal cross-account role first | Default: true |
Optional Parameters
| Parameter Name | Required | Description | Format / Example / Notes |
|---|---|---|---|
| endpoint_url | No | Custom R2 endpoint URL | Default: https://{account_id}.r2.cloudflarestorage.com. Only needed if using a custom endpoint |
| region | No | R2 region | Default: auto; typically left as "auto" for automatic region selection |
Client-Specific Configuration
Cloudflare DNS Client
Automatically filters DNS events for the following category IDs:
| Cloudflare Content Code | Description |
|---|---|
| 184 | AI |
| 21 | Security Threats |
| 32 | Security Risks |
| 8 | Gambling |
| 125, 133 | Adult Content |
| 12 | P2P |
| 95 | File Sharing |
| 157 | Hate/Extremism |
| 29 | Violence |
| 31 | Child Abuse |
Cloudflare Email Security Client
Automatically filters email security events for the following dispositions:
- MALICIOUS
- SPAM
- SUSPICIOUS
- SPOOF
- BULK
Setup Steps
1. Create R2 Bucket in Cloudflare
   a. Log into Cloudflare dashboard
   b. Navigate to R2 Object Storage
   c. Create a new bucket for DNS or email security logs
2. Generate R2 API Token
   a. In R2 dashboard, click "Manage R2 API Tokens"
   b. Create new API token with read permissions for your bucket
   c. Save the new Access Key ID and Secret Access Key
3. Configure Data Export to R2
   a. Set up Cloudflare Logpush to export DNS logs or email security logs to your R2 bucket
   b. Configure export format as JSON records with GZIP compression
   c. Set appropriate prefix for organization (e.g., dns-logs/ or email-security/)
4. Configure Integration in Unify
   a. Select appropriate client type (cloudflare_dns_client or cloudflare_email_security_client)
   b. Enter your Cloudflare account ID
   c. Enter R2 bucket name
   d. Provide R2 API credentials (access key and secret key from 2c above)
   e. Configure stream options (prefix, format, compression)
5. Test Connection
   a. Run a test extraction to verify connectivity
   b. Verify events are being retrieved and filtered correctly
   c. Check that insights are being generated from the events
Troubleshooting
Connection Errors:
- Verify account_id is correct
- Ensure R2 API token has read permissions for the bucket
- Check that bucket_name matches exactly
No Events Retrieved:
- Verify objects exist in the bucket with the specified prefix
- Check object format matches configuration (JSON_RECORDS, GZIP)
- Ensure Logpush is configured and actively exporting data
Events Not Filtered:
- For DNS: Verify CategoryIDs field exists in data
- For Email Security: Verify final_disposition field exists in data
- Check that data format matches expected schema
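The "Events Not Filtered" checks can be run offline against one object downloaded from the bucket. The following is an added example, not Unify's or Cloudflare's code: it assumes one JSON object per line, `CategoryIDs` as a list of integers and `final_disposition` as an exact-match string, and the `check_object` helper, the sample records and their `QueryName`/`subject` fields are constructed for illustration.

```python
import gzip
import json
import zlib

# Category IDs and dispositions listed in this guide.
DNS_CATEGORY_IDS = {184, 21, 32, 8, 125, 133, 12, 95, 157, 29, 31}
EMAIL_DISPOSITIONS = {"MALICIOUS", "SPAM", "SUSPICIOUS", "SPOOF", "BULK"}
# client type -> (field to inspect, predicate deciding whether the event is kept)
FILTERS = {
    "cloudflare_dns_client": (
        "CategoryIDs",  # assumed: list of integers
        lambda v: isinstance(v, list) and bool(DNS_CATEGORY_IDS.intersection(v))),
    "cloudflare_email_security_client": (
        "final_disposition",  # assumed: string, compared exactly
        lambda v: isinstance(v, str) and v in EMAIL_DISPOSITIONS),
}


def check_object(blob, client_type):
    """Report why records in one GZIP JSON-records object are kept or dropped."""
    field, keep = FILTERS[client_type]
    report = {"total": 0, "matched": 0, "missing_field": 0, "bad_lines": 0}
    try:
        text = gzip.decompress(blob).decode("utf-8")
    except (OSError, EOFError, zlib.error, UnicodeDecodeError) as exc:
        report["error"] = f"object is not GZIP-compressed UTF-8: {exc}"
        return report
    for line in filter(str.strip, text.splitlines()):
        report["total"] += 1
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            report["bad_lines"] += 1      # not one JSON object per line
        elif field not in event:
            report["missing_field"] += 1  # filter has nothing to match on
        elif keep(event[field]):
            report["matched"] += 1
    return report


# Constructed sample objects; "NONE" is a made-up non-matching disposition.
SAMPLE_DNS = gzip.compress(b"\n".join([
    b'{"QueryName": "chat.example", "CategoryIDs": [184, 2]}',
    b'{"QueryName": "news.example", "CategoryIDs": [3]}',
    b'{"QueryName": "nofield.example"}',
    b'not json']))
SAMPLE_EMAIL = gzip.compress(b"\n".join([
    b'{"subject": "invoice", "final_disposition": "MALICIOUS"}',
    b'{"subject": "hello", "final_disposition": "NONE"}']))
```

A high `missing_field` count points at the Logpush field selection or a client type that does not match the bucket contents; an `error` key or a high `bad_lines` count points at the format or compression settings.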
API Documentation
- Cloudflare R2 API: https://developers.cloudflare.com/r2/api/s3/
- R2 is S3-compatible, so standard S3 operations apply