AlienVault® USM Anywhere™

Launching a Cloudflare Response Action

Role Availability: Read-Only, Analyst, Manager

After USM Anywhere identifies Cloudflare events and alarms, you determine which Cloudflare activities are suspicious and should be investigated, and use the Cloudflare workflow to notify the investigator. For example, if you see a file upload event and think it should be investigated, rather than manually notifying the investigator, you can use the AlienApp for Cloudflare response action to create a firewall action to block the suspicious upload.

The AlienApp for Cloudflare enables you to create firewall actions based on either the destination IP address or source IP address. These actions are available when you launch a response action directly from an alarm or event (described below) or launch a response action in an orchestration rule.

Action                                    Function
Create a Cloudflare action from an alarm  Run this action to create a Cloudflare firewall rule (Block, Challenge, JS Challenge, Allow, Log) from an alarm.
Create a Cloudflare action from an event  Run this action to create a Cloudflare firewall rule (Block, Challenge, JS Challenge, Allow, Log) from an event.

Note: Before launching a Cloudflare response action, you must have enabled and connected the AlienApp for Cloudflare to your Cloudflare Enterprise account. See Configuring the AlienApp for Cloudflare for more information.

When reviewing an alarm or event that originated from a Cloudflare event, if you conclude that the source is compromised you can launch an action (in USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp) to block incoming data from the IP address associated with that alarm. If you want to apply the action to similar alarms or events that occur in the future, you can create an orchestration rule after you apply the action.

To launch the Create Firewall Action for an alarm

  1. Go to Activity > Alarms.
  2. Review the alarms generated on the Cloudflare events, and then click the alarm to open its details.
  3. Click Select Action, and then select the Run Cloudflare Action tile.
  4. (Optional.) If you have more than one USM Anywhere Sensor configured for the AlienApp for Cloudflare, select the sensor that you want to use for the action.
  5. From the App Action drop-down list, select Create firewall action from the destination IP Address or Create firewall action from the source IP Address, depending on your needs.

  6. From the Zone Name drop-down list, select the appropriate zone.
  7. From the Action Type drop-down list, select the appropriate action type:
    • Block: Blocks requests from accessing the site.
    • Challenge: Forces the user to pass a Google reCAPTCHA challenge before proceeding. If the user passes this challenge, Cloudflare accepts the request. If they fail, the request is blocked.
    • JS Challenge: Forces the user to pass a Cloudflare JavaScript challenge before proceeding. If the user passes this challenge, Cloudflare accepts the request. If they fail, the request is blocked.
    • Allow: Explicitly allows all matching requests, as long as no other Cloudflare firewall features block it.
    • Log: Logs the request in Cloudflare Logs. Note: This action type is only available to Cloudflare Enterprise customers.

  8. Click Run.

    After USM Anywhere initiates the action for the alarm, it displays a confirmation.

If the alarm is related to a file in your Cloudflare environment and you want it to be investigated, you can launch an action to create a task on the specific file. If you want to apply the action to similar alarms that occur in the future, you can create an orchestration rule after you apply the action.

To launch the Create Firewall Action for an event

  1. Go to Activity > Events.
  2. Review the events generated by Cloudflare, and then click the event to open its details.
  3. Click Select Action, and then select the Run Cloudflare Action tile.
  4. (Optional.) If you have more than one USM Anywhere Sensor configured for the AlienApp for Cloudflare, select the sensor that you want to use for the action.
  5. From the App Action drop-down list, select Create firewall action from the destination IP Address or Create firewall action from the source IP Address, depending on your needs.

  6. From the Zone Name drop-down list, select the appropriate zone.
  7. From the Action Type drop-down list, select the appropriate action type:
    • Block: Blocks requests from accessing the site.
    • Challenge: Forces the user to pass a Google reCAPTCHA challenge before proceeding. If the user passes this challenge, Cloudflare accepts the request. If they fail, the request is blocked.
    • JS Challenge: Forces the user to pass a Cloudflare JavaScript challenge before proceeding. If the user passes this challenge, Cloudflare accepts the request. If they fail, the request is blocked.
    • Allow: Explicitly allows all matching requests, as long as no other Cloudflare firewall features block it.
    • Log: Logs the request in Cloudflare Logs. Note: This action type is only available to Cloudflare Enterprise customers.

  8. Click Run.

    After USM Anywhere initiates the action for the event, it displays a confirmation.
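As an added example for both procedures above (not code from the AlienApp or from this page): the firewall rule a practitioner would expect the App Action, Zone Name and Action Type choices to produce, together with the two checks worth making before an edge rule goes live, the Enterprise-only Log restriction and a guard against blocking an internal address. It assumes the Cloudflare Firewall Rules payload shape (a filter expression plus an action) and an alarm record with source_address and destination_address fields; both are assumptions, as the page does not state which Cloudflare API the AlienApp calls.

```python
import ipaddress

# Action Type labels from the procedure, mapped to Cloudflare Firewall Rules action names.
ACTIONS = {"Block": "block", "Challenge": "challenge", "JS Challenge": "js_challenge",
           "Allow": "allow", "Log": "log"}

# Ranges that should never end up in an internet-facing rule (assumed list, not anything
# the AlienApp documents): RFC 1918, loopback, link-local, IPv6 ULA and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample of the two address fields the App Action can read from an alarm or event.
SAMPLE_ALARM = {"source_address": "203.0.113.45", "destination_address": "10.0.0.8"}


def build_firewall_rule(alarm, action_type, zone_name, use_source=True, enterprise=True):
    """Return the firewall rule payload implied by the UI choices, or raise ValueError.

    use_source selects between the two App Action variants (source vs destination IP).
    Whichever event field is chosen, the address becomes the ip.src filter, because the
    rule has to match the client address Cloudflare sees at the edge (assumption).
    """
    if action_type not in ACTIONS:
        raise ValueError(f"unknown action type: {action_type!r}")
    if action_type == "Log" and not enterprise:
        raise ValueError("Log is only available to Cloudflare Enterprise customers")
    field = "source_address" if use_source else "destination_address"
    ip = ipaddress.ip_address(alarm[field])  # raises ValueError on malformed input
    if ip.is_multicast or any(ip in net for net in INTERNAL_NETS):
        raise ValueError(f"refusing to create an edge rule for internal address {ip}")
    return {
        "zone": zone_name,
        "filter": {"expression": f"ip.src eq {ip}"},
        "action": ACTIONS[action_type],
        "description": f"USM Anywhere response action ({action_type}) for {ip}",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_firewall_rule(SAMPLE_ALARM, "Block", "example.com"), indent=2))
```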