Cloudflare

The Cloudflare integration ingests WAF events, Zero Trust access logs, DDoS mitigations, DNS analytics, and Workers logs into HomeBase — providing unified visibility across your Cloudflare-protected surface.

What's ingested

• WAF events — blocked and challenged requests, rule triggers, rate limit hits.
• Zero Trust access logs — authentication events, policy decisions, device posture checks.
• DDoS mitigations — attack summaries, traffic spikes, auto-mitigation activations.
• DNS analytics — query volumes, blocked domains, DNSSEC events.
• Workers logs — execution errors and anomaly patterns (via Logpush).

Prerequisites

• Cloudflare account with at least one zone.
• Cloudflare Pro plan or above for WAF event access.
• Cloudflare Zero Trust for ZTNA log ingestion (separate connector).

Setup

1. Create a Cloudflare API token

In your Cloudflare dashboard, go to My Profile → API Tokens → Create Token. Use the "Read All" template and restrict to the zones you want HomeBase to monitor.

Required permissions:

2. Add the integration in HomeBase

POST /v1/integrations

{
  "type": "cloudflare",
  "tenant_id": "ten_01hxyz",
  "credentials": {
    "api_token": "your-cloudflare-api-token"
  },
  "config": {
    "zone_ids": ["zone_01", "zone_02"],
    "ingest_waf": true,
    "ingest_zero_trust": true,
    "ingest_ddos": true
  }
}

3. Verify the connection

GET /v1/integrations/:id/health

{
  "status": "healthy",
  "last_sync_at": "2025-06-01T14:00:00Z",
  "events_ingested_24h": 1842
}

Logpush configuration

Configure Cloudflare Logpush to push to the HLD ingest endpoint:

# HLD Logpush destination
https://ingest.hldgroup.org/v1/logpush/cloudflare?tenant_id=ten_01hxyz&token=INGEST_TOKEN