Cloudflare
LAST UPDATED: MARCH 19, 2025
Overview
Cloudflare integration allows customers to manage firewall access rules, WAF filters, and lists for IP access or redirect. It also allows the user to manage zones for each account.
D3's integration with the Cloudflare latest REST API v4 to provide the ability to ingest events, manage the zones, firewall access rules and lists.
D3 SOAR is providing REST operations to function with Cloudflare.
Cloudflare is available for use in:
Known Limitations
The global rate limit for the Cloudflare API is 1200 requests per 5 minutes per user, and applies cumulatively regardless of whether the request is made via the dashboard, API key, or API token. If the limit is exceeded, all API calls for the next 5 minutes will be blocked, returning an HTTP 429 response.
Enterprise customers can contact Cloudflare Support to increase the limit.
Refer to Rate Limits - Cloudflare Fundamentals for detailed information.
List availability varies according to the list type, Cloudflare plan, and subscriptions.
Refer to Lists | Cloudflare Web Application Firewall (WAF) docs for List API limitations.
Connection
To connect to Cloudflare from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
API Token | The API token used to authenticate the connection. | ***** |
Version | The API version to use for the connection. The default value is v4. | v4 |
Permission Requirements
Each endpoint in the Cloudflare API requires a certain permission scope. The following are the minimum scopes required for the commands in this integration:
Command | Permission Group | Required Items | Access Level |
Add Items To List | Account | Account Filter Lists | Edit |
Create Access Rule | Account: Select this option when the Access Rule Type parameter is set to Account-level access rule or User-level access rule. | Account Firewall Access Rules | Edit |
Zone: Select this option when the Access Rule Type parameter is set to Zone-level access rule. | Firewall Services | Edit | |
Create Filters | Zone | Firewall Services | Edit |
Create Firewall Rule | Zone | Firewall Services | Edit |
Create List | Account | Account Filter Lists | Edit |
Create Zone | Zone | Zone | Edit |
Delete Access Rules | Account: Select this option when the Access Rule Type parameter is set to Account-level access rule or User-level access rule. | Account Firewall Access Rules | Edit |
Zone: Select this option when the Access Rule Type parameter is set to Zone-level access rule. | Firewall Services | ||
Delete Filters | Zone | Firewall Services | Edit |
Delete Firewall Rules | Zone | Firewall Services | Edit |
Delete Lists | Account | Account Filter Lists | Edit |
Delete Zones | Zone | Zone | Edit |
Fetch Event | Account | Account Settings | Read |
Get List Items | Account | Account Filter Lists | Read |
List Access Rules | Account: Select this option when the Access Rule Type parameter is set to Account-level access rule or User-level access rule. | Account Firewall Access Rules | Read |
Zone: Select this option when the Access Rule Type parameter is set to Zone-level access rule. | Firewall Services | ||
List Accounts | Account | Account Settings | Read |
List Filters | Zone | Firewall Services | Read |
List Firewall Rules | Zone | Firewall Services | Read |
List Lists | Account | Account Filter Lists | Read |
List Zone Plans | Account | Billing | Read |
List Zones | Zone | Any | Read |
Remove Items From List | Account | Account Filter Lists | Edit |
Update Access Rules | Account: Select this option when the Access Rule Type parameter is set to Account-level access rule or User-level access rule. | Account Firewall Access Rules | Edit |
Zone: Select this option when the Access Rule Type parameter is set to Zone-level access rule. | Firewall Services | ||
Update Filters | Zone | Firewall Services | Edit |
Update Firewall Rule | Zone | Firewall Services | Edit |
Update Firewall Rules | Zone | Firewall Services | Edit |
Update Zone | Zone | Zone | Edit |
Account (Only needed for changing the zone plan by specifying a plan ID) | Billing | Edit | |
Test Connection | Any | Any | Any |
Configuring Cloudflare to Work with D3 SOAR
Log in to Cloudflare.
Click the profile icon, then select the Profile option.
Select the API Tokens tab, then click the Create Token button.
Scroll down to the Custom token section, then click the Get started button.
Enter a name for the token.
Add the permission scopes. For example, follow the steps below to create a token with permission to use the Fetch Event command.
Select the Account option in the first field from the left.
Select the Account Settings option in the middle field.
Select the Edit option in the last field.
Refer to Permission Requirements for details.
Click the Continue to summary button.
Review the token summary, then click the Create Token button to generate the token’s secret.
Copy and save the token in a secure location. Refer to step 3 i sub-step 1 in Configuring D3 SOAR to Work with Cloudflare.
Configuring D3 SOAR to Work with Cloudflare
Log in to D3 SOAR.
Find the Cloudflare integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Cloudflare in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Cloudflare.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add a description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users have the option to choose the specific tenant sites to share the connection with. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the saved API Token. Refer to step 9 in Configuring Cloudflare to Work with D3.
2. Input the API Version. The default value is v4.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Cloudflare includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Cloudflare API, please refer to the Cloudflare API reference.
READER NOTE
Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Cloudflare to Work with D3 SOAR for details.
Note for Time-related parameters
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, users will be able to view their preferred time format when configuring the DateTime input parameters for commands.
Add Items to List
Adds new items to the specified list.
READER NOTE
Users must provide either the IP Addresses or Redirect parameter to run this command. Use the List Lists command to check the list type at the path $.result[*].kind.
If the list type is "redirect", the Redirect parameter is required, and IP must be left empty.
If the list type is "ip", the IP parameter is required, and Redirect must be left empty.
If these values do not match, the error "Item(s) kind is not compatible with the list kind." will be returned.
Successful execution may still occur when adding duplicate items, but only the first entries will be recorded. To avoid duplication, use the Get List Items command to verify existing items in the list.
Input
Input Parameter | Required/Optional | Description | Example |
Account ID | Required | The ID of the account to which the target list belongs. Account ID can be obtained using the List Accounts command. | ***** |
List ID | Required | The ID of the list to which items are added. Ensure that the list type is compatible with the item type. List ID can be obtained using the List Lists command. | ***** |
IP Addresses | Optional | The IP addresses to add to an IP Addresses-type list. The associated list for the given List ID must be of the IP Addresses type. |
JSON
|
Redirects | Optional | The items to add to a Redirects-type list. The associated list for the given List ID must be of the Redirects type. The format in which to add items must be a JSON array, with each object containing source_url and target_url fields. Optional fields include:
|
JSON
|
Comment | Required | The comment for which to label the new items. Any excess beyond 500 characters is truncated. | Comment for all the items. |
Overwrite List | Optional | Whether to overwrite the entire list with the provided items. By default, the value is False, which appends items instead of overwriting. | False |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Items to List failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10058. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Item(s) kind is not compatible with the list kind. |
Error Sample Data Add Items to List failed. Status Code: 10058. Message: Item(s) kind is not compatible with the list kind. |
Create Access Rule
Creates access rules with new IPs, IP ranges, or countries either for only one specific zone or all zones owned by the current user or one specific account.
READER NOTE
If Access Rule Type is set to User-level Access Rule, then the only required parameter to run this command is Targets of Rule—other parameters are optional.
If Access Rule Type is set to Account-level Access Rule, then Account ID and Targets of Rule are required parameters to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
If Access Rule Type is set to Zone-level Access Rule, then Zone ID and Targets Of Rule are required parameters to run this command.
Run the List Zones command to obtain the Zone ID. Zone ID can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Access Rule Type | Optional | The type of access rule to be created. Available options are:
By default, the value is set to User-level Access Rule. If permission-related issues occur, refer to the Permission Requirements for this command. | User-level Access Rule |
Account ID | Optional | The ID of the account for which to create an access rule. This parameter is required when Access Rule Type is set to Account-level Access Rule. Account ID can be obtained using the List Accounts command. | ***** |
Zone ID | Optional | The ID of the zone for which to create an access rule. This parameter is required when Access Rule Type is set to Zone-level Access Rule. Zone ID can be obtained using the List Zones command. | ***** |
Action | Optional | The action to apply to a matched request. Available options are:
By default, the value is set to Block. | Block |
Targets Of Rule | Required | The list of targets for the access rule. The targets could be any combination of an IPv4 address, IPv4 range, IPV6 address, IPv6 range, Autonomous System Number and a two-letter ISO-3166-1 alpha-2 country code (US). The full list of valid country codes can be found at Online Browsing Platform (OBP). |
JSON
|
Note | Optional | A note for each target. | This rule is created for the test. |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Access Rule failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10009. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: firewallaccessrules.api.duplicate_of_existing. |
Error Sample Data Create Access Rule failed. Status Code: 10009. Message: firewallaccessrules.api.duplicate_of_existing. |
Create Filters
Creates one or multiple filters within a specified zone.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone for which to create filters. Zone ID can be obtained using the List Zones command. | ***** |
Pause Filter | Optional | Whether the filters to be created are paused. By default, the value is False. | False |
Filter Expression | Optional | The string used to define the filter expression. To reference a list in a rule express, use $<list_name> with the in operator (e.g., ip.src in $list123). List names can be obtained using the List Lists command. Any excess beyond 4096 characters will be removed. Refer to Rule expressions · Cloudflare Ruleset Engine docs for more information about the expression syntax. Either this parameter or Batch Configurations must be defined. | ip.src in $list23 |
Description | Optional | The description for the filter. Any excess beyond 500 characters will be removed. | us filter with ref |
Reference Tag | Optional | The reference tag for the filter. Any excess beyond 50 characters will be removed. Once assigned to a filter, the reference tag cannot be used for other filters. | FIL-100 |
Batch Configurations | Optional | Configurations for the filters to be created. When this parameter is used, other filter configuration parameters will be ignored. Each filter must include an expression key. Optional fields include:
Either this parameter or Filter Expression must be defined. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Filters failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10012. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: filters.api.not_entitled.max_rules. |
Error Sample Data Create Filters failed. Status Code: 10012. Message: filters.api.not_entitled.max_rules. |
Create Firewall Rule
Creates a firewall rule using the specified filter.
READER NOTE
Zone ID and Filter ID are required parameters to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Run the List Filters command to obtain the Filter ID. Filter IDs can be found in the raw data at the path $.result[*].id.
Each Filter ID can only be used once in this command.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the filter belongs. Zone ID can be obtained using the List Zones command. | ***** |
Action | Required | The action to apply for the firewall rule. Available options are:
The Log action is only available for the Enterprise plan. | Block |
Filter ID | Required | The ID of the filter to attach to this firewall rule. Filter ID can be obtained using the List Filters command. | ***** |
Pause Rule | Optional | Whether the filter used is paused. By default, the value is False. | False |
Bypass Products | Optional | The list of products to bypass for a request. This parameter is required when Action is set to Bypass. Available options are: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, and waf. |
JSON
|
Priority | Optional | The priority of the firewall rule. Valid values range from 1 to 2,147,483,647. Values outside this range will be ignored. | 25 |
Description | Optional | The description for the firewall rule. Any excess beyond 500 characters will be removed. | The rule was created with a filter. |
Reference Tag | Optional | The reference tag for the firewall rule. Any excess beyond 50 characters will be removed. Once assigned to a rule, the reference tag cannot be used for other rules. | FIL-100 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Firewall Rule failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10102. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: config duplicates an already existing config. |
Error Sample Data Create Firewall Rule failed. Status Code: 10102. Message: config duplicates an already existing config. |
Create List
Creates a list of the specified type.
READER NOTE
Account ID is a required parameter to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Account ID | Required | The ID of the account for which to create the list. Account ID can be obtained using the List Accounts command. | ***** |
List Name | Required | The name of the list. Only letters, numbers, and underscores are supported. Any excess beyond 50 characters is cut off. | list23 |
Type | Optional | The type of list to be created. Each type supports specific list items. Available options are:
By default, the value is set to IP Addresses. | IP Addresses |
Description | Optional | The description of the list. Any excess beyond 500 characters is cut off. | This rule is updated for the test. |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create List failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10019. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: This account is at the maximum number of lists. |
Error Sample Data Create List failed. Status Code: 10019. Message: This account is at the maximum number of lists. |
Create Zone
Creates a new zone under a specified account.
READER NOTE
Account ID is a required parameter to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Users cannot create zones with the same domain. However, if a zone is deleted, users can recover it by running this command and inputting the same domain—provided the same zone ID is used.
Input
Input Parameter | Required/Optional | Description | Example |
Domain | Required | The domain for which to create the new zone. Any excess beyond 253 characters is cut off. The domain must match the following pattern: `^([a-zA-Z0-9][\-a-zA-Z0-9]*\.)+[\-a-zA-Z0-9]{2,20}$`. Refer to Regular Expression Language - Quick Reference - .NET | Microsoft Learn for more information. | example.com |
Account ID | Required | The Account ID under which the zone will be created. Account IDs can be obtained using the List Accounts command. | ***** |
Auto Fetch DNS Records | Optional | Whether to automatically attempt fetching existing DNS records. By default, the value is False. | False |
Zone Type | Optional | The DNS hosting type of the zone to be created. Available options are:
Full means the DNS is hosted by Cloudflare, while Partial means that the zone is typically partner-hosted or a CNAME setup. | Partial |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Zone failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 1105. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: You attempted to add this domain too many times within a short period. Wait at least 3 hours and try adding it again. |
Error Sample Data Create Zone failed. Status Code: 1105. Message: You attempted to add this domain too many times within a short period. Wait at least 3 hours and try adding it again. |
Delete Access Rules
Deletes the specified access rules.
READER NOTE
Access Rule IDs is a required parameter to run this command.
Run the List Access Rules command to obtain the Access Rule IDs. Access Rule IDs can be found in the raw data at the path $.result[*].id.
If Access Rule Type is set to User-level Access Rule, then the only required parameter to run this command is Access Rule IDs—other parameters are optional.
When running the List Access Rules command, setting Access Rule Type to User-level Access Rule is recommended to obtain the desired Access Rule IDs.
If Access Rule Type is set to Account-level Access Rule, then Account ID and Access Rule IDs are required parameters to run this command.
First, run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Then, run the List Access Rules command with the obtained Account ID and set Access Rule Type to Account-level Access Rule to retrieve the Access Rule IDs.
If Access Rule Type is set to Zone-level Access Rule, then Zone ID and Access Rule IDs are required parameters to run this command.
First, run the List Zones command to obtain the Zone ID. Zone ID can be found in the raw data at the path $.result[*].id.
Then, run the List Access Rules command with the obtained Zone ID and set Access Rule Type to Zone-level Access Rule to retrieve the Access Rule IDs.
Input
Input Parameter | Required/Optional | Description | Example |
Access Rule Type | Optional | The type of access rule to be deleted. Available options are:
By default, the value is set to User-level Access Rule. If permission-related issues occur, refer to the Permission Requirements for this command. | User-level Access Rule |
Access Rule IDs | Required | The IDs of the access rules for which to delete. Access Rule IDs can be obtained using the List Access Rules command. |
JSON
|
Account ID | Optional | The ID of the account for which to delete access rules. This parameter is required when Access Rule Type is set to Account-level Access Rule. Account ID can be obtained using the List Accounts command. | ***** |
Zone ID | Optional | The ID of the zone for which to delete access rules. This parameter is required when Access Rule Type is set to Zone-level Access Rule. Zone ID can be obtained using the List Zones command. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Access Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10000. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Authentication error: Account ID xxx is invalid. |
Error Sample Data Delete Access Rules failed. Status Code: 10000. Message: Authentication error: Account ID xxx is invalid. |
Delete Filters
Deletes the specified filters.
READER NOTE
Zone ID and Filter IDs are required parameters to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Run the List Filters command to obtain the Filter IDs. Filter IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the filter belongs. Zone ID can be obtained using the List Zones command. | ***** |
Filter IDs | Required | The IDs of the filters to be deleted. Filter IDs can be obtained using the List Filters command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Filters failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10000. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: invalid field value: xxx. |
Error Sample Data Delete Filters failed. Status Code: 10000. Message: invalid field value: xxx. |
Delete Firewall Rules
Deletes the specified firewall rules.
READER NOTE
Zone ID and Rule IDs are required parameters to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Run the List Firewall Rules command to obtain the Rule IDs. Rule IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the filter belongs. Zone ID can be obtained using the List Zones command. | ***** |
Rule IDs | Required | The IDs of the rules to be deleted. Rule IDs can be obtained using the List Firewall Rules command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete FirewallRules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10000. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: invalid field value: xxx. |
Error Sample Data Delete FirewallRules failed. Status Code: 10000. Message: invalid field value: xxx. |
Delete Lists
Deletes the specific lists in a given account and all their items.
READER NOTE
Account ID and List IDs are required parameters to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Run the List Lists command to obtain List IDs. List IDs can be found in the raw data at the path $.result[*].id.
This command does not return an error for invalid lists due to API limitations, as the API does not validate list existence. Verify the delete operation by checking the platform directly or running the List Lists command afterward.
Input
Input Parameter | Required/Optional | Description | Example |
Account ID | Required | The ID of the account for which to delete lists. Account ID can be obtained using the List Accounts command. | ***** |
List IDs | Required | The IDs of the lists to delete. List IDs can be obtained using the List Lists command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Lists failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10000. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Authentication error: Account ID xxx is invalid. |
Error Sample Data Delete Lists failed. Status Code: 10000. Message: Authentication error: Account ID xxx is invalid. |
Delete Zones
Deletes the specified zones.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain Zone IDs. Zone IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone IDs | Required | The IDs of the zones for which to delete. Zone IDs can be obtained using the List Zones command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Zones failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 1001. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid zone identifier. |
Error Sample Data Delete Zones failed. Status Code: 1001. Message: Invalid zone identifier. |
Fetch Event
Retrieves logs from Cloudflare with the given criteria.
READER NOTE
Source ID is a required parameter to run this command when the value of Event Source is set to Account Audit Logs.
Run the List Account command to obtain the Source ID. Source ID is the same as Account ID. Account IDs can be found in the returned raw data at the path $.result[*].id.
Zone Name is an optional parameter to run this command.
Run the List Zones command to obtain the Zone Name. Zone Names can be found in the returned raw data at the path $.result[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Optional | The start date (in UTC) for fetching logs (time ignored). | 2022-04-01 00:00 |
End Time | Optional | The end date (in UTC) for fetching logs (time ignored). | 2022-04-20 00:00 |
Event Source | Optional | The event source for retrieving logs. Available options are:
By default, it is set to User Audit Logs. | User Audit Log |
Source ID | Optional | The Account ID for the selected event resource. This parameter is required when the Event Source is Account Audit Logs. | ***** |
Actor IP | Optional | The IP address that made the change. | ***.***.***.*** |
Actor Email | Optional | The email address of the actor that made the change. | *****@*****.***** |
Hide User Logs | Optional | Whether to hide user-level audit logs. By default, the value is False. | True |
Zone Name | Optional | The zone name used to filter the results. Zone Names can be obtained using the List Zones command. | d3soar.net |
Action Type | Optional | The action type used to filter the results. | add |
Number of Event(s) Fetched | Optional | The maximum number of results per page. When set to 0, a negative number, or left unspecified, all events within the given time range will be returned. The maximum allowed value is 1000. | 100 |
Page | Optional | The page index of the returned results. When set to 0, a negative number, or left unspecified, the value defaults to 1. | 1 |
Direction | Optional | The order in which to sort the retrieved logs based on their generated time. Available options are:
By default, the value is Descending. | Descending |
Output
To view the sample output data for all commands, refer to this article.
Fetch Event Field Mapping
Fetch Event commands require event field mapping. Field mapping plays a key role for data normalization within the event pipeline. Field mapping converts the original data fields from the different providers to standardized D3 fields as defined by the D3 Model. Refer to Event and Incident Intake Field Mapping for details.
To add a custom field, click on the + Add Field button. Users can also remove built-in field mappings by clicking x. Note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
As a system integration, the Cloudflare integration has some pre-configured field mappings for default field mapping.
Default Event Source
The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, users will find a set of field mappings provided by the system. Default event source provides field mappings for common fields from the fetched data. The default event source has a "Main Event JSON Path" (i.e. $.result) that is used to extract a batch of events from the response raw data. View the "Main Event JSON Path" by clicking on the Edit Event Source button.
Main Event JSON Path: $.result
The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
For example, the root node of a JSON Path is result. The child node denoting the Unique Event Key field would be id. Putting it together, the JSON Path expression to extract the Unique Event Key is $.result.id.
The pre-configured field mappings are detailed below:
Field Name | Source Field |
Unique Event Key | .id |
Event Type | .action.type |
Owner ID | .owner.id |
Start Time | .when |
Resource Type | .resource.type |
Actor Email | .actor.email |
Zone Name | .metadata.zone_name |
Description | .action.type |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10000. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Authentication error. |
Error Sample Data Fetch Event failed. Status Code: 10000. Message: Authentication error. |
Get List Items
Returns a detailed list of all items in the given list.
READER NOTE
Account ID and List ID are required parameters to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Run the List Lists command to obtain the List ID. List IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Account ID | Required | The ID of the account to which the target list belongs. Account ID can be obtained using the List Accounts command. | ***** |
List ID | Required | The ID of the list from which to retrieve the item details. List ID can be obtained using the List Lists command. | ***** |
Cursor | Optional | The value of the pagination cursor used to request the next or previous set of records in the next API call. Cursor values can be found in the previous response at $.result_info.cursors. | yyyyyy |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get List Items failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10001. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: filters.api.not_found: could not find list xxx. |
Error Sample Data Get List Items failed. Status Code: 10001. Message: filters.api.not_found: could not find list xxx. |
List Access Rules
Returns a list of access rules.
READER NOTE
If Access Rule Type is set to User-level Access Rule, then all parameters are optional.
If Access Rule Type is set to Account-level Access Rule, then Account ID is a required parameter to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
If Access Rule Type is set to Zone-level Access Rule, then Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone ID can be found in the raw data at the path $.result[*].id.
Use Page Size and Page parameters to control the number of returned rules. By default, only 20 rules will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Access Rule Type | Optional | The type of access rules to be listed. Available options are:
By default, the value is set to User-level Access Rule. If permission-related issues occur, refer to the Permission Requirements for this command. | User-level Access Rule |
Account ID | Optional | The ID of the account for which to list access rules. This parameter is required when Access Rule Type is set to Account-level Access Rule. Account ID can be obtained using the List Accounts command. | ***** |
Zone ID | Optional | The ID of the zone for which to list access rules. This parameter is required when Access Rule Type is set to Zone-level Access Rule. Zone ID can be obtained using the List Zones command. | ***** |
Action | Optional | Filters access rules by the action applied to a matched request. Available options are:
By default, the value is set to Block. | Block |
Target Type Of Rule | Optional | Filters access rules by the target type. Available options are:
| IP |
Target Value | Optional | Filters access rules by the specific target value. Only exact matches are supported. The target value can be an IPv4 address, IPv4 range, IPV6 address, IPv6 range, Autonomous System Number, or a two-letter ISO-3166-1 alpha-2 country code. The full list of valid country codes can be found at Online Browsing Platform (OBP). | 198.51.100.4 |
Note | Optional | Filters access rules by notes. Partial matches are supported. | update |
Match Type | Optional | The search mode for which to filter the rules. Setting the parameter to All returns rules that satisfy all criteria. Setting the parameter to Any returns rules that match any criteria. By default, the value is All. | All |
Page Size | Optional | The maximum number of results per page (1-1000 in increments of 5). When set to 0, a negative number, or left unspecified, the value defaults to 20. | 100 |
Page | Optional | The page index of the returned results. When set to 0, a negative number, or left unspecified, the value defaults to 1. | 1 |
Sort By | Optional | The field by which to sort the returned results. Available options are:
By default, the value is set to Action. | Action |
Direction | Optional | The order in which to sort the result list. Available options are:
By default, the value is Ascending. | Ascending |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Access Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 7003. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Could not route to /client/v4/accounts/xxx/firewall/access_rules/rules, perhaps your object identifier is invalid? |
Error Sample Data List Access Rules failed. Status Code: 7003. Message: Could not route to /client/v4/accounts/xxx/firewall/access_rules/rules, perhaps your object identifier is invalid? |
List Accounts
Returns a list of accounts.
Input
Input Parameter | Required/Optional | Description | Example |
Account IDs | Optional | The IDs of the accounts for which to retrieve account details. If provided, all other parameters are ignored. |
JSON
|
Account Name | Optional | Filters results by the full names of the accounts. | Sample@d3security.com's Account |
Page Size | Optional | The maximum number of results per page (5-50). When set to 0, a negative number, or left unspecified, the value defaults to 20. | 20 |
Page | Optional | The page index of the returned results. When set to 0, a negative number, or left unspecified, the value defaults to 1. | 1 |
Direction | Optional | The order in which to sort the result list. Available options are:
By default, the value is Ascending. | Ascending |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Accounts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 7003. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Could not route to /client/v4/accounts/xxx, perhaps your object identifier is invalid? |
Error Sample Data List Accounts failed. Status Code: 7003. Message: Could not route to /client/v4/accounts/xxx, perhaps your object identifier is invalid? |
List Filters
Returns a list of filters in the specified zone.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Filter IDs is an optional parameter to run this command.
Run this command without filling in the Filter IDs parameter to obtain the Filter IDs. Filter IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the filter belongs. Zone ID can be obtained using the List Zones command. | ***** |
Filter IDs | Optional | Filters results by the specified Filter IDs. When provided, all other query parameters are ignored. |
JSON
|
List Paused Filter | Optional | Whether to list paused filters. By default, the value is False. | False |
Expression | Optional | The case-insensitive string used to query filter expressions. Any excess beyond 4096 characters will be removed. | ip.geoip.country |
Description | Optional | The case-insensitive string used to query filters by their descriptions. Any excess beyond 500 characters will be removed. | ip.geoip.country |
Reference Tag | Optional | Filters results by reference tags. Only exact matches are supported. Any excess beyond 50 characters will be removed. | FIL-100 |
Page Size | Optional | The maximum number of results per page (5-100 in increments of 5). When set to 0, a negative number, or left unspecified, the value defaults to 25. | 5 |
Page | Optional | The page index of the returned results. When set to 0, a negative number, or left unspecified, the value defaults to 1. | 1 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Filters failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 7003. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Could not route to /client/v4/zones/xxx/filters, perhaps your object identifier is invalid? |
Error Sample Data List Filters failed. Status Code: 7003. Message: Could not route to /client/v4/zones/xxx/filters, perhaps your object identifier is invalid? |
List Firewall Rules
Returns a list of firewall rules in a specified zone.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Rule IDs is an optional parameter to run this command.
Run this command without filling in the Rule IDs parameter to obtain the Rule IDs. Rule IDscan be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the firewall rule belongs. Zone ID can be obtained using the List Zones command. | ***** |
Rule IDs | Optional | The IDs of the firewall rules for which to retrieve details. Rule IDs can be obtained by running the command without filling in this input parameter. When this parameter is defined, all other firewall rule filtering parameters are ignored. |
JSON
|
List Paused Rules | Optional | Whether to list paused rules. By default, the value is False. | False |
Action | Optional | Filters firewall rules by the action applied. Available options are:
The Log action is only available for the Enterprise plan. | Block |
Description | Optional | The case-insensitive string used to query firewall rules by their descriptions. Any excess beyond 500 characters will be removed. | ip.geoip.country |
Page Size | Optional | The maximum number of results per page (5-100 in increments of 5). When set to 0, a negative number, or left unspecified, the value defaults to 25. | 5 |
Page | Optional | The page index of the returned results. When set to 0, a negative number, or left unspecified, the value defaults to 1. | 1 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Firewall Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10000. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Authentication error: Zone ID xxx is invalid. |
Error Sample Data List Firewall Rules failed. Status Code: 10000. Message: Authentication error: Zone ID xxx is invalid. |
List Lists
Returns lists in the specified account.
READER NOTE
Account ID is a required parameter to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
List IDs is an optional parameter to run this command.
Run this command without filling in the List IDs parameter to obtain the List IDs. List IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Account ID | Required | The ID of the account for which to return lists. Account ID can be obtained using the List Accounts command. | ***** |
List IDs | Optional | The IDs of the lists for which to retrieve details. List IDs can be obtained by running the command without filling in this input parameter. By default, all lists in the account will be returned. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Lists failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 7003. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Could not route to /client/v4/accounts/xxx/rules/lists, perhaps your object identifier is invalid? |
Error Sample Data List Lists failed. Status Code: 7003. Message: Could not route to /client/v4/accounts/xxx/rules/lists, perhaps your object identifier is invalid? |
List Zone Plans
Lists the available plans to which a zone can subscribe.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone whose plans will be listed. Zone ID can be obtained using the List Zones command. | ***** |
Plan Type | Optional | Filters the result by plan type. Available options are:
By default, the value is set to Plan. | Plan |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Zone Plans failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 7003. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Could not route to /client/v4/zones/xxx/available_plans, perhaps your object identifier is invalid? |
Error Sample Data List Zone Plans failed. Status Code: 7003. Message: Could not route to /client/v4/zones/xxx/available_plans, perhaps your object identifier is invalid? |
List Zones
Returns a list of zones.
READER NOTE
Account Name and Account ID are optional parameters to run this command.
Run the List Accounts command to obtain the Account Name. Account Names can be found in the raw data at the path $.result[*].name.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone IDs | Optional | The IDs of the zones for which to retrieve details. If provided, other parameters are ignored. |
JSON
|
Domain Name | Optional | The domain name used to filter zones. | d3soar.net |
Zone Status | Optional | The zone status used to filter zones. Available options are:
| Active |
Account Name | Optional | The account name used to filter zones. Account Names can be obtained using the List Accounts command. Account names containing the following characters cannot be used to filter zones: & < > " ‘ `. | sample@d3security.com |
Account ID | Optional | The account ID used to filter zones. Account ID can be obtained using the List Accounts command. | ***** |
Page Size | Optional | The maximum number of results per page (5-50). When set to 0, a negative number, or left unspecified, the value defaults to 20. | 5 |
Page | Optional | The page index of the returned results. When set to 0, a negative number, or left unspecified, the value defaults to 1. | 1 |
Sort By | Optional | The field by which to sort the returned zones. Available options are:
By default, the value is set to Name. | Name |
Direction | Optional | The order in which to sort the zone list. Available options are:
By default, the value is Ascending. | Ascending |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Zones failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 7003. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Could not route to /client/v4/zones/xxx, perhaps your object identifier is invalid? |
Error Sample Data List Zones failed. Status Code: 7003. Message: Could not route to /client/v4/zones/xxx, perhaps your object identifier is invalid? |
Remove Items from List
Removes the specified Items from a list.
READER NOTE
Account ID, List ID and Item IDs are required parameters to run this command.
Run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Run the List Lists command to obtain the List ID. List IDs can be found in the raw data at the path $.result[*].id.
Run the Get List Items command to obtain the Item IDs. Item IDs can be found in the raw data at the path $.result[*].id.
All input values must correspond to the same account. It is recommended to first run the List Accounts command to obtain the desired Account ID. Second, use this Account ID to run the List Lists command to retrieve List IDs. Finally, use the paired values to run the Get List Items command to obtain Item IDs.
The API does not validate whether the input item IDs are correct. Therefore, all operations will appear successful. To confirm item removal from the specified list under the given account, check the platform directly or run the Get List Items command.
Input
Input Parameter | Required/Optional | Description | Example |
Account ID | Required | The ID of the account under which the target list is associated. Account ID can be obtained using the List Accounts command. | ***** |
List ID | Required | The ID of the list from which to remove items. List ID can be obtained using the List Lists command. | ***** |
Item IDs | Required | The IDs of the items to remove. Item IDs can be obtained using the Get List Items command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove Items From List failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10001. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: filters.api.not_found: could not find list xxx. |
Error Sample Data Remove Items From List failed. Status Code: 10001. Message: filters.api.not_found: could not find list xxx. |
Update Access Rules
Updates the action and/or notes of existing access rules.
READER NOTE
Access Rule IDs is a required parameter to run this command.
Run the List Access Rules command to obtain the Access Rule IDs. Access Rule IDs can be found in the raw data at the path $.result[*].id.
If Access Rule Type is set to User-level Access Rule, then the only required parameter to run this command is Access Rule IDs—other parameters are optional.
When running the List Access Rules command, setting Access Rule Type to User-level Access Rule is recommended to obtain the desired Access Rule IDs.
If Access Rule Type is set to Account-level Access Rule, then Account ID and Access Rule IDs are required parameters to run this command.
First, run the List Accounts command to obtain the Account ID. Account IDs can be found in the raw data at the path $.result[*].id.
Then, run the List Access Rules command with the obtained Account ID and set Access Rule Type to Account-level Access Rule to retrieve the Access Rule IDs.
If Access Rule Type is set to Zone-level Access Rule, then Zone ID and Access Rule IDs are required parameters to run this command.
First, run the List Zones command to obtain the Zone ID. Zone ID can be found in the raw data at the path $.result[*].id.
Then, run the List Access Rules command with the obtained Zone ID and set Access Rule Type to Zone-level Access Rule to retrieve the Access Rule IDs.
Input
Input Parameter | Required/Optional | Description | Example |
Access Rule Type | Optional | The type of access rules for which to update. Available options are:
By default, the value is set to User-level Access Rule. If permission-related issues occur, refer to the Permission Requirements for this command. | User-level Access Rule |
Access Rule IDs | Required | The IDs of the access rules for which to update. Access Rule IDs can be obtained using the List Access Rules command. |
JSON
|
Account ID | Optional | The ID of the account for which to update access rules. This parameter is required when Access Rule Type is set to Account-level Access Rule. Account ID can be obtained using the List Accounts command. | ***** |
Zone ID | Optional | The ID of the zone for which to update access rules. This parameter is required when Access Rule Type is set to Zone-level Access Rule. Zone ID can be obtained using the List Zones command. | ***** |
Action | Optional | The action to apply to a matched request. Available options are:
By default, the value is set to Block. Users must enter a value for either Action or Note. | Whitelist |
Note | Optional | A note for each access rule. Users must enter a value for either Action or Note. | This rule is updated for the test. |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Access Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The parameters Action, and Note cannot both be empty. |
Error Sample Data Update Access Rules failed. Status Code: 400. Message: The parameters Action, and Note cannot both be empty. |
Update Filters
Updates one or multiple existing filters within a specified zone.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Filter ID is an optional parameter to run this command.
Run the List Filters command to obtain the Filter ID. Filter IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the filter belongs. Zone ID can be obtained using the List Zones command. | ***** |
Filter ID | Optional | The ID of the filter to be updated. Filter ID can be obtained using the List Filters command. | ***** |
Pause Filter | Optional | Whether to pause the filters. By default, the value is False. | False |
Expression | Required | The string used to define the updated filter expression. To reference a list in a rule express, use $<list_name> with the in operator (e.g., ip.src in $list123). List names can be obtained using the List Lists command. Any excess beyond 4096 characters will be removed. Refer to Rule expressions · Cloudflare Ruleset Engine docs for more information about the expression syntax. Either this parameter or Batch Configurations must be defined. | ip.src in $list23 |
Description | Optional | The updated description for the filter. Any excess beyond 500 characters will be removed. | us filter with ref |
Reference Tag | Optional | The updated reference tag for the filter. Any excess beyond 50 characters will be removed. Once assigned to a filter, the reference tag cannot be used for other filters. | FIL-100 |
Batch Configurations | Optional | The updated configurations for the filters. When this parameter is used, other filter configuration parameters will be ignored. Each filter must include an id key. Optional fields include:
|
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Filters failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10012. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: filters.api.not_entitled.max_rules. |
Error Sample Data Update Filters failed. Status Code: 10012. Message: filters.api.not_entitled.max_rules. |
Update Firewall Rule
Updates an existing firewall rule.
READER NOTE
Zone ID, Rule ID and Filter ID are required parameters to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Run the List Firewall Rules command to obtain the Rule IDs. Rule IDs can be found in the raw data at the path $.result[*].id.
Run the List Filters command to obtain the Filter ID. Filter IDs can be found in the raw data at the path $.result[*].id.
The input values for Zone ID, Rule ID, and Filter ID must correspond. It is recommended to first run the List Zones command to obtain the desired Zone ID. Then, use this Zone ID to run the List Firewall Rules command to retrieve the Rule ID. Finally, use the List Filters command to get the Filter ID. These values must belong to the same zone when executing this command.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the filter belongs. Zone ID can be obtained using the List Zones command. | ***** |
Rule ID | Required | The ID of the firewall rule to be updated. Rule ID can be obtained using the List Firewall Rules command. | ***** |
Action | Required | The updated action to apply for the firewall rule. Available options are:
The Log action is only available for the Enterprise plan. | Block |
Filter ID | Required | The ID of the filter attached to the firewall rule. Filter ID can be obtained using the List Filters command. | ***** |
Pause Rule | Optional | Whether the rule is paused. By default, the value is False. | False |
Bypass Products | Optional | The list of products to bypass for a request. This parameter is required when Action is set to Bypass. Available options are: zoneLockdown, uaBlock, bic, hot, securityLevel, rateLimit, and waf. |
JSON
|
Priority | Optional | The priority of the firewall rule. Valid values range from 1 to 2,147,483,647. Values outside this range will be ignored. | 25 |
Description | Optional | The description for the firewall rule. Any excess beyond 500 characters will be removed. | The rule was created with a filter. |
Reference Tag | Optional | The reference tag for the firewall rule. Any excess beyond 50 characters will be removed. Once assigned to a rule, the reference tag cannot be used for other rules. | FIL-100 |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Firewall Rule failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10102. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: config duplicates an already existing config. |
Error Sample Data Update Firewall Rule failed. Status Code: 10102. Message: config duplicates an already existing config. |
Update Firewall Rules
Updates multiple existing firewall rules.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to which the filter belongs. Zone ID can be obtained using the List Zones command. | ***** |
Firewall Configurations | Required | The configurations for the firewall rules to be updated. Firewall IDs can be obtained using the List Firewalles command. Filter ID can be obtained using the List Filters command. Required fields for each firewall rule are id, filter and action. Other available fields include:
Refer to Update firewall rules - Cloudflare API for details. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Firewall Rules failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 10001. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: config not found. |
Error Sample Data Update Firewall Rules failed. Status Code: 10001. Message: config not found. |
Update Zone
Updates the configurations of an existing zone.
READER NOTE
Zone ID is a required parameter to run this command.
Run the List Zones command to obtain the Zone ID. Zone IDs can be found in the raw data at the path $.result[*].id.
Plan ID is an optional parameter to run this command.
Run the List Zone Plans command to obtain the Plan ID. Plan IDs can be found in the raw data at the path $.result[*].id.
Plan IDs must correspond with their respective Zone IDs. It is recommended to first run the List Zones command to obtain the Zone ID, then use that ID to run the List Zone Plans command to retrieve the Plan ID.
Input
Input Parameter | Required/Optional | Description | Example |
Zone ID | Required | The ID of the zone to be updated. Zone ID can be obtained using the List Zones command. | ***** |
Zone Type | Optional | The DNS hosting type of the zone to be updated. Available options are:
Full means the DNS is hosted by Cloudflare, while Partial means that the zone is typically partner-hosted or a CNAME setup. This parameter is only available to Enterprise customers or if it has been explicitly enabled for a zone. | Partial |
Pause DNS Services | Optional | Whether the zone is only using Cloudflare DNS services. True means that the zone will not receive security or performance benefits. | False |
Vanity Name Servers | Optional | The domains used for custom name servers. This is only available for Business and Enterprise plans. |
JSON
|
Plan ID | Optional | The ID of the desired plan for the zone. Plan ID can be obtained using the List Zone Plans command. Changing this value will create or cancel associated subscriptions. | ***** |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Zone failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 1088. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid/Missing Zone plan ID. |
Error Sample Data Update Zone failed. Status Code: 1088. Message: Invalid/Missing Zone plan ID. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors:
You can view more details about an error in the Error tab. | String |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 10028, it could due to adding a repeated IP address to an IP list. The user or system support would need to check the input IP to add to the list. Refer to Cloudflare Errors · Cloudflare Support docs for details. | Status Code: 1012. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access Denied. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 1012. Message: Access Denied. |