Cloudflare Audit Logs

The Cloudflare connector pulls account-scope audit log entries from the Cloudflare API — every administrative action taken in the dashboard or via API, including DNS changes, WAF rule edits, page rule modifications, API token creation, and member role changes.

What you get

| Resource type | Examples |
| --- | --- |
| account | Member added, role changed, 2FA disabled |
| zone | DNS record create/delete, SSL setting change |
| firewall | WAF rule create/edit, rate-limit change |
| access | Cloudflare Access policy edit, identity provider change |
| r2 / workers | Bucket policy change, Worker route deploy |
| api_token | Token created, scope granted, token revoked |

Events are normalized with source: cloudflare, category: saas.

Prerequisites

  • A Cloudflare account ID. Find it at the bottom right of any zone overview page.
  • A Cloudflare API token with at minimum:
    • Account → Audit Logs → Read
    • (Optional) Account → Account Settings → Read for member resolution
  • The token must be account-scoped, not user-scoped, so it survives if the creating user leaves the team.

We strongly recommend creating a dedicated aisoc-readonly token with only the audit-log scope. Do not reuse your global API key.

Setup walkthrough

1. Create the API token

  1. Cloudflare dashboard → My Profile → API Tokens → Create Token.
  2. Use the Custom token template.
  3. Permissions:
    • Account | Audit Logs | Read
  4. Account Resources: Include → Specific account → <your account>.
  5. (Optional) Set a TTL or IP restriction.
  6. Continue → Create Token. Copy the token now — you won't see it again.

2. Find your account ID

Any zone's Overview page shows the account ID in the right-hand sidebar (32-character hex string). Or run:

curl -H "Authorization: Bearer $TOKEN" https://api.cloudflare.com/client/v4/accounts | jq -r '.result[].id'

3. Add the connector in AiSOC

  1. Connectors → Add connector → Cloudflare.
  2. account_id = the 32-character hex string.
  3. api_token = the token from step 1 (stored encrypted in the credential vault).
  4. Test connection → calls GET /accounts/:id/audit_logs?per_page=1.
  5. Save.

Polling details

  • Default interval: 300 seconds.
  • The connector calls GET /accounts/:id/audit_logs?since=<lastpoll>&before=<now>&direction=desc&per_page=100, paginating until exhaustion or an upper bound of 1000 events per poll.
  • Cloudflare returns audit events with near-zero latency (typically <30 sec from action), making this one of the lower-latency connectors in the catalog.

Severity heuristics

| Action | Severity |
| --- | --- |
| member.add with Super Administrator role | high |
| api_token.create with broad scopes (e.g. Account.*) | high |
| account.2fa.disable | high |
| zone.firewall.rule.delete on production zone | medium |
| dns.record.delete of an MX/A record on production zone | medium |
| worker.route.create pointing to an unverified worker | medium |
| Routine zone.settings.read | dropped |
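As an added example (not AiSOC's or Cloudflare's own code), the polling loop from "Polling details" and the severity table above, in Python. The HTTP call is injected so the block runs offline against constructed pages; page-number pagination and the metadata field names role, scopes, zone_tier and record_type are assumptions about how the normalized events look.

```python
from typing import Callable, Dict, List, Optional

ENDPOINT = "/accounts/{account_id}/audit_logs"   # path from the connector docs
PER_PAGE = 100                                    # per_page used by the connector
MAX_EVENTS_PER_POLL = 1000                        # upper bound per poll


def poll_audit_logs(account_id: str, since: str, before: str,
                    fetch: Callable[[str, Dict], Dict]) -> List[Dict]:
    """Collect newest-first events between since and before, paginating
    until an empty page or the 1000-event bound. `fetch(path, params)` is
    an injected HTTP call returning one decoded API page ({"result": [...]});
    page-number pagination (page=1, 2, ...) is an assumption here."""
    events: List[Dict] = []
    page = 1
    while len(events) < MAX_EVENTS_PER_POLL:
        params = {"since": since, "before": before, "direction": "desc",
                  "per_page": PER_PAGE, "page": page}
        result = fetch(ENDPOINT.format(account_id=account_id), params).get("result") or []
        if not result:
            break                                 # exhausted
        events.extend(result[:MAX_EVENTS_PER_POLL - len(events)])
        page += 1
    return events


def severity(event: Dict) -> Optional[str]:
    """Apply the heuristics table. Action names follow the page's taxonomy
    (member.add, account.2fa.disable, ...); the metadata keys role, scopes,
    zone_tier and record_type are assumed names for normalized fields.
    None means the event is dropped; anything unmatched defaults to low."""
    action = (event.get("action") or {}).get("type", "")
    meta = event.get("metadata") or {}
    if action == "member.add" and meta.get("role") == "Super Administrator":
        return "high"
    if action == "api_token.create" and any(s.endswith(".*") for s in meta.get("scopes", [])):
        return "high"
    if action == "account.2fa.disable":
        return "high"
    if action == "zone.firewall.rule.delete" and meta.get("zone_tier") == "production":
        return "medium"
    if action == "dns.record.delete" and meta.get("zone_tier") == "production" \
            and meta.get("record_type") in ("MX", "A"):
        return "medium"
    if action.endswith(".read"):
        return None                               # routine reads are dropped
    return "low"
```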

Troubleshooting

Authentication error (code: 10000) — token lacks the Audit Logs Read permission, or token is user-scoped on an account where the user has been removed. Recreate as account-scoped.

Resource not found (code: 7003) — the account ID is wrong. Confirm against the dashboard sidebar — it is not the same as the zone ID.

Empty results despite recent dashboard changes — the audit log API only includes a subset of dashboard activity (administrative changes). Read-only browsing does not appear. This is expected and matches Cloudflare's documented behavior.

Related

  • GitHub Audit + Code Scanning — for the source-control side of edge changes (e.g. workers committed to a repo before they were deployed).
  • For zone-level WAF and bot events, see the dedicated Cloudflare Logpush documentation (separate, paid feature) — out of scope for this connector.