Skip to main content
This guide walks you through connecting Cloudflare to Clarion and configuring Cloudflare Notifications monitors. By the end, Clarion will receive Cloudflare notification policies through one or more Cloudflare Notifications monitors, and optionally have an API token available for DNS tools and WAF/DDoS firewall-event investigation during incident response.
For Cloudflare Logpush detection windows, use the dedicated Cloudflare Logpush guide.
Estimated time: 5-10 minutes. You will need a Clarion workspace and access to the Cloudflare dashboard for the account or zones you want to monitor.

Prerequisites

  • A Clarion workspace
  • Access to Cloudflare
  • Permissions to create webhook destinations and notification policies in Cloudflare

Step 1 — Connect Cloudflare in Clarion

  1. In Clarion, go to Settings > Integrations
  2. Find Cloudflare
  3. Click Connect
This creates the Cloudflare integration in Clarion. Use the integration to save an optional API token for Clarion agent tools, and use Cloudflare Notifications monitors to generate webhook URLs and secrets for notification delivery.

Step 2 — Optional: Save a Cloudflare API token

If you want Clarion agents to use Cloudflare DNS, zone-management, and WAF/DDoS Analytics tools during investigations, save an API token on the Cloudflare integration.
  1. In the Cloudflare integration page in Clarion, open the API Token section
  2. In Cloudflare, go to Manage Account > Account API Tokens
  3. Create an account-owned API token
  4. Grant Zone:Read, DNS:Read, DNS:Edit, Account Settings:Read, and Zone Analytics:Read
  5. Paste the token into Clarion
  6. Wait for Clarion to verify it, then click Save
The token should include these permissions:
  • Zone:Read
  • DNS:Read
  • DNS:Edit
  • Account Settings:Read
  • Zone Analytics:Read
This token is optional for Cloudflare Notifications delivery. You only need it if you want Clarion agents to use Cloudflare API tools.
Cloudflare Notifications can trigger WAF/DDoS triage without Cloudflare Logpush. With Zone Analytics:Read, Clarion agents can query Cloudflare GraphQL Analytics for sampled firewall events, compare a current wave against a prior window, and report source IPs/ASNs, paths, user agents, countries, rules, action mix, and any allowed traffic. Use Cloudflare Logpush only when you want Clarion to ingest and detect from Logpush events directly.
Use an account-owned token instead of a user token for shared integrations. Account-owned tokens are more durable because they are not tied to one person’s profile.

Step 3 — Add one or more Cloudflare Notifications monitors

  1. In Clarion, add a Cloudflare Notifications monitor from the Integrations page or the agent monitor setup flow
  2. Give the monitor a clear name for the Cloudflare notification policy or policy group it will receive
  3. Save the monitor
When each monitor is created, Clarion generates:
  • A Webhook URL
  • A Webhook secret
Copy both values from the monitor configuration screen. You can create multiple Cloudflare Notifications monitors when you want different Cloudflare notification policies to use different webhook destinations, secrets, or Clarion agents.
If you replace the webhook secret in Clarion later, update the same secret in Cloudflare before sending new notifications.

Step 4 — Create Cloudflare webhook destinations

In Cloudflare:
  1. Go to Notifications > Destinations > Webhooks
  2. Click Create
  3. Give the destination a name you will recognize later
  4. Paste the Webhook URL from Clarion into the destination URL field
  5. Paste the Webhook secret from Clarion into the secret field
  6. Click Save and Test
Create one Cloudflare webhook destination for each Clarion monitor you want to route separately. Each destination is what the selected notification policies will send to.

Step 5 — Create notification policies in Cloudflare

After the webhook destination exists:
  1. Go to Notifications > Add
  2. Select the notification type you want to send to Clarion
  3. Fill in the required fields for that notification
  4. When Cloudflare shows a delivery or destination section, choose the webhook destination for the Clarion monitor that should receive that policy
  5. Save the notification policy
Common notification policies to forward to Clarion include:
  • DDoS
  • Origin errors
  • Health checks
  • WAF events
  • SSL or certificate events
You can attach multiple Cloudflare notification policies to the same Clarion webhook destination, or split policies across multiple Clarion monitors by using different webhook destinations.
If a Cloudflare notification form only shows Notification email fields and does not show a webhook destination selector, Cloudflare is not offering webhook delivery for that notification in your current account.If your Cloudflare account only has Free zones, this is expected. Cloudflare Notifications webhooks are not available on a free-only account, so you will only be able to use email delivery.Cloudflare’s docs say webhook availability depends on account eligibility and the highest zone plan in the account. If the account has at least one eligible paid zone, Cloudflare may expose webhook destinations for supported notification types.

What happens next

Once configured, Clarion will:
  • Receive Cloudflare Notifications webhooks at the monitor webhook URL
  • Create alerts from supported Cloudflare notification events
  • Triage those alerts with Clarion agents
  • Query Cloudflare Analytics for WAF/DDoS firewall-event evidence when an API token with Zone Analytics:Read is saved
If notifications stop arriving after rotating the secret, verify that the secret stored in the Clarion monitor matches the one configured on the Cloudflare webhook destination.