[New Integration] Cloudflare Email Security

[cpascale43]

Description

Cloudflare Email Security monitors email traffic for various threats including phishing, malware and spam. It provides protection by intercepting and quarantining potentially malicious emails before they are delivered to users' inboxes.

The Elastic integration ingests security events from Cloudflare Email Security, enabling users to correlate email threats with other security events across their organization's environment.

Architecture

Email Security events are delivered via Cloudflare's Alert Webhooks feature: https://developers.cloudflare.com/email-security/email-configuration/domains-and-routing/alert-webhooks/

Refer to the Cloudflare documentation for more details: https://developers.cloudflare.com/email-security/

Dashboard Ideas

The dashboard should provide visibility into email-based threats and security events detected by Cloudflare. It enables real-time monitoring of phishing attempts, malware distribution, and spam campaigns to help security teams quickly identity and respond to email-based attacks. Key categories, and suggested visualizations are:

• Overview and trends
  • Pie chart showing distribution of email threats
  • Chart showing distribution of phishing attack types (credential harvest, malware delivery etc.)
  • Line graph tracking threat volumes over time
  • Alerts for sudden spikes in malicious email activity
• Email security
  • Bar chart or table view of top email threat types (phishing/malware/spam)
  • Geo map showing origin of email threats
  • Timeline of threat detection events
• Phishing analysis
  • Table view of active phishing campaigns
  • Distribution of phishing attack objectives
  • Targeted user/department analysis
  • Metrics on credential harvesting attempts
• Malware detection
  • Breakdown of detected malware families
  • Malicious attachment type distribution
  • Timeline of malware detection events
• Email traffic overview
  • Chart showing volume of clean vs. malicious emails over time
  • Table of top email senders and recipients involved in security incidents
  • Domain reputation tracking
  • Quarantine activity metrics

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency when creating or updating a Package, Module or Dataset for an Integration.

All changes

• [ ] Change follows the contributing guidelines
• [ ] Supported versions of the monitoring target are documented
• [ ] Supported operating systems are documented (if applicable)
• [ ] Integration or System tests exist
• [ ] Documentation exists, useful guidelines to follow
• [ ] Fields follow ECS and naming conventions
• [ ] At least a manual test with ES / Kibana / Agent has been performed.
• [ ] Required Kibana version set to:

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)