Skip to content
Cloudflare Docs

Risk score

Cloudflare One risk scoring detects user activity and behaviors that could introduce risk to your organization's systems and data. Risk scores add user and entity behavior analytics (UEBA) to the Cloudflare One platform.

User risk scoring

Cloudflare One assigns a risk score of Low, Medium, or High based on detections of users' activities, posture, and settings. A user's score is equal to the highest-level risk behavior they trigger.

View a user's risk score

To view a user's risk score:

  1. In Cloudflare One, go to Teams & Resources.
  2. Select Users.
  3. Select Risk score > Risk scoring.
  4. Select a user's name to view their instances of risk behaviors, if any. You can select an instance of a risk behavior to view the log associated with the detection.

Users that have had their risk score cleared will not appear in the table unless they trigger another risk behavior.

Clear a user's risk score

If required, you can reset risk scores for specific users. Once reset, users will not appear in the associated risk table until they trigger another risk behavior.

  1. In Cloudflare One, go to Teams & Resources.
  2. Select Risk score > Risk scoring.
  3. Select the user you want to clear the risk score for.
  4. In User risk overview, select Reset user risk.
  5. Select Confirm.

Send risk score to Okta

In addition to controls in Cloudflare One, Okta users can send risk scores to Okta to apply SSO-level policies.

First, configure Cloudflare One to send user risk scores to Okta.

  1. Set up the Okta SSO integration.
  2. In Cloudflare One, go to Integrations > Identity providers.
  3. In Your identity providers, locate your Okta integration and select Edit.
  4. Turn on Send risk score to Okta.
  5. Select Save.
  6. Upon saving, Cloudflare One will display the well-known URL for your organization. Copy the value.

Next, configure Okta to receive your risk scores.

  1. On your Okta admin dashboard, go to Security > Device Integrations.
  2. Go to Receive shared signals, then select Create stream.
  3. Name your integration. In Set up integration with, choose Well-known URL.
  4. In Well-known URL, enter the well-known URL value provided by Cloudflare One.
  5. Select Create.

For more information on configuring user risk score within Okta, refer to the Okta documentation.

While the Okta integration is turned on, Cloudflare One will send any user risk score updates to Okta, including score increases and resets. Score update events will appear in your Access audit logs.

Predefined risk behaviors

By default, all predefined behaviors are disabled. When a behavior is enabled, Cloudflare One will continuously evaluate all users within the organization for the behavior. You can change the risk level for predefined behaviors if the default assignment does not suit your environment.

Risk behaviorsRequirementsDescription
Impossible travelA configured Access applicationUser has a successful login from two different locations that they could not have traveled between in that period of time. Matches will appear in your Access audit logs.
High number of DLP policies triggeredA configured DLP profileUser has created a high number of DLP policy matches within a narrow frame of time. Matches will appear in your Gateway activity logs.
SentinelOne threat detected on machineSentinelOne service provider integrationSentinelOne returns one or more configured device posture attributes for a user.

Manage risk behaviors

To toggle risk behaviors, go to Risk score > Risk behaviors.

Enable risk behaviors

When a specific behavior is enabled, Cloudflare One will continuously monitor all users within the organization for any instances of that behavior.

If a user engages in an enabled risk behavior, their risk level is re-evaluated. Cloudflare One will update their risk score to the highest value between the current risk level and the risk level of the behavior they triggered.

Disable risk behaviors

When a risk behavior is disabled, monitoring for future activity will cease. Previously detected risk behaviors will remain in the logs and associated with a user.

Change risk behavior risk levels

You can change the risk level for a behavior at any time.

  1. In Cloudflare One, go to Teams & Resources.
  2. Go to Users.
  3. Select Risk score > Risk behaviors.
  4. Select the risk behavior you want to modify.
  5. In the drop-down menu, choose your desired risk level.
  6. Select Save.