cloudflare · maxvp · Aug 26, 2025 · Aug 25, 2025 · Aug 25, 2025 · Aug 25, 2025
@@ -0,0 +1,68 @@
+---
+pcx_content_type: reference
+title: Anthropic
+rss: file
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	product="cloudflare-one"
+	params={{
+		integrationName: "Anthropic",
+		integrationAccountType: "Anthropic account",
+	}}
+/>
+
+This integration covers the following Anthropic products:
+
+- Claude Console (organizations, workspaces/projects, users, invites)
+- Anthropic API Platform (organization and project API keys)
+
+## Integration prerequisites
+
+- An Anthropic [Team or Enterprise organization](https://www.anthropic.com/pricing#team-&-enterprise)
+- [Organization-level admin (or equivalent) privileges in Anthropic](https://support.anthropic.com/articles/10186004-api-console-roles-and-permissions) to view organization metadata and manage API keys
+
+## Integration permissions
+
+For the Anthropic integration to function, Cloudflare CASB requires authorization via **API keys**:
+
+- `Organization API key (organization-level)`: Grants read-only access to organization/workspace metadata, members and invites, and key metadata used for findings.
+- (Optional) `Project API key (project-level)`: Grants read-only access to project metadata and keys when you include project scopes in the scan.
+
+These credentials follow the principle of least privilege so that only the minimum required access is granted.
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	product="cloudflare-one"
+	params={{ integrationName: "Anthropic", slugRelativePath: "anthropic" }}
+/>
+
+### API key hygiene
+
+Detect API keys that may be unused or overdue for rotation.
+
+| Finding type              | FindingTypeID                          | Severity |
+| ------------------------- | -------------------------------------- | -------- |
+| Anthropic: Unused API key | `f343cd22-21f0-45a6-b6f7-39b1539a0f2b` | Medium   |
+
+### Access security
+
+Flag organization access issues to help enforce best practices.
+
+| Finding type                     | FindingTypeID                          | Severity |
+| -------------------------------- | -------------------------------------- | -------- |
+| Anthropic: High-privilege invite | `a435d091-3bb1-42e1-bc98-32d80c6340a5` | High     |
+| Anthropic: Stale pending invite  | `5667f7fa-4215-4a8e-80d7-4694ea33335b` | Low      |
+
+### Data Loss Prevention (optional)
+
+<Render file="casb/data-loss-prevention" product="cloudflare-one" />
+
+| Finding type                                        | FindingTypeID                          | Severity |
+| --------------------------------------------------- | -------------------------------------- | -------- |
+| Anthropic: Downloadable File with DLP Profile match | `74ec2a38-0e69-48d4-80ed-a8faad5f40ef` | High     |
@@ -0,0 +1,60 @@
+---
+pcx_content_type: reference
+title: Gemini for Google Workspace
+rss: file
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	product="cloudflare-one"
+	params={{
+		integrationName: "Gemini for Google Workspace",
+		integrationAccountType: "Google Workspace account",
+	}}
+/>
+
+## Integration prerequisites
+
+<Render file="casb/google/google-prereqs" product="cloudflare-one" />
+
+## Integration permissions
+
+<Render
+	file="casb/integration-perms"
+	product="cloudflare-one"
+	params={{
+		parentIntegration: "Google Workspace",
+		parentSlug: "google-workspace",
+	}}
+/>
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	product="cloudflare-one"
+	params={{
+		integrationName: "Gemini for Google Workspace",
+		slugRelativePath: "gemini",
+	}}
+/>
+
+### User account settings
+
+| Finding type                                                                             | FindingTypeID                          | Severity | Description                                                                                                  |
+| ---------------------------------------------------------------------------------------- | -------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------ |
+| Google Workspace: Admin user with Gemini license with two-factor authentication disabled | `27a0a9a0-13c6-4d8f-a67c-b455dd213cb9` | High     | An administrator with a Gemini for Google Workspace license does not have two-factor authentication enabled. |
+| Google Workspace: User with Gemini license with two-factor authentication disabled       | `c82024dc-b836-4b86-8c90-ab07971474e4` | Medium   | A user with a Gemini for Google Workspace license does not have two-factor authentication enabled.           |
+
+### Inactive or suspended users
+
+| Finding type                                                 | FindingTypeID                          | Severity | Description                                                                            |
+| ------------------------------------------------------------ | -------------------------------------- | -------- | -------------------------------------------------------------------------------------- |
+| Google Workspace: Admin user suspended with AI Ultra license | `ee7d4ed6-479f-404f-8dbd-f82dce2a0f66` | Low      | An administrator account with an AI Ultra (Gemini for Workspace) license is suspended. |
+| Google Workspace: User suspended with AI Ultra license       | `cf20e808-29ad-4026-a8f9-6ec3e069376c` | Low      | A user account with an AI Ultra (Gemini for Workspace) license is suspended.           |
+
+### Gemini licensing
+
+<Render file="casb/google/gemini-licensing" product="cloudflare-one" />
@@ -59,6 +59,10 @@ These permissions follow the principle of least privilege to ensure that only th
 
 <Render file="casb/google/inactive-suspended-users" product="cloudflare-one" />
 
+### Gemini licensing
+
+<Render file="casb/google/gemini-licensing" product="cloudflare-one" />
+
 ### File sharing
 
 <Render file="casb/google/file-sharing" product="cloudflare-one" />

@@ -0,0 +1,108 @@
+---
+pcx_content_type: reference
+title: OpenAI
+rss: file
+---
+
+import { Render } from "~/components";
+
+The OpenAI integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated OpenAI account that could leave you and your organization vulnerable.
+
+This integration covers the following OpenAI products:
+
+- ChatGPT Enterprise (Workspaces)
+- OpenAI Platform Projects (API keys)
+- GPTs (custom GPTs)
+
+:::note
+Before you begin, ensure that OpenAI has enabled ChatGPT Enterprise Compliance API access for your organization. You will need an Admin API key issued for your organization, your Organization ID, and your Workspace ID. These are available in your [ChatGPT Admin Settings](https://chatgpt.com/admin/settings).
+
+If Compliance API access is not yet turned on for your organization, refer to [Enable Compliance API access](#enable-combliane-api-access).
+:::
+
+## Integration prerequisites
+
+- An OpenAI organization with a ChatGPT Enterprise workspace
+- Organization-level admin privileges to create and manage Admin API keys
+- (Optional) A Project API key and the corresponding Project ID if you plan to include OpenAI Platform Projects in the scan scope
+
+### Enable Compliance API access
+
+Compliance API access is required to use the OpenAI CASB integration. To enable Compliance API access:
+
+1. Contact `[email protected]` to request access to the Compliance API for your organization and for the API key you will use with Cloudflare CASB. In your request, include:
+   - The last four characters of the API key
+   - The name of the API key
+   - The name of the user who created the key
+   - The requested scope (`read`, `write`, or both)
+2. OpenAI will verify the key and grant the requested Compliance API scopes.
+3. After the scopes are granted, [add the OpenAI integration to CASB](/cloudflare-one/applications/casb/#add-an-integration). When prompted, enter your Open AI Admin API key, Organization ID, and Workspace ID (available at `https://chatgpt.com/admin/settings`).
+
+For more information, refer to the [OpenAI Help Center](https://help.openai.com/articles/9261474-compliance-api-for-enterprise-customers).
+
+## Integration permissions
+
+For the OpenAI integration to function, Cloudflare CASB requires the following authorization via API keys:
+
+- `Admin API key (organization-level)`: Grants read-only access to organization/workspace metadata, GPTs, users, invites, and audit/compliance objects exposed by the ChatGPT Enterprise Compliance API.
+- (Optional) `Project API key (project-level)`: Grants read-only access to OpenAI Platform project metadata and keys.
+
+These credentials follow the principle of least privilege so that only the minimum required access is granted.
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	product="cloudflare-one"
+	params={{ integrationName: "OpenAI", slugRelativePath: "openai" }}
+/>
+
+### Model and tool governance
+
+Flag risky tool and capability settings on custom GPTs.
+
+| Finding type                              | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: GPT with Custom Actions enabled   | `5a2995f5-0cc1-4af3-9045-cdf7e6601f7b` | High     | ✅                          |
+| OpenAI: GPT with Code Interpreter enabled | `d368036a-be90-49f0-b7da-5092a3f8beb4` | Medium   | ✅                          |
+| OpenAI: GPT with web browsing enabled     | `3af14358-5ff2-4502-921e-7ffd9a310093` | Medium   | ✅                          |
+
+### Publishing and sharing
+
+Identify GPTs that are externally visible beyond your organization.
+
+| Finding type                                    | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: GPT publicly accessible via GPT Store   | `c69adfa6-2362-4939-86ec-49ff34093cfd` | High     | ✅                          |
+| OpenAI: GPT publicly accessible via public link | `de460c9f-55c0-4131-9cdf-e4c3b84f9549` | High     | ✅                          |
+
+### API key hygiene
+
+Detect API keys that may be stale, unused, or overdue for rotation.
+
+| Finding type                        | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: Admin API key not rotated   | `b72e971d-f5b9-4cf3-96f4-ef82bdf38453` | High     | ❌                          |
+| OpenAI: Project API key not rotated | `2c079fe8-6188-43e1-a2e5-d0e2dd8c7686` | High     | ❌                          |
+| OpenAI: Unused admin API key        | `49c75a36-1e64-437b-98a1-e54ec35d0a64` | Medium   | ❌                          |
+| OpenAI: Unused project API key      | `c8fd231b-de51-43cc-8c3f-e1e57114c5f5` | Medium   | ❌                          |
+
+### Access security
+
+Flag user/invite issues to help enforce best practices.
+
+| Finding type                  | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: High-privilege invite | `776ceb93-fa9a-4ca0-83db-668a67c09936` | High     | ❌                          |
+| OpenAI: Inactive user         | `20ab9ddb-fd48-46a8-9fdf-9bb9b9061f21` | Medium   | ❌                          |
+| OpenAI: Stale pending invite  | `18fd5b21-8489-485e-9c93-0bd4a696e724` | Low      | ❌                          |
+
+### Data Loss Prevention (optional)
+
+<Render file="casb/data-loss-prevention" product="cloudflare-one" />
+
+| Finding type                                                | FindingTypeID                          | Severity | ChatGPT Enterprise required |
+| ----------------------------------------------------------- | -------------------------------------- | -------- | --------------------------- |
+| OpenAI: File in ChatGPT Conversation with DLP Profile match | `9aca654d-b331-4052-a5b4-2ceecced8676` | High     | ✅                          |
+| OpenAI: File in ChatGPT GPT with DLP Profile match          | `520200f5-7dcc-42c9-bc3c-423019159d45` | High     | ✅                          |
+| OpenAI: File in ChatGPT Project with DLP Profile match      | `8e46ec69-e5c1-4f53-ab00-a92f2050ec33` | High     | ❌                          |
@@ -0,0 +1,8 @@
+---
+{}
+---
+
+| Finding type                                       | FindingTypeID                          | Severity | Description                                                                                  |
+| -------------------------------------------------- | -------------------------------------- | -------- | -------------------------------------------------------------------------------------------- |
+| Google Workspace: Admin user with AI Ultra license | `62fa682a-c2b5-4d5a-a086-8e60bed804d3` | Low      | An administrator in Google Workspace is assigned an AI Ultra (Gemini for Workspace) license. |
+| Google Workspace: User with AI Ultra license       | `5b847ed3-6c02-4963-a1ab-82a4aa2b6c64` | Low      | A user in Google Workspace is assigned an AI Ultra (Gemini for Workspace) license.           |
@@ -2,9 +2,11 @@
 {}
 ---
 
-| Finding type                           | FindingTypeID                          | Severity | Description                                                                 |
-| -------------------------------------- | -------------------------------------- | -------- | --------------------------------------------------------------------------- |
-| Google Workspace: Inactive admin user  | `391ee66d-10e0-4b26-91b3-741a2a4c39d0` | Medium   | An administrator account in Google Workspace has not logged in for 30 days. |
-| Google Workspace: Suspended admin user | `31e02a11-aa3b-4278-97d3-9c0f7e8fd2c7` | Medium   | An administrator account in Google Workspace is suspended.                  |
-| Google Workspace: Inactive user        | `7c098546-2e67-4f01-9fb7-bd48412bd178` | Low      | A user account in Google Workspace has not logged in for 30 days.           |
-| Google Workspace: Suspended user       | `84f514e3-f12d-49e5-bdfe-9073e336d89e` | Low      | A user account in Google Workspace is suspended.                            |
+| Finding type                                                 | FindingTypeID                          | Severity | Description                                                                                                |
+| ------------------------------------------------------------ | -------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------- |
+| Google Workspace: Inactive admin user                        | `391ee66d-10e0-4b26-91b3-741a2a4c39d0` | Medium   | An administrator account in Google Workspace has not logged in for 30 days.                                |
+| Google Workspace: Suspended admin user                       | `31e02a11-aa3b-4278-97d3-9c0f7e8fd2c7` | Medium   | An administrator account in Google Workspace is suspended.                                                 |
+| Google Workspace: Inactive user                              | `7c098546-2e67-4f01-9fb7-bd48412bd178` | Low      | A user account in Google Workspace has not logged in for 30 days.                                          |
+| Google Workspace: Suspended user                             | `84f514e3-f12d-49e5-bdfe-9073e336d89e` | Low      | A user account in Google Workspace is suspended.                                                           |
+| Google Workspace: Admin user suspended with AI Ultra license | `ee7d4ed6-479f-404f-8dbd-f82dce2a0f66` | Low      | An administrator account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended. |
+| Google Workspace: User suspended with AI Ultra license       | `cf20e808-29ad-4026-a8f9-6ec3e069376c` | Low      | A user account in Google Workspace with an AI Ultra (Gemini for Workspace) license is suspended.           |
@@ -2,9 +2,11 @@
 {}
 ---
 
-| Finding type                                                         | FindingTypeID                          | Severity | Description                                                                           |
-| -------------------------------------------------------------------- | -------------------------------------- | -------- | ------------------------------------------------------------------------------------- |
-| Google Workspace: Admin user with two-factor authentication disabled | `5f7c1f62-0ac6-4422-b3d3-d0566dd4e3f2` | Critical | An administrator in Google Workspace does not have two-factor authentication enabled. |
-| Google Workspace: User with two-factor authentication disabled       | `739e1965-2ab4-4946-8a56-73fd75154efa` | High     | A user in Google Workspace does not have two-factor authentication enabled.           |
-| Google Workspace: User without recovery email                        | `2e2383bb-51e8-47fc-8ba7-2dd255c2545f` | Low      | A user in Google Workspace does not have a recovery email set.                        |
-| Google Workspace: User without recovery phone number                 | `ec326c68-f331-4597-9ec4-43dc197c86f4` | Low      | A user in Google Workspace does not have a recovery phone number set.                 |
+| Finding type                                                                             | FindingTypeID                          | Severity | Description                                                                                                  |
+| ---------------------------------------------------------------------------------------- | -------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------ |
+| Google Workspace: Admin user with two-factor authentication disabled                     | `5f7c1f62-0ac6-4422-b3d3-d0566dd4e3f2` | Critical | An administrator in Google Workspace does not have two-factor authentication enabled.                        |
+| Google Workspace: User with two-factor authentication disabled                           | `739e1965-2ab4-4946-8a56-73fd75154efa` | High     | A user in Google Workspace does not have two-factor authentication enabled.                                  |
+| Google Workspace: Admin user with Gemini license with two-factor authentication disabled | `27a0a9a0-13c6-4d8f-a67c-b455dd213cb9` | High     | An administrator with a Gemini for Google Workspace license does not have two-factor authentication enabled. |
+| Google Workspace: User with Gemini license with two-factor authentication disabled       | `c82024dc-b836-4b86-8c90-ab07971474e4` | Medium   | A user with a Gemini for Google Workspace license does not have two-factor authentication enabled.           |
+| Google Workspace: User without recovery email                                            | `2e2383bb-51e8-47fc-8ba7-2dd255c2545f` | Low      | A user in Google Workspace does not have a recovery email set.                                               |
+| Google Workspace: User without recovery phone number                                     | `ec326c68-f331-4597-9ec4-43dc197c86f4` | Low      | A user in Google Workspace does not have a recovery phone number set.                                        |