Querying Firewall Events with GraphQL

In this example, we're going to use the GraphQL Analytics API to query for Firewall Events over a specified time period.

The following API call will request Firewall Events over a one hour period, and output the requested fields. Be sure to replace CLOUDFLARE_ZONE_ID, CLOUDFLARE_EMAIL, and CLOUDFLARE_API_KEY with your zone tag and API credentials, and adjust the datetime_geg and datetime_leq values to your liking.

API Call

PAYLOAD='{ "query":
  "query ListFirewallEvents($zoneTag: string, $filter: FirewallEventsAdaptiveFilter_InputObject) {
      viewer {
        zones(filter: { zoneTag: $zoneTag }) {
          firewallEventsAdaptive(
            filter: $filter
            limit: 10
            orderBy: [datetime_DESC]
          ) {
            action
            clientAsn
            clientCountryName
            clientIP
            clientRequestPath
            clientRequestQuery
            datetime
            source
            userAgent
          }
        }
      }
    }",
    "variables": {
      "zoneTag": "CLOUDFLARE_ZONE_ID",
      "filter": {
        "datetime_geq": "2020-04-24T11:00:00Z",
        "datetime_leq": "2020-04-24T12:00:00Z"
      }
    }
  }'

curl \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Email: CLOUDFLARE_EMAIL" \
  -H "X-Auth-key: CLOUDFLARE_API_KEY" \
  --data "$(echo $PAYLOAD)" \
  https://api.cloudflare.com/client/v4/graphql/

The results returned will be in JSON (as requested), so piping the output to jq will make them easier to read, e.g.,:

curl \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Auth-Email: CLOUDFLARE_EMAIL" \
  -H "X-Auth-key: CLOUDFLARE_API_KEY" \
  --data "$(echo $PAYLOAD)" \
  https://api.cloudflare.com/client/v4/graphql/ | jq .
{
  "data": {
    "viewer": {
      "zones": [
        {
          "firewallEventsAdaptive": [
            {
              "action": "log",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "drop",
              "clientAsn": "5089",
              "clientCountryName": "GB",
              "clientIP": "203.0.113.69",
              "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:11:24Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "58224",
              "clientCountryName": "IR",
              "clientIP": "2.183.175.37",
              "clientRequestPath": "/api/v2",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:00:54Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
            },
            {
              "action": "log",
              "clientAsn": "58224",
              "clientCountryName": "IR",
              "clientIP": "2.183.175.37",
              "clientRequestPath": "/api/v2",
              "clientRequestQuery": "",
              "datetime": "2020-04-24T10:00:54Z",
              "source": "waf",
              "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
            }
          ]
        }
      ]
    }
  },
  "errors": null
}