Cloudflare Docs
Analytics
Analytics
Edit this page on GitHub
Set theme to dark (⇧+D)

Querying Firewall Events with GraphQL

In this example, we are going to use the GraphQL Analytics API to query for Firewall Events over a specified time period.

The following API call will request Firewall Events over a one hour period, and output the requested fields. Be sure to replace CLOUDFLARE_ZONE_ID, CLOUDFLARE_EMAIL, and CLOUDFLARE_API_KEY with your zone tag and API credentials, and adjust the datetime_geg and datetime_leq values to your liking.

​​ API Call

echo '{ "query":
"query ListFirewallEvents($zoneTag: string, $filter: FirewallEventsAdaptiveFilter_InputObject) {
viewer {
zones(filter: { zoneTag: $zoneTag }) {
firewallEventsAdaptive(
filter: $filter
limit: 10
orderBy: [datetime_DESC]
) {
action
clientAsn
clientCountryName
clientIP
clientRequestPath
clientRequestQuery
datetime
source
userAgent
}
}
}
}",
"variables": {
"zoneTag": "CLOUDFLARE_ZONE_ID",
"filter": {
"datetime_geq": "2022-07-24T11:00:00Z",
"datetime_leq": "2022-07-24T12:00:00Z"
}
}
}' | tr -d '\n' | curl \
-X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Email: CLOUDFLARE_EMAIL" \
-H "X-Auth-key: CLOUDFLARE_API_KEY" \
-s \
-d @- \
https://api.cloudflare.com/client/v4/graphql/

The results returned will be in JSON (as requested), so piping the output to jq will make them easier to read, for example:

... | curl \
-X POST \
-H "Content-Type: application/json" \
-H "X-Auth-Email: CLOUDFLARE_EMAIL" \
-H "X-Auth-key: CLOUDFLARE_API_KEY" \
-s \
-d @- \
https://api.cloudflare.com/client/v4/graphql/ | jq .
#=> {
#=> "data": {
#=> "viewer": {
#=> "zones": [
#=> {
#=> "firewallEventsAdaptive": [
#=> {
#=> "action": "log",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "block",
#=> "clientAsn": "5089",
#=> "clientCountryName": "GB",
#=> "clientIP": "203.0.113.69",
#=> "clientRequestPath": "/%3Cscript%3Ealert()%3C/script%3E",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:11:24Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "58224",
#=> "clientCountryName": "IR",
#=> "clientIP": "2.183.175.37",
#=> "clientRequestPath": "/api/v2",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:00:54Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
#=> },
#=> {
#=> "action": "log",
#=> "clientAsn": "58224",
#=> "clientCountryName": "IR",
#=> "clientIP": "2.183.175.37",
#=> "clientRequestPath": "/api/v2",
#=> "clientRequestQuery": "",
#=> "datetime": "2020-04-24T10:00:54Z",
#=> "source": "waf",
#=> "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
#=> }
#=> ]
#=> }
#=> ]
#=> }
#=> },
#=> "errors": null
#=> }