Skip to content
Cloudflare API
Start here
API Reference
Cloudforce One
Threat Events

Filter and list events

client.CloudforceOne.ThreatEvents.List(ctx, params) (*[]ThreatEventListResponse, error)
GET/accounts/{account_id}/cloudforce-one/events

Use datasetId=all or datasetId=* to query all event datasets for the account (limited to 10). When datasetId is unspecified, events are listed from the default Cloudforce One Threat Events dataset. To list existing datasets, use the List Datasets endpoint.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
Accepted Permissions (at least one required)
Cloudforce One WriteCloudforce One Read
ParametersExpand Collapse
params ThreatEventListParams
AccountID param.Field[string]

Path param: Account ID.

Cursor param.Field[string]Optional

Query param: Cursor for pagination. When provided, filters are embedded in the cursor so you only need to pass cursor and pageSize. Returned in the previous response’s result_info.cursor field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance.

DatasetID param.Field[[]string]Optional

Query param: Dataset IDs to query events from (array of UUIDs), or special value ‘all’ or ’*’ to query all event datasets for the account. If not provided, uses the default dataset.

ForceRefresh param.Field[bool]Optional

Query param

Format param.Field[ThreatEventListParamsFormat]Optional

Query param

const ThreatEventListParamsFormatJson ThreatEventListParamsFormat = "json"
const ThreatEventListParamsFormatStix2 ThreatEventListParamsFormat = "stix2"
const ThreatEventListParamsFormatTaxii ThreatEventListParamsFormat = "taxii"
Order param.Field[ThreatEventListParamsOrder]Optional

Query param

const ThreatEventListParamsOrderAsc ThreatEventListParamsOrder = "asc"
const ThreatEventListParamsOrderDesc ThreatEventListParamsOrder = "desc"
OrderBy param.Field[string]Optional

Query param

Page param.Field[float64]Optional

Query param: Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead.

PageSize param.Field[float64]Optional

Query param: Number of results per page. Maximum 25,000.

One of the following:
One of the following:
One of the following:
ReturnsExpand Collapse
type ThreatEventListResponse []ThreatEventListResponse
Attacker string
AttackerCountry string
Category string
DatasetID string
Date string
Event string
HasChildren bool
Indicator string
IndicatorType string
IndicatorTypeID float64
KillChain float64
MitreAttack []string
MitreCapec []string
NumReferenced float64
NumReferences float64
RawID string
Referenced []string
ReferencedIDs []float64
References []string
ReferencesIDs []float64
Tags []string
TargetCountry string
TargetIndustry string
TLP string
UUID string
Insight stringOptional
ReleasabilityID stringOptional

Filter and list events

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/cloudforce_one"
  "github.com/cloudflare/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  threatEvents, err := client.CloudforceOne.ThreatEvents.List(context.TODO(), cloudforce_one.ThreatEventListParams{
    AccountID: cloudflare.F("account_id"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", threatEvents)
}

[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]
Returns Examples
[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]