API Reference

Cloudforce One

Threat Events

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Filter and list events

client.CloudforceOne.ThreatEvents.List(ctx, params) (*[]ThreatEventListResponse, error)

GET/accounts/{account_id}/cloudforce-one/events

When datasetId is unspecified, events will be listed from the Cloudforce One Threat Events dataset. To list existing datasets (and their IDs), use the List Datasets endpoint). Also, must provide query parameters.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

Accepted Permissions (at least one required)

Cloudforce One WriteCloudforce One Read

ParametersExpand Collapse

params ThreatEventListParams

AccountID param.Field[string]

Path param: Account ID.

Cursor param.Field[string]optional

Query param: Cursor for pagination. When provided, filters are embedded in the cursor so you only need to pass cursor and pageSize. Returned in the previous response's result_info.cursor field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance.

DatasetID param.Field[[]string]optional

Query param

ForceRefresh param.Field[bool]optional

Query param

Format param.Field[ThreatEventListParamsFormat]optional

Query param

const ThreatEventListParamsFormatJson ThreatEventListParamsFormat = "json"

const ThreatEventListParamsFormatStix2 ThreatEventListParamsFormat = "stix2"

Order param.Field[ThreatEventListParamsOrder]optional

Query param

const ThreatEventListParamsOrderAsc ThreatEventListParamsOrder = "asc"

const ThreatEventListParamsOrderDesc ThreatEventListParamsOrder = "desc"

OrderBy param.Field[string]optional

Query param

Page param.Field[float64]optional

Query param: Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead.

PageSize param.Field[float64]optional

Query param: Number of results per page. Maximum 25,000.

Search param.Field[[]ThreatEventListParamsSearch]optional

Query param

Field stringoptional

Event field to search on. Allowed: attacker, attackerCountry, category, createdAt, date, event, indicator, indicatorType, killChain, mitreAttack, tags, targetCountry, targetIndustry, tlp, uuid.

Op ThreatEventListParamsSearchOpoptional

Search operator. Use 'in' for bulk lookup of up to 100 values at once, e.g. {field:'tags', op:'in', value:['malware','apt']}.

One of the following:

const ThreatEventListParamsSearchOpEquals ThreatEventListParamsSearchOp = "equals"

const ThreatEventListParamsSearchOpNot ThreatEventListParamsSearchOp = "not"

const ThreatEventListParamsSearchOpGt ThreatEventListParamsSearchOp = "gt"

const ThreatEventListParamsSearchOpGte ThreatEventListParamsSearchOp = "gte"

const ThreatEventListParamsSearchOpLt ThreatEventListParamsSearchOp = "lt"

const ThreatEventListParamsSearchOpLte ThreatEventListParamsSearchOp = "lte"

const ThreatEventListParamsSearchOpLike ThreatEventListParamsSearchOp = "like"

const ThreatEventListParamsSearchOpContains ThreatEventListParamsSearchOp = "contains"

const ThreatEventListParamsSearchOpStartsWith ThreatEventListParamsSearchOp = "startsWith"

const ThreatEventListParamsSearchOpEndsWith ThreatEventListParamsSearchOp = "endsWith"

const ThreatEventListParamsSearchOpIn ThreatEventListParamsSearchOp = "in"

const ThreatEventListParamsSearchOpFind ThreatEventListParamsSearchOp = "find"

Value ThreatEventListParamsSearchValueUnionoptional

Search value. String or number for most operators. Array for 'in' operator (max 100 items).

One of the following:

UnionString

UnionFloat

type ThreatEventListParamsSearchValueArray []ThreatEventListParamsSearchValueArrayUnion

One of the following:

UnionString

UnionFloat

ReturnsExpand Collapse

type ThreatEventListResponse []ThreatEventListResponse

Attacker string

AttackerCountry string

Category string

DatasetID string

Date string

Event string

HasChildren bool

Indicator string

IndicatorType string

IndicatorTypeID float64

KillChain float64

MitreAttack []string

MitreCapec []string

NumReferenced float64

NumReferences float64

RawID string

Referenced []string

ReferencedIDs []float64

References []string

ReferencesIDs []float64

Tags []string

TargetCountry string

TargetIndustry string

TLP string

UUID string

Insight stringoptional

ReleasabilityID stringoptional

Filter and list events

Go

HTTP

TypeScript

Python

Go

Terraform

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/cloudforce_one"
  "github.com/cloudflare/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  threatEvents, err := client.CloudforceOne.ThreatEvents.List(context.TODO(), cloudforce_one.ThreatEventListParams{
    AccountID: cloudflare.F("account_id"),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", threatEvents)
}

200 example

[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]

Returns Examples

200 example

[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]