# Threat Events

## Filter and list events

`client.cloudforceOne.threatEvents.list(ThreatEventListParams params, RequestOptions options?): ThreatEventListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events`

When `datasetId` is unspecified, events will be listed from the `Cloudforce One Threat Events` dataset. To list existing datasets (and their IDs), use the [`List Datasets`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/list/) endpoint. You must also provide query parameters.

### Parameters

- `params: ThreatEventListParams`
  - `account_id: string` Path param: Account ID.
  - `cursor?: string` Query param: Cursor for pagination. When provided, filters are embedded in the cursor so you only need to pass `cursor` and `pageSize`. Returned in the previous response's `result_info.cursor` field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance.
  - `datasetId?: Array` Query param
  - `forceRefresh?: boolean` Query param
  - `format?: "json" | "stix2"` Query param
    - `"json"`
    - `"stix2"`
  - `order?: "asc" | "desc"` Query param
    - `"asc"`
    - `"desc"`
  - `orderBy?: string` Query param
  - `page?: number` Query param: Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead.
  - `pageSize?: number` Query param: Number of results per page. Maximum 25,000.
  - `search?: Array` Query param
    - `field?: string` Event field to search on. Allowed: attacker, attackerCountry, category, createdAt, date, event, indicator, indicatorType, killChain, mitreAttack, tags, targetCountry, targetIndustry, tlp, uuid.
    - `op?: "equals" | "not" | "gt" | 9 more` Search operator. Use 'in' for bulk lookup of up to 100 values at once, e.g. {field:'tags', op:'in', value:['malware','apt']}.
      - `"equals"`
      - `"not"`
      - `"gt"`
      - `"gte"`
      - `"lt"`
      - `"lte"`
      - `"like"`
      - `"contains"`
      - `"startsWith"`
      - `"endsWith"`
      - `"in"`
      - `"find"`
    - `value?: string | number | Array` Search value. String or number for most operators. Array for 'in' operator (max 100 items).
      - `string`
      - `number`
      - `Array`
        - `string`
        - `number`

### Returns

- `ThreatEventListResponse = Array`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const threatEvents = await client.cloudforceOne.threatEvents.list({ account_id: 'account_id' });

console.log(threatEvents);
```

#### Response

```json
[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [" "],
    "mitreCapec": [" "],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [" "],
    "referencedIds": [0],
    "references": [" "],
    "referencesIds": [0],
    "tags": ["malware"],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]
```

## Reads an event

`client.cloudforceOne.threatEvents.get(string eventId, ThreatEventGetParams params, RequestOptions options?): ThreatEventGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/{event_id}`

This method is deprecated. Please use `/events/dataset/:dataset_id/events/:event_id` instead.

### Parameters

- `eventId: string` Event UUID.
- `params: ThreatEventGetParams`
  - `account_id: string` Account ID.

### Returns

- `ThreatEventGetResponse`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const threatEvent = await client.cloudforceOne.threatEvents.get('event_id', {
  account_id: 'account_id',
});

console.log(threatEvent.uuid);
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Creates a new event

`client.cloudforceOne.threatEvents.create(ThreatEventCreateParams params, RequestOptions options?): ThreatEventCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/create`

To create a dataset, see the [`Create Dataset`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/create/) endpoint. When the `datasetId` parameter is unspecified, the event will be created in a default dataset named `Cloudforce One Threat Events`.

### Parameters

- `params: ThreatEventCreateParams`
  - `account_id: string` Path param: Account ID.
  - `category: string` Body param
  - `date: string` Body param
  - `event: string` Body param
  - `raw: Raw` Body param
    - `data: Record | null`
    - `source?: string`
    - `tlp?: string`
  - `tlp: string` Body param
  - `accountId?: number` Body param
  - `attacker?: string | null` Body param
  - `attackerCountry?: string` Body param
  - `datasetId?: string` Body param
  - `indicator?: string` Body param
  - `indicators?: Array` Body param: Array of indicators for this event. Supports multiple indicators per event for complex scenarios.
    - `indicatorType: string` The type of indicator (e.g., DOMAIN, IP, JA3, HASH)
    - `value: string` The indicator value (e.g., domain name, IP address, hash)
  - `indicatorType?: string` Body param
  - `insight?: string` Body param
  - `tags?: Array` Body param
  - `targetCountry?: string` Body param
  - `targetIndustry?: string` Body param

### Returns

- `ThreatEventCreateResponse`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const threatEvent = await client.cloudforceOne.threatEvents.create({
  account_id: 'account_id',
  category: 'Domain Resolution',
  date: '2022-04-01T00:00:00Z',
  event: 'An attacker registered the domain domain.com',
  raw: { data: { foo: 'bar' } },
  tlp: 'amber',
});

console.log(threatEvent.uuid);
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Updates an event

`client.cloudforceOne.threatEvents.edit(string eventId, ThreatEventEditParams params, RequestOptions options?): ThreatEventEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/{event_id}`

Updates an event

### Parameters

- `eventId: string` Event UUID.
- `params: ThreatEventEditParams`
  - `account_id: string` Path param: Account ID.
  - `datasetId: string` Body param: Dataset ID containing the event to update.
  - `attacker?: string | null` Body param
  - `attackerCountry?: string` Body param
  - `category?: string` Body param
  - `createdAt?: string` Body param
  - `date?: string` Body param
  - `event?: string` Body param
  - `indicator?: string` Body param
  - `indicatorType?: string` Body param
  - `insight?: string` Body param
  - `raw?: Raw` Body param
    - `data?: Record | null`
    - `source?: string`
    - `tlp?: string`
  - `targetCountry?: string` Body param
  - `targetIndustry?: string` Body param
  - `tlp?: string` Body param

### Returns

- `ThreatEventEditResponse`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.cloudforceOne.threatEvents.edit('event_id', {
  account_id: 'account_id',
  datasetId: '9b769969-a211-466c-8ac3-cb91266a066a',
});

console.log(response.uuid);
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Creates bulk events

`client.cloudforceOne.threatEvents.bulkCreate(ThreatEventBulkCreateParams params, RequestOptions options?): ThreatEventBulkCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/create/bulk`

The `datasetId` parameter must be defined. To list existing datasets (and their IDs) in your account, use the [`List Datasets`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/list/) endpoint.

### Parameters

- `params: ThreatEventBulkCreateParams`
  - `account_id: string` Path param: Account ID.
  - `data: Array` Body param
    - `category: string`
    - `date: string`
    - `event: string`
    - `raw: Raw`
      - `data: Record | null`
      - `source?: string`
      - `tlp?: string`
    - `tlp: string`
    - `accountId?: number`
    - `attacker?: string | null`
    - `attackerCountry?: string`
    - `datasetId?: string`
    - `indicator?: string`
    - `indicators?: Array` Array of indicators for this event. Supports multiple indicators per event for complex scenarios.
      - `indicatorType: string` The type of indicator (e.g., DOMAIN, IP, JA3, HASH)
      - `value: string` The indicator value (e.g., domain name, IP address, hash)
    - `indicatorType?: string`
    - `insight?: string`
    - `tags?: Array`
    - `targetCountry?: string`
    - `targetIndustry?: string`
  - `datasetId: string` Body param
  - `includeCreatedEvents?: boolean` Body param: When true, response includes array of created event UUIDs and shard IDs. Useful for tracking which events were created and where.

### Returns

- `ThreatEventBulkCreateResponse` Detailed result of bulk event creation with auto-tag management
  - `createdEventsCount: number` Number of events created
  - `createdTagsCount: number` Number of new tags created in SoT
  - `errorCount: number` Number of errors encountered
  - `queuedIndicatorsCount: number` Number of indicators queued for async processing
  - `createBulkEventsRequestId?: string` Correlation ID for async indicator processing
  - `createdEvents?: Array` Array of created events with UUIDs and shard locations. Only present when includeCreatedEvents=true
    - `eventIndex: number` Original index in the input data array
    - `shardId: string` Dataset ID of the shard where the event was created
    - `uuid: string` UUID of the created event
  - `errors?: Array` Array of error details
    - `error: string` Error message
    - `eventIndex: number` Index of the event that caused the error

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.cloudforceOne.threatEvents.bulkCreate({
  account_id: 'account_id',
  data: [
    {
      category: 'Domain Resolution',
      date: '2022-04-01T00:00:00Z',
      event: 'An attacker registered the domain domain.com',
      raw: { data: { foo: 'bar' } },
      tlp: 'amber',
    },
  ],
  datasetId: 'durableObjectName',
});

console.log(response.createdEventsCount);
```

#### Response

```json
{
  "createdEventsCount": 0,
  "createdTagsCount": 0,
  "errorCount": 0,
  "queuedIndicatorsCount": 0,
  "createBulkEventsRequestId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
  "createdEvents": [
    {
      "eventIndex": 0,
      "shardId": "shardId",
      "uuid": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    }
  ],
  "errors": [
    {
      "error": "error",
      "eventIndex": 0
    }
  ]
}
```

## Domain Types

### Threat Event List Response

- `ThreatEventListResponse = Array`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Threat Event Get Response

- `ThreatEventGetResponse`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Threat Event Create Response

- `ThreatEventCreateResponse`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Threat Event Edit Response

- `ThreatEventEditResponse`
  - `attacker: string`
  - `attackerCountry: string`
  - `category: string`
  - `datasetId: string`
  - `date: string`
  - `event: string`
  - `hasChildren: boolean`
  - `indicator: string`
  - `indicatorType: string`
  - `indicatorTypeId: number`
  - `killChain: number`
  - `mitreAttack: Array`
  - `mitreCapec: Array`
  - `numReferenced: number`
  - `numReferences: number`
  - `rawId: string`
  - `referenced: Array`
  - `referencedIds: Array`
  - `references: Array`
  - `referencesIds: Array`
  - `tags: Array`
  - `targetCountry: string`
  - `targetIndustry: string`
  - `tlp: string`
  - `uuid: string`
  - `insight?: string`
  - `releasabilityId?: string`

### Threat Event Bulk Create Response

- `ThreatEventBulkCreateResponse` Detailed result of bulk event creation with auto-tag management
  - `createdEventsCount: number` Number of events created
  - `createdTagsCount: number` Number of new tags created in SoT
  - `errorCount: number` Number of errors encountered
  - `queuedIndicatorsCount: number` Number of indicators queued for async processing
  - `createBulkEventsRequestId?: string` Correlation ID for async indicator processing
  - `createdEvents?: Array` Array of created events with UUIDs and shard locations. Only present when includeCreatedEvents=true
    - `eventIndex: number` Original index in the input data array
    - `shardId: string` Dataset ID of the shard where the event was created
    - `uuid: string` UUID of the created event
  - `errors?: Array` Array of error details
    - `error: string` Error message
    - `eventIndex: number` Index of the event that caused the error

# Attackers

## Lists attackers across multiple datasets

`client.cloudforceOne.threatEvents.attackers.list(AttackerListParams params, RequestOptions options?): AttackerListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/attackers`

Lists attackers across multiple datasets

### Parameters

- `params: AttackerListParams`
  - `account_id: string` Path param: Account ID.
  - `datasetIds?: Array` Query param: Array of dataset IDs to query attackers from. If not provided, uses the default dataset.
### Returns

- `AttackerListResponse`
  - `items: Items`
    - `type: string`
  - `type: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const attackers = await client.cloudforceOne.threatEvents.attackers.list({
  account_id: 'account_id',
});

console.log(attackers.items);
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Attacker List Response

- `AttackerListResponse`
  - `items: Items`
    - `type: string`
  - `type: string`

# Categories

## Lists categories across multiple datasets

`client.cloudforceOne.threatEvents.categories.list(CategoryListParams params, RequestOptions options?): CategoryListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/categories`

Lists categories across multiple datasets

### Parameters

- `params: CategoryListParams`
  - `account_id: string` Path param: Account ID.
  - `datasetIds?: Array` Query param: Array of dataset IDs to query categories from. If not provided, uses the default dataset.
### Returns

- `CategoryListResponse = Array`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const categories = await client.cloudforceOne.threatEvents.categories.list({
  account_id: 'account_id',
});

console.log(categories);
```

#### Response

```json
[
  {
    "killChain": 0,
    "name": "name",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "mitreAttack": ["T1234"],
    "mitreCapec": ["123"],
    "shortname": "shortname"
  }
]
```

## Reads a category

`client.cloudforceOne.threatEvents.categories.get(string categoryId, CategoryGetParams params, RequestOptions options?): CategoryGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Reads a category

### Parameters

- `categoryId: string` Category UUID.
- `params: CategoryGetParams`
  - `account_id: string` Account ID.
### Returns

- `CategoryGetResponse`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const category = await client.cloudforceOne.threatEvents.categories.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(category.uuid);
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Creates a new category

`client.cloudforceOne.threatEvents.categories.create(CategoryCreateParams params, RequestOptions options?): CategoryCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/categories/create`

Creates a new category

### Parameters

- `params: CategoryCreateParams`
  - `account_id: string` Path param: Account ID.
  - `killChain: number` Body param
  - `name: string` Body param
  - `mitreAttack?: Array` Body param
  - `mitreCapec?: Array` Body param
  - `shortname?: string` Body param

### Returns

- `CategoryCreateResponse`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const category = await client.cloudforceOne.threatEvents.categories.create({
  account_id: 'account_id',
  killChain: 0,
  name: 'name',
});

console.log(category.uuid);
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Updates a category

`client.cloudforceOne.threatEvents.categories.edit(string categoryId, CategoryEditParams params, RequestOptions options?): CategoryEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Updates a category

### Parameters

- `categoryId: string` Category UUID.
- `params: CategoryEditParams`
  - `account_id: string` Path param: Account ID.
  - `killChain?: number` Body param
  - `mitreAttack?: Array` Body param
  - `mitreCapec?: Array` Body param
  - `name?: string` Body param
  - `shortname?: string` Body param

### Returns

- `CategoryEditResponse`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.cloudforceOne.threatEvents.categories.edit(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(response.uuid);
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Deletes a category

`client.cloudforceOne.threatEvents.categories.delete(string categoryId, CategoryDeleteParams params, RequestOptions options?): CategoryDeleteResponse`

**delete** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Deletes a category

### Parameters

- `categoryId: string` Category UUID.
- `params: CategoryDeleteParams`
  - `account_id: string` Account ID.
### Returns

- `CategoryDeleteResponse`
  - `uuid: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const category = await client.cloudforceOne.threatEvents.categories.delete(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(category.uuid);
```

#### Response

```json
{
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Domain Types

### Category List Response

- `CategoryListResponse = Array`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Category Get Response

- `CategoryGetResponse`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Category Create Response

- `CategoryCreateResponse`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Category Edit Response

- `CategoryEditResponse`
  - `killChain: number`
  - `name: string`
  - `uuid: string`
  - `mitreAttack?: Array`
  - `mitreCapec?: Array`
  - `shortname?: string`

### Category Delete Response

- `CategoryDeleteResponse`
  - `uuid: string`

# Countries

## Retrieves countries information for all countries

`client.cloudforceOne.threatEvents.countries.list(CountryListParams params, RequestOptions options?): CountryListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/countries`

Retrieves countries information for all countries

### Parameters

- `params: CountryListParams`
  - `account_id: string` Account ID.
### Returns

- `CountryListResponse = Array`
  - `result: Array`
    - `alpha3: string`
    - `name: string`
  - `success: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const countries = await client.cloudforceOne.threatEvents.countries.list({
  account_id: 'account_id',
});

console.log(countries);
```

#### Response

```json
[
  {
    "result": [
      {
        "alpha3": "AF",
        "name": "Afghanistan"
      }
    ],
    "success": "true"
  }
]
```

## Domain Types

### Country List Response

- `CountryListResponse = Array`
  - `result: Array`
    - `alpha3: string`
    - `name: string`
  - `success: string`

# Crons

# Datasets

## Lists all datasets in an account

`client.cloudforceOne.threatEvents.datasets.list(DatasetListParams params, RequestOptions options?): DatasetListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/dataset`

Lists all datasets in an account

### Parameters

- `params: DatasetListParams`
  - `account_id: string` Account ID.

### Returns

- `DatasetListResponse = Array`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const datasets = await client.cloudforceOne.threatEvents.datasets.list({
  account_id: 'account_id',
});

console.log(datasets);
```

#### Response

```json
[
  {
    "isPublic": true,
    "name": "friendly dataset name",
    "uuid": "12345678-1234-1234-1234-1234567890ab"
  }
]
```

## Reads a dataset

`client.cloudforceOne.threatEvents.datasets.get(string datasetId, DatasetGetParams params, RequestOptions options?): DatasetGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}`

Reads a dataset

### Parameters

- `datasetId: string` Dataset ID.
- `params: DatasetGetParams`
  - `account_id: string` Account ID.
### Returns

- `DatasetGetResponse`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const dataset = await client.cloudforceOne.threatEvents.datasets.get(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  { account_id: 'account_id' },
);

console.log(dataset.uuid);
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Creates a dataset

`client.cloudforceOne.threatEvents.datasets.create(DatasetCreateParams params, RequestOptions options?): DatasetCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/dataset/create`

Creates a dataset

### Parameters

- `params: DatasetCreateParams`
  - `account_id: string` Path param: Account ID.
  - `isPublic: boolean` Body param: If true, then anyone can search the dataset. If false, then it's limited to the account.
  - `name: string` Body param: Used to describe the dataset within the account context.
### Returns

- `DatasetCreateResponse`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const dataset = await client.cloudforceOne.threatEvents.datasets.create({
  account_id: 'account_id',
  isPublic: true,
  name: 'x',
});

console.log(dataset.uuid);
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Updates an existing dataset

`client.cloudforceOne.threatEvents.datasets.edit(string datasetId, DatasetEditParams params, RequestOptions options?): DatasetEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}`

Updates an existing dataset

### Parameters

- `datasetId: string` Dataset ID.
- `params: DatasetEditParams`
  - `account_id: string` Path param: Account ID.
  - `isPublic: boolean` Body param: If true, then anyone can search the dataset. If false, then it's limited to the account.
  - `name: string` Body param: Used to describe the dataset within the account context.
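
A pre-flight check for the `isPublic` flag on the dataset create and edit endpoints, as an added example that is not part of the Cloudflare documentation or SDK: it holds back events whose `tlp` (or `raw.tlp`) is too restrictive for a dataset anyone can search, then maps `bulkCreate`'s `eventIndex` values back to the caller's original batch. The function names, the TLP label ordering and the `clear`-only ceiling for public datasets are assumptions of this example; the SDK calls and field names are the ones documented on this page.

```javascript
// Added example, not Cloudflare's code. TLP labels ordered from least to most
// restrictive, lowercase to match the page's "amber". The label set (TLP 2.0
// plus legacy "white") and the ceiling policy are assumptions of this sketch.
const TLP_RANK = new Map([
  ['clear', 0], ['white', 0], ['green', 1],
  ['amber', 2], ['amber+strict', 3], ['red', 4],
]);

// Accepts "amber", "AMBER" or "TLP:AMBER"; returns undefined for unknown labels.
function tlpRank(label) {
  const key = String(label ?? '').trim().toLowerCase().replace(/^tlp:/, '');
  return TLP_RANK.get(key);
}

// An event carries `tlp` and, optionally, `raw.tlp`; the stricter one governs.
// Returns undefined if any label present is unrecognised, so callers fail closed.
function effectiveTlpRank(event) {
  const labels = [event.tlp];
  if (event.raw && event.raw.tlp !== undefined) labels.push(event.raw.tlp);
  const ranks = labels.map(tlpRank);
  return ranks.includes(undefined) ? undefined : Math.max(...ranks);
}

// Split a batch into events that may be written to `dataset` and events held
// back. Only an explicit isPublic === false lifts the ceiling.
function partitionForDataset(dataset, events, maxPublicTlp = 'clear') {
  const ceiling = dataset.isPublic === false ? Infinity : tlpRank(maxPublicTlp);
  if (ceiling === undefined) throw new RangeError(`unknown TLP ceiling: ${maxPublicTlp}`);
  const allowed = [];
  const blocked = [];
  events.forEach((event, index) => {
    const rank = effectiveTlpRank(event);
    if (rank === undefined) {
      blocked.push({ index, reason: 'unrecognised tlp label' });
    } else if (rank > ceiling) {
      blocked.push({ index, reason: 'tlp exceeds ceiling for public dataset' });
    } else {
      allowed.push({ index, event });
    }
  });
  return { allowed, blocked };
}

// bulkCreate reports eventIndex relative to the array that was submitted.
// After filtering, translate it back to positions in the caller's batch.
function reconcileBulkResult(allowed, response) {
  const toOriginal = (i) => (allowed[i] ? allowed[i].index : -1);
  return {
    created: (response.createdEvents ?? []).map((c) => ({ index: toOriginal(c.eventIndex), uuid: c.uuid })),
    failed: (response.errors ?? []).map((e) => ({ index: toOriginal(e.eventIndex), error: e.error })),
  };
}

// Reads the dataset, filters the batch, submits what is allowed and reports
// created / failed / blocked by original index. `client` is a Cloudflare SDK client.
async function guardedBulkCreate(client, accountId, datasetId, events) {
  const dataset = await client.cloudforceOne.threatEvents.datasets.get(datasetId, {
    account_id: accountId,
  });
  const { allowed, blocked } = partitionForDataset(dataset, events);
  if (allowed.length === 0) return { created: [], failed: [], blocked };
  const response = await client.cloudforceOne.threatEvents.bulkCreate({
    account_id: accountId,
    data: allowed.map((a) => a.event),
    datasetId,
    includeCreatedEvents: true,
  });
  return { ...reconcileBulkResult(allowed, response), blocked };
}

// Constructed sample batch (not real intelligence).
const base = { category: 'Domain Resolution', date: '2022-04-01T00:00:00Z' };
const SAMPLE_EVENTS = [
  { ...base, event: 'constructed event A', raw: { data: null }, tlp: 'clear' },
  { ...base, event: 'constructed event B', raw: { data: null }, tlp: 'amber' },
  { ...base, event: 'constructed event C', raw: { data: null, tlp: 'red' }, tlp: 'clear' },
  { ...base, event: 'constructed event D', raw: { data: null }, tlp: 'TLP:GREEN' },
  { ...base, event: 'constructed event E', raw: { data: null }, tlp: 'internal' },
];

// Constructed run: a public dataset accepts only the first sample event.
const demo = partitionForDataset({ isPublic: true, uuid: 'constructed-dataset-id' }, SAMPLE_EVENTS);
console.log(demo.allowed.map((a) => a.index), demo.blocked);
```

Event C shows why `raw.tlp` is checked as well: the event itself is labelled `clear`, but its raw record is `red`, so it is held back from a public dataset.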
### Returns

- `DatasetEditResponse`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.cloudforceOne.threatEvents.datasets.edit(
  '182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e',
  {
    account_id: 'account_id',
    isPublic: true,
    name: 'x',
  },
);

console.log(response.uuid);
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Reads raw data for an event by UUID

`client.cloudforceOne.threatEvents.datasets.raw(string datasetId, string eventId, DatasetRawParams params, RequestOptions options?): DatasetRawResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/raw/{dataset_id}/{event_id}`

Retrieves the raw data associated with an event. Searches across all shards in the dataset.

### Parameters

- `datasetId: string` Dataset ID.
- `eventId: string` Event ID.
- `params: DatasetRawParams`
  - `account_id: string` Account ID.
### Returns

- `DatasetRawResponse`
  - `id: number`
  - `accountId: number`
  - `created: string`
  - `data: string`
  - `source: string`
  - `tlp: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.cloudforceOne.threatEvents.datasets.raw('dataset_id', 'event_id', {
  account_id: 'account_id',
});

console.log(response.id);
```

#### Response

```json
{
  "id": 1,
  "accountId": 1234,
  "created": "1970-01-01T00:00:00.000Z",
  "data": "{\"foo\": \"bar\"}",
  "source": "https://example.com",
  "tlp": "amber"
}
```

## Domain Types

### Dataset List Response

- `DatasetListResponse = Array`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Get Response

- `DatasetGetResponse`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Create Response

- `DatasetCreateResponse`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Edit Response

- `DatasetEditResponse`
  - `isPublic: boolean`
  - `name: string`
  - `uuid: string`

### Dataset Raw Response

- `DatasetRawResponse`
  - `id: number`
  - `accountId: number`
  - `created: string`
  - `data: string`
  - `source: string`
  - `tlp: string`

# Health

# Indicator Types

## Lists all indicator types

`client.cloudforceOne.threatEvents.indicatorTypes.list(params: IndicatorTypeListParams, options?: RequestOptions): IndicatorTypeListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/indicatorTypes`

This method is deprecated. Please use `/events/dataset/:dataset_id/indicatorTypes` instead.

### Parameters

- `params: IndicatorTypeListParams`
  - `account_id: string` Account ID.
### Returns

- `IndicatorTypeListResponse`
  - `items: Items`
    - `type: string`
  - `type: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const indicatorTypes = await client.cloudforceOne.threatEvents.indicatorTypes.list({
  account_id: 'account_id',
});

console.log(indicatorTypes.items);
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Indicator Type List Response

- `IndicatorTypeListResponse`
  - `items: Items`
    - `type: string`
  - `type: string`

# Raw

## Reads data for a raw event

`client.cloudforceOne.threatEvents.raw.get(eventId: string, rawId: string, params: RawGetParams, options?: RequestOptions): RawGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}`

Reads data for a raw event

### Parameters

- `eventId: string` Event UUID.
- `rawId: string` Raw Event UUID.
- `params: RawGetParams`
  - `account_id: string` Account ID.

### Returns

- `RawGetResponse`
  - `id: string`
  - `accountId: number`
  - `created: string`
  - `data: unknown`
  - `source: string`
  - `tlp: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const raw = await client.cloudforceOne.threatEvents.raw.get('event_id', 'raw_id', {
  account_id: 'account_id',
});

console.log(raw.id);
```

#### Response

```json
{
  "id": "1234",
  "accountId": 1234,
  "created": "1970-01-01",
  "data": {},
  "source": "https://example.com",
  "tlp": "amber"
}
```

## Updates a raw event

`client.cloudforceOne.threatEvents.raw.edit(eventId: string, rawId: string, params: RawEditParams, options?: RequestOptions): RawEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}`

Updates a raw event

### Parameters

- `eventId: string` Event UUID.
- `rawId: string` Raw Event UUID.
- `params: RawEditParams`
  - `account_id: string` Path param: Account ID.
  - `data?: unknown` Body param
  - `source?: string` Body param
  - `tlp?: string` Body param

### Returns

- `RawEditResponse`
  - `id: string`
  - `data: unknown`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const response = await client.cloudforceOne.threatEvents.raw.edit('event_id', 'raw_id', {
  account_id: 'account_id',
});

console.log(response.id);
```

#### Response

```json
{
  "id": "1234",
  "data": {}
}
```

## Domain Types

### Raw Get Response

- `RawGetResponse`
  - `id: string`
  - `accountId: number`
  - `created: string`
  - `data: unknown`
  - `source: string`
  - `tlp: string`

### Raw Edit Response

- `RawEditResponse`
  - `id: string`
  - `data: unknown`

# Relate

## Removes an event reference

`client.cloudforceOne.threatEvents.relate.delete(eventId: string, params: RelateDeleteParams, options?: RequestOptions): RelateDeleteResponse`

**delete** `/accounts/{account_id}/cloudforce-one/events/relate/{event_id}`

Removes an event reference

### Parameters

- `eventId: string` Event UUID.
- `params: RelateDeleteParams`
  - `account_id: string` Account ID.
### Returns

- `RelateDeleteResponse`
  - `success: boolean`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const relate = await client.cloudforceOne.threatEvents.relate.delete('event_id', {
  account_id: 'account_id',
});

console.log(relate.success);
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Domain Types

### Relate Delete Response

- `RelateDeleteResponse`
  - `success: boolean`

# Tags

## Creates a new tag

`client.cloudforceOne.threatEvents.tags.create(params: TagCreateParams, options?: RequestOptions): TagCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/tags/create`

Creates a new tag to be used across threat events.

### Parameters

- `params: TagCreateParams`
  - `account_id: string` Path param: Account ID.
  - `value: string` Body param
  - `activeDuration?: string` Body param
  - `actorCategory?: string` Body param
  - `aliasGroupNames?: Array` Body param
  - `aliasGroupNamesInternal?: Array` Body param
  - `analyticPriority?: number` Body param
  - `attributionConfidence?: string` Body param
  - `attributionOrganization?: string` Body param
  - `categoryUuid?: string` Body param
  - `externalReferenceLinks?: Array` Body param
  - `internalDescription?: string` Body param
  - `motive?: string` Body param
  - `opsecLevel?: string` Body param
  - `originCountryISO?: string` Body param
  - `priority?: number` Body param
  - `sophisticationLevel?: string` Body param

### Returns

- `TagCreateResponse`
  - `uuid: string`
  - `value: string`
  - `activeDuration?: string`
  - `actorCategory?: string`
  - `aliasGroupNames?: Array`
  - `aliasGroupNamesInternal?: Array`
  - `analyticPriority?: number`
  - `attributionConfidence?: string`
  - `attributionOrganization?: string`
  - `categoryName?: string`
  - `categoryUuid?: string`
  - `externalReferenceLinks?: Array`
  - `internalDescription?: string`
  - `motive?: string`
  - `opsecLevel?: string`
  - `originCountryISO?: string`
  - `priority?: number`
  - `sophisticationLevel?: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const tag = await client.cloudforceOne.threatEvents.tags.create({
  account_id: 'account_id',
  value: 'APT28',
});

console.log(tag.uuid);
```

#### Response

```json
{
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "value": "APT28",
  "activeDuration": "activeDuration",
  "actorCategory": "actorCategory",
  "aliasGroupNames": [
    "string"
  ],
  "aliasGroupNamesInternal": [
    "string"
  ],
  "analyticPriority": 0,
  "attributionConfidence": "attributionConfidence",
  "attributionOrganization": "attributionOrganization",
  "categoryName": "Nation State",
  "categoryUuid": "12345678-1234-1234-1234-1234567890ab",
  "externalReferenceLinks": [
    "string"
  ],
  "internalDescription": "internalDescription",
  "motive": "motive",
  "opsecLevel": "opsecLevel",
  "originCountryISO": "originCountryISO",
  "priority": 0,
  "sophisticationLevel": "sophisticationLevel"
}
```

## Domain Types

### Tag Create Response

- `TagCreateResponse`
  - `uuid: string`
  - `value: string`
  - `activeDuration?: string`
  - `actorCategory?: string`
  - `aliasGroupNames?: Array`
  - `aliasGroupNamesInternal?: Array`
  - `analyticPriority?: number`
  - `attributionConfidence?: string`
  - `attributionOrganization?: string`
  - `categoryName?: string`
  - `categoryUuid?: string`
  - `externalReferenceLinks?: Array`
  - `internalDescription?: string`
  - `motive?: string`
  - `opsecLevel?: string`
  - `originCountryISO?: string`
  - `priority?: number`
  - `sophisticationLevel?: string`

# Event Tags

## Adds a tag to an event

`client.cloudforceOne.threatEvents.eventTags.create(eventId: string, params: EventTagCreateParams, options?: RequestOptions): EventTagCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}/create`

Adds a tag to an event

### Parameters

- `eventId: string` Event UUID.
- `params: EventTagCreateParams`
  - `account_id: string` Path param: Account ID.
  - `tags: Array` Body param

### Returns

- `EventTagCreateResponse`
  - `success: boolean`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const eventTag = await client.cloudforceOne.threatEvents.eventTags.create('event_id', {
  account_id: 'account_id',
  tags: ['botnet'],
});

console.log(eventTag.success);
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Removes a tag from an event

`client.cloudforceOne.threatEvents.eventTags.delete(eventId: string, params: EventTagDeleteParams, options?: RequestOptions): EventTagDeleteResponse`

**delete** `/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}`

Removes a tag from an event

### Parameters

- `eventId: string` Event UUID.
- `params: EventTagDeleteParams`
  - `account_id: string` Account ID.

### Returns

- `EventTagDeleteResponse`
  - `success: boolean`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const eventTag = await client.cloudforceOne.threatEvents.eventTags.delete('event_id', {
  account_id: 'account_id',
});

console.log(eventTag.success);
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Domain Types

### Event Tag Create Response

- `EventTagCreateResponse`
  - `success: boolean`

### Event Tag Delete Response

- `EventTagDeleteResponse`
  - `success: boolean`

# Target Industries

## Lists target industries across multiple datasets

`client.cloudforceOne.threatEvents.targetIndustries.list(params: TargetIndustryListParams, options?: RequestOptions): TargetIndustryListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/targetIndustries`

Lists target industries across multiple datasets

### Parameters

- `params: TargetIndustryListParams`
  - `account_id: string` Path param: Account ID.
  - `datasetIds?: Array` Query param: Array of dataset IDs to query target industries from. If not provided, uses the default dataset.

### Returns

- `TargetIndustryListResponse`
  - `items: Items`
    - `type: string`
  - `type: string`

### Example

```node
import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const targetIndustries = await client.cloudforceOne.threatEvents.targetIndustries.list({
  account_id: 'account_id',
});

console.log(targetIndustries.items);
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Target Industry List Response

- `TargetIndustryListResponse`
  - `items: Items`
    - `type: string`
  - `type: string`

# Insights