Filter and list events

client.cloudforceOne.threatEvents.list(, ?): ThreatEventListResponse { attacker, attackerCountry, category, 24 more }

GET/accounts/{account_id}/cloudforce-one/events

Use datasetId=all or datasetId=* to query all event datasets for the account (limited to 10). When datasetId is unspecified, events are listed from the default Cloudforce One Threat Events dataset. To list existing datasets, use the List Datasets endpoint.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

Accepted Permissions (at least one required)

Cloudforce One WriteCloudforce One Read

ParametersExpand Collapse

params: ThreatEventListParams { account_id, cursor, datasetId, 7 more }

account_id: string

Path param: Account ID.

cursor?: string

Query param: Cursor for pagination. When provided, filters are embedded in the cursor so you only need to pass cursor and pageSize. Returned in the previous response’s result_info.cursor field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance.

datasetId?: Array<string>

Query param: Dataset IDs to query events from (array of UUIDs), or special value ‘all’ or ’*’ to query all event datasets for the account. If not provided, uses the default dataset.

forceRefresh?: boolean

Query param

format?: "json" | "stix2" | "taxii"

Query param

One of the following:

"json"

"stix2"

"taxii"

order?: "asc" | "desc"

Query param

One of the following:

"asc"

"desc"

orderBy?: string

Query param

page?: number

Query param: Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead.

pageSize?: number

Query param: Number of results per page. Maximum 25,000.

search?: Array<Search>

Query param

field?: string

Event field to search on. Allowed: attacker, attackerCountry, category, createdAt, date, event, indicator, indicatorType, killChain, mitreAttack, tags, targetCountry, targetIndustry, tlp, uuid.

op?: "equals" | "not" | "gt" | 9 more

Search operator. Use ‘in’ for bulk lookup of up to 100 values at once, e.g. {field:‘tags’, op:‘in’, value:[‘malware’,‘apt’]}.

One of the following:

"equals"

"not"

"gt"

"gte"

"lt"

"lte"

"like"

"contains"

"startsWith"

"endsWith"

"in"

"find"

value?: string | number | Array<string | number>

Search value. String or number for most operators. Array for ‘in’ operator (max 100 items).

One of the following:

string

number

Array<string | number>

One of the following:

string

number

ReturnsExpand Collapse

ThreatEventListResponse = Array<ThreatEventListResponseItem>

attacker: string

attackerCountry: string

category: string

datasetId: string

date: string

event: string

hasChildren: boolean

indicator: string

indicatorType: string

indicatorTypeId: number

killChain: number

mitreAttack: Array<string>

mitreCapec: Array<string>

numReferenced: number

numReferences: number

rawId: string

referenced: Array<string>

referencedIds: Array<number>

references: Array<string>

referencesIds: Array<number>

tags: Array<string>

targetCountry: string

targetIndustry: string

tlp: string

uuid: string

insight?: string

releasabilityId?: string

Filter and list events

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const threatEvents = await client.cloudforceOne.threatEvents.list({ account_id: 'account_id' });

console.log(threatEvents);

[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]

Returns Examples

[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [
      " "
    ],
    "mitreCapec": [
      " "
    ],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [
      " "
    ],
    "referencedIds": [
      0
    ],
    "references": [
      " "
    ],
    "referencesIds": [
      0
    ],
    "tags": [
      "malware"
    ],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]