# Threat Events

## Filter and list events

`cloudforce_one.threat_events.list(**kwargs: ThreatEventListParams) -> ThreatEventListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events`

When `datasetId` is unspecified, events will be listed from the `Cloudforce One Threat Events` dataset. To list existing datasets (and their IDs), use the [`List Datasets`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/list/) endpoint. You must also provide query parameters.

### Parameters

- `account_id: str`
  Account ID.
- `cursor: Optional[str]`
  Cursor for pagination. When provided, filters are embedded in the cursor, so you only need to pass `cursor` and `pageSize`. Returned in the previous response's `result_info.cursor` field. Use cursor-based pagination for deep pagination (beyond 100,000 records) or for optimal performance.
- `dataset_id: Optional[SequenceNotStr[str]]`
- `force_refresh: Optional[bool]`
- `format: Optional[Literal["json", "stix2"]]`
  - `"json"`
  - `"stix2"`
- `order: Optional[Literal["asc", "desc"]]`
  - `"asc"`
  - `"desc"`
- `order_by: Optional[str]`
- `page: Optional[float]`
  Page number (1-indexed) for offset-based pagination. Limited to offset of 100,000 records. For deep pagination, use cursor-based pagination instead.
- `page_size: Optional[float]`
  Number of results per page. Maximum 25,000.
- `search: Optional[Iterable[Search]]`
  - `field: Optional[str]`
    Event field to search on. Allowed: attacker, attackerCountry, category, createdAt, date, event, indicator, indicatorType, killChain, mitreAttack, tags, targetCountry, targetIndustry, tlp, uuid.
  - `op: Optional[Literal["equals", "not", "gt", 9 more]]`
    Search operator. Use 'in' for bulk lookup of up to 100 values at once, e.g. `{field:'tags', op:'in', value:['malware','apt']}`.
    - `"equals"`
    - `"not"`
    - `"gt"`
    - `"gte"`
    - `"lt"`
    - `"lte"`
    - `"like"`
    - `"contains"`
    - `"startsWith"`
    - `"endsWith"`
    - `"in"`
    - `"find"`
  - `value: Optional[Union[str, float, SequenceNotStr[Union[str, float]]]]`
    Search value. String or number for most operators. Array for 'in' operator (max 100 items).
    - `str`
    - `float`
    - `SequenceNotStr[Union[str, float]]`
      - `str`
      - `float`

### Returns

- `List[ThreatEventListResponseItem]`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
threat_events = client.cloudforce_one.threat_events.list(
    account_id="account_id",
)
print(threat_events)
```

#### Response

```json
[
  {
    "attacker": "Flying Yeti",
    "attackerCountry": "CN",
    "category": "Domain Resolution",
    "datasetId": "dataset-example-id",
    "date": "2022-04-01T00:00:00Z",
    "event": "An attacker registered the domain domain.com",
    "hasChildren": true,
    "indicator": "domain.com",
    "indicatorType": "domain",
    "indicatorTypeId": 5,
    "killChain": 0,
    "mitreAttack": [" "],
    "mitreCapec": [" "],
    "numReferenced": 0,
    "numReferences": 0,
    "rawId": "453gw34w3",
    "referenced": [" "],
    "referencedIds": [0],
    "references": [" "],
    "referencesIds": [0],
    "tags": ["malware"],
    "targetCountry": "US",
    "targetIndustry": "Agriculture",
    "tlp": "amber",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "insight": "insight",
    "releasabilityId": "releasabilityId"
  }
]
```

## Reads an event

`cloudforce_one.threat_events.get(event_id: str, **kwargs: ThreatEventGetParams) -> ThreatEventGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/{event_id}`

This method is deprecated. Please use `/events/dataset/:dataset_id/events/:event_id` instead.

### Parameters

- `account_id: str`
  Account ID.
- `event_id: str`
  Event UUID.

### Returns

- `class ThreatEventGetResponse: …`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
threat_event = client.cloudforce_one.threat_events.get(
    event_id="event_id",
    account_id="account_id",
)
print(threat_event.uuid)
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Creates a new event

`cloudforce_one.threat_events.create(**kwargs: ThreatEventCreateParams) -> ThreatEventCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/create`

To create a dataset, see the [`Create Dataset`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/create/) endpoint. When the `datasetId` parameter is unspecified, the event will be created in a default dataset named `Cloudforce One Threat Events`.

### Parameters

- `account_id: str`
  Account ID.
- `category: str`
- `date: Union[str, datetime]`
- `event: str`
- `raw: Raw`
  - `data: Optional[Dict[str, object]]`
  - `source: Optional[str]`
  - `tlp: Optional[str]`
- `tlp: str`
- `account_id: Optional[float]`
- `attacker: Optional[str]`
- `attacker_country: Optional[str]`
- `dataset_id: Optional[str]`
- `indicator: Optional[str]`
- `indicators: Optional[Iterable[Indicator]]`
  Array of indicators for this event. Supports multiple indicators per event for complex scenarios.
  - `indicator_type: str`
    The type of indicator (e.g., DOMAIN, IP, JA3, HASH)
  - `value: str`
    The indicator value (e.g., domain name, IP address, hash)
- `indicator_type: Optional[str]`
- `insight: Optional[str]`
- `tags: Optional[SequenceNotStr[str]]`
- `target_country: Optional[str]`
- `target_industry: Optional[str]`

### Returns

- `class ThreatEventCreateResponse: …`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Example

```python
import os
from datetime import datetime
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
threat_event = client.cloudforce_one.threat_events.create(
    path_account_id="account_id",
    category="Domain Resolution",
    date=datetime.fromisoformat("2022-04-01T00:00:00"),
    event="An attacker registered the domain domain.com",
    raw={
        "data": {
            "foo": "bar"
        }
    },
    tlp="amber",
)
print(threat_event.uuid)
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Updates an event

`cloudforce_one.threat_events.edit(event_id: str, **kwargs: ThreatEventEditParams) -> ThreatEventEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/{event_id}`

Updates an event

### Parameters

- `account_id: str`
  Account ID.
- `event_id: str`
  Event UUID.
- `dataset_id: str`
  Dataset ID containing the event to update.
- `attacker: Optional[str]`
- `attacker_country: Optional[str]`
- `category: Optional[str]`
- `created_at: Optional[Union[str, datetime]]`
- `date: Optional[Union[str, datetime]]`
- `event: Optional[str]`
- `indicator: Optional[str]`
- `indicator_type: Optional[str]`
- `insight: Optional[str]`
- `raw: Optional[Raw]`
  - `data: Optional[Dict[str, object]]`
  - `source: Optional[str]`
  - `tlp: Optional[str]`
- `target_country: Optional[str]`
- `target_industry: Optional[str]`
- `tlp: Optional[str]`

### Returns

- `class ThreatEventEditResponse: …`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.cloudforce_one.threat_events.edit(
    event_id="event_id",
    account_id="account_id",
    dataset_id="9b769969-a211-466c-8ac3-cb91266a066a",
)
print(response.uuid)
```

#### Response

```json
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [" "],
  "mitreCapec": [" "],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [" "],
  "referencedIds": [0],
  "references": [" "],
  "referencesIds": [0],
  "tags": ["malware"],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
```

## Creates bulk events

`cloudforce_one.threat_events.bulk_create(**kwargs: ThreatEventBulkCreateParams) -> ThreatEventBulkCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/create/bulk`

The `datasetId` parameter must be defined. To list existing datasets (and their IDs) in your account, use the [`List Datasets`](https://developers.cloudflare.com/api/resources/cloudforce_one/subresources/threat_events/subresources/datasets/methods/list/) endpoint.

### Parameters

- `account_id: str`
  Account ID.
- `data: Iterable[Data]`
  - `category: str`
  - `date: Union[str, datetime]`
  - `event: str`
  - `raw: DataRaw`
    - `data: Optional[Dict[str, object]]`
    - `source: Optional[str]`
    - `tlp: Optional[str]`
  - `tlp: str`
  - `account_id: Optional[float]`
  - `attacker: Optional[str]`
  - `attacker_country: Optional[str]`
  - `dataset_id: Optional[str]`
  - `indicator: Optional[str]`
  - `indicators: Optional[Iterable[DataIndicator]]`
    Array of indicators for this event. Supports multiple indicators per event for complex scenarios.
    - `indicator_type: str`
      The type of indicator (e.g., DOMAIN, IP, JA3, HASH)
    - `value: str`
      The indicator value (e.g., domain name, IP address, hash)
  - `indicator_type: Optional[str]`
  - `insight: Optional[str]`
  - `tags: Optional[SequenceNotStr[str]]`
  - `target_country: Optional[str]`
  - `target_industry: Optional[str]`
- `dataset_id: str`
- `include_created_events: Optional[bool]`
  When true, response includes array of created event UUIDs and shard IDs. Useful for tracking which events were created and where.

### Returns

- `class ThreatEventBulkCreateResponse: …`
  Detailed result of bulk event creation with auto-tag management
  - `created_events_count: float`
    Number of events created
  - `created_tags_count: float`
    Number of new tags created in SoT
  - `error_count: float`
    Number of errors encountered
  - `queued_indicators_count: float`
    Number of indicators queued for async processing
  - `create_bulk_events_request_id: Optional[str]`
    Correlation ID for async indicator processing
  - `created_events: Optional[List[CreatedEvent]]`
    Array of created events with UUIDs and shard locations. Only present when `includeCreatedEvents=true`
    - `event_index: float`
      Original index in the input data array
    - `shard_id: str`
      Dataset ID of the shard where the event was created
    - `uuid: str`
      UUID of the created event
  - `errors: Optional[List[Error]]`
    Array of error details
    - `error: str`
      Error message
    - `event_index: float`
      Index of the event that caused the error

### Example

```python
import os
from datetime import datetime
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.cloudforce_one.threat_events.bulk_create(
    account_id="account_id",
    data=[{
        "category": "Domain Resolution",
        "date": datetime.fromisoformat("2022-04-01T00:00:00"),
        "event": "An attacker registered the domain domain.com",
        "raw": {
            "data": {
                "foo": "bar"
            }
        },
        "tlp": "amber",
    }],
    dataset_id="durableObjectName",
)
print(response.created_events_count)
```

#### Response

```json
{
  "createdEventsCount": 0,
  "createdTagsCount": 0,
  "errorCount": 0,
  "queuedIndicatorsCount": 0,
  "createBulkEventsRequestId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
  "createdEvents": [
    {
      "eventIndex": 0,
      "shardId": "shardId",
      "uuid": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    }
  ],
  "errors": [
    {
      "error": "error",
      "eventIndex": 0
    }
  ]
}
```

## Domain Types

### Threat Event List Response

- `List[ThreatEventListResponseItem]`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Threat Event Get Response

- `class ThreatEventGetResponse: …`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Threat Event Create Response

- `class ThreatEventCreateResponse: …`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Threat Event Edit Response

- `class ThreatEventEditResponse: …`
  - `attacker: str`
  - `attacker_country: str`
  - `category: str`
  - `dataset_id: str`
  - `date: str`
  - `event: str`
  - `has_children: bool`
  - `indicator: str`
  - `indicator_type: str`
  - `indicator_type_id: float`
  - `kill_chain: float`
  - `mitre_attack: List[str]`
  - `mitre_capec: List[str]`
  - `num_referenced: float`
  - `num_references: float`
  - `raw_id: str`
  - `referenced: List[str]`
  - `referenced_ids: List[float]`
  - `references: List[str]`
  - `references_ids: List[float]`
  - `tags: List[str]`
  - `target_country: str`
  - `target_industry: str`
  - `tlp: str`
  - `uuid: str`
  - `insight: Optional[str]`
  - `releasability_id: Optional[str]`

### Threat Event Bulk Create Response

- `class ThreatEventBulkCreateResponse: …`
  Detailed result of bulk event creation with auto-tag management
  - `created_events_count: float`
    Number of events created
  - `created_tags_count: float`
    Number of new tags created in SoT
  - `error_count: float`
    Number of errors encountered
  - `queued_indicators_count: float`
    Number of indicators queued for async processing
  - `create_bulk_events_request_id: Optional[str]`
    Correlation ID for async indicator processing
  - `created_events: Optional[List[CreatedEvent]]`
    Array of created events with UUIDs and shard locations. Only present when `includeCreatedEvents=true`
    - `event_index: float`
      Original index in the input data array
    - `shard_id: str`
      Dataset ID of the shard where the event was created
    - `uuid: str`
      UUID of the created event
  - `errors: Optional[List[Error]]`
    Array of error details
    - `error: str`
      Error message
    - `event_index: float`
      Index of the event that caused the error

# Attackers

## Lists attackers across multiple datasets

`cloudforce_one.threat_events.attackers.list(**kwargs: AttackerListParams) -> AttackerListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/attackers`

Lists attackers across multiple datasets

### Parameters

- `account_id: str`
  Account ID.
- `dataset_ids: Optional[SequenceNotStr[str]]`
  Array of dataset IDs to query attackers from. If not provided, uses the default dataset.

### Returns

- `class AttackerListResponse: …`
  - `items: Items`
    - `type: str`
  - `type: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
attackers = client.cloudforce_one.threat_events.attackers.list(
    account_id="account_id",
)
print(attackers.items)
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Attacker List Response

- `class AttackerListResponse: …`
  - `items: Items`
    - `type: str`
  - `type: str`

# Categories

## Lists categories across multiple datasets

`cloudforce_one.threat_events.categories.list(**kwargs: CategoryListParams) -> CategoryListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/categories`

Lists categories across multiple datasets

### Parameters

- `account_id: str`
  Account ID.
- `dataset_ids: Optional[SequenceNotStr[str]]`
  Array of dataset IDs to query categories from. If not provided, uses the default dataset.

### Returns

- `List[CategoryListResponseItem]`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
categories = client.cloudforce_one.threat_events.categories.list(
    account_id="account_id",
)
print(categories)
```

#### Response

```json
[
  {
    "killChain": 0,
    "name": "name",
    "uuid": "12345678-1234-1234-1234-1234567890ab",
    "mitreAttack": ["T1234"],
    "mitreCapec": ["123"],
    "shortname": "shortname"
  }
]
```

## Reads a category

`cloudforce_one.threat_events.categories.get(category_id: str, **kwargs: CategoryGetParams) -> CategoryGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Reads a category

### Parameters

- `account_id: str`
  Account ID.
- `category_id: str`
  Category UUID.

### Returns

- `class CategoryGetResponse: …`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
category = client.cloudforce_one.threat_events.categories.get(
    category_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(category.uuid)
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Creates a new category

`cloudforce_one.threat_events.categories.create(**kwargs: CategoryCreateParams) -> CategoryCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/categories/create`

Creates a new category

### Parameters

- `account_id: str`
  Account ID.
- `kill_chain: float`
- `name: str`
- `mitre_attack: Optional[SequenceNotStr[str]]`
- `mitre_capec: Optional[SequenceNotStr[str]]`
- `shortname: Optional[str]`

### Returns

- `class CategoryCreateResponse: …`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
category = client.cloudforce_one.threat_events.categories.create(
    account_id="account_id",
    kill_chain=0,
    name="name",
)
print(category.uuid)
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Updates a category

`cloudforce_one.threat_events.categories.edit(category_id: str, **kwargs: CategoryEditParams) -> CategoryEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Updates a category

### Parameters

- `account_id: str`
  Account ID.
- `category_id: str`
  Category UUID.
- `kill_chain: Optional[float]`
- `mitre_attack: Optional[SequenceNotStr[str]]`
- `mitre_capec: Optional[SequenceNotStr[str]]`
- `name: Optional[str]`
- `shortname: Optional[str]`

### Returns

- `class CategoryEditResponse: …`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.cloudforce_one.threat_events.categories.edit(
    category_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(response.uuid)
```

#### Response

```json
{
  "killChain": 0,
  "name": "name",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "mitreAttack": ["T1234"],
  "mitreCapec": ["123"],
  "shortname": "shortname"
}
```

## Deletes a category

`cloudforce_one.threat_events.categories.delete(category_id: str, **kwargs: CategoryDeleteParams) -> CategoryDeleteResponse`

**delete** `/accounts/{account_id}/cloudforce-one/events/categories/{category_id}`

Deletes a category

### Parameters

- `account_id: str`
  Account ID.
- `category_id: str`
  Category UUID.

### Returns

- `class CategoryDeleteResponse: …`
  - `uuid: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
category = client.cloudforce_one.threat_events.categories.delete(
    category_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(category.uuid)
```

#### Response

```json
{
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Domain Types

### Category List Response

- `List[CategoryListResponseItem]`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Category Get Response

- `class CategoryGetResponse: …`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Category Create Response

- `class CategoryCreateResponse: …`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Category Edit Response

- `class CategoryEditResponse: …`
  - `kill_chain: float`
  - `name: str`
  - `uuid: str`
  - `mitre_attack: Optional[List[str]]`
  - `mitre_capec: Optional[List[str]]`
  - `shortname: Optional[str]`

### Category Delete Response

- `class CategoryDeleteResponse: …`
  - `uuid: str`

# Countries

## Retrieves countries information for all countries

`cloudforce_one.threat_events.countries.list(**kwargs: CountryListParams) -> CountryListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/countries`

Retrieves countries information for all countries

### Parameters

- `account_id: str`
  Account ID.

### Returns

- `List[CountryListResponseItem]`
  - `result: List[CountryListResponseItemResult]`
    - `alpha3: str`
    - `name: str`
  - `success: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
countries = client.cloudforce_one.threat_events.countries.list(
    account_id="account_id",
)
print(countries)
```

#### Response

```json
[
  {
    "result": [
      {
        "alpha3": "AF",
        "name": "Afghanistan"
      }
    ],
    "success": "true"
  }
]
```

## Domain Types

### Country List Response

- `List[CountryListResponseItem]`
  - `result: List[CountryListResponseItemResult]`
    - `alpha3: str`
    - `name: str`
  - `success: str`

# Crons

# Datasets

## Lists all datasets in an account

`cloudforce_one.threat_events.datasets.list(**kwargs: DatasetListParams) -> DatasetListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/dataset`

Lists all datasets in an account

### Parameters

- `account_id: str`
  Account ID.

### Returns

- `List[DatasetListResponseItem]`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
datasets = client.cloudforce_one.threat_events.datasets.list(
    account_id="account_id",
)
print(datasets)
```

#### Response

```json
[
  {
    "isPublic": true,
    "name": "friendly dataset name",
    "uuid": "12345678-1234-1234-1234-1234567890ab"
  }
]
```

## Reads a dataset

`cloudforce_one.threat_events.datasets.get(dataset_id: str, **kwargs: DatasetGetParams) -> DatasetGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}`

Reads a dataset

### Parameters

- `account_id: str`
  Account ID.
- `dataset_id: str`
  Dataset ID.

### Returns

- `class DatasetGetResponse: …`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
dataset = client.cloudforce_one.threat_events.datasets.get(
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
)
print(dataset.uuid)
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Creates a dataset

`cloudforce_one.threat_events.datasets.create(**kwargs: DatasetCreateParams) -> DatasetCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/dataset/create`

Creates a dataset

### Parameters

- `account_id: str`
  Account ID.
- `is_public: bool`
  If true, then anyone can search the dataset. If false, then it's limited to the account.
- `name: str`
  Used to describe the dataset within the account context.

### Returns

- `class DatasetCreateResponse: …`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
dataset = client.cloudforce_one.threat_events.datasets.create(
    account_id="account_id",
    is_public=True,
    name="x",
)
print(dataset.uuid)
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Updates an existing dataset

`cloudforce_one.threat_events.datasets.edit(dataset_id: str, **kwargs: DatasetEditParams) -> DatasetEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/dataset/{dataset_id}`

Updates an existing dataset

### Parameters

- `account_id: str`
  Account ID.
- `dataset_id: str`
  Dataset ID.
- `is_public: bool`
  If true, then anyone can search the dataset. If false, then it's limited to the account.
- `name: str`
  Used to describe the dataset within the account context.

### Returns

- `class DatasetEditResponse: …`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.cloudforce_one.threat_events.datasets.edit(
    dataset_id="182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    account_id="account_id",
    is_public=True,
    name="x",
)
print(response.uuid)
```

#### Response

```json
{
  "isPublic": true,
  "name": "friendly dataset name",
  "uuid": "12345678-1234-1234-1234-1234567890ab"
}
```

## Reads raw data for an event by UUID

`cloudforce_one.threat_events.datasets.raw(event_id: str, **kwargs: DatasetRawParams) -> DatasetRawResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/raw/{dataset_id}/{event_id}`

Retrieves the raw data associated with an event. Searches across all shards in the dataset.

### Parameters

- `account_id: str`
  Account ID.
- `dataset_id: str`
  Dataset ID.
- `event_id: str`
  Event ID.

### Returns

- `class DatasetRawResponse: …`
  - `id: float`
  - `account_id: float`
  - `created: str`
  - `data: str`
  - `source: str`
  - `tlp: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.cloudforce_one.threat_events.datasets.raw(
    event_id="event_id",
    account_id="account_id",
    dataset_id="dataset_id",
)
print(response.id)
```

#### Response

```json
{
  "id": 1,
  "accountId": 1234,
  "created": "1970-01-01T00:00:00.000Z",
  "data": "{\"foo\": \"bar\"}",
  "source": "https://example.com",
  "tlp": "amber"
}
```

## Domain Types

### Dataset List Response

- `List[DatasetListResponseItem]`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Dataset Get Response

- `class DatasetGetResponse: …`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Dataset Create Response

- `class DatasetCreateResponse: …`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Dataset Edit Response

- `class DatasetEditResponse: …`
  - `is_public: bool`
  - `name: str`
  - `uuid: str`

### Dataset Raw Response

- `class DatasetRawResponse: …`
  - `id: float`
  - `account_id: float`
  - `created: str`
  - `data: str`
  - `source: str`
  - `tlp: str`

# Health

# Indicator Types

## Lists all indicator types

`cloudforce_one.threat_events.indicator_types.list(**kwargs: IndicatorTypeListParams) -> IndicatorTypeListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/indicatorTypes`

This method is deprecated. Please use `/events/dataset/:dataset_id/indicatorTypes` instead.

### Parameters

- `account_id: str`
  Account ID.
### Returns

- `class IndicatorTypeListResponse: …`

  - `items: Items`

    - `type: str`

  - `type: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
indicator_types = client.cloudforce_one.threat_events.indicator_types.list(
    account_id="account_id",
)
print(indicator_types.items)
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Indicator Type List Response

- `class IndicatorTypeListResponse: …`

  - `items: Items`

    - `type: str`

  - `type: str`

# Raw

## Reads data for a raw event

`cloudforce_one.threat_events.raw.get(strraw_id, RawGetParams**kwargs) -> RawGetResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}`

Reads data for a raw event

### Parameters

- `account_id: str`

  Account ID.

- `event_id: str`

  Event UUID.

- `raw_id: str`

  Raw Event UUID.

### Returns

- `class RawGetResponse: …`

  - `id: str`

  - `account_id: float`

  - `created: str`

  - `data: object`

  - `source: str`

  - `tlp: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
raw = client.cloudforce_one.threat_events.raw.get(
    raw_id="raw_id",
    account_id="account_id",
    event_id="event_id",
)
print(raw.id)
```

#### Response

```json
{
  "id": "1234",
  "accountId": 1234,
  "created": "1970-01-01",
  "data": {},
  "source": "https://example.com",
  "tlp": "amber"
}
```

## Updates a raw event

`cloudforce_one.threat_events.raw.edit(strraw_id, RawEditParams**kwargs) -> RawEditResponse`

**patch** `/accounts/{account_id}/cloudforce-one/events/{event_id}/raw/{raw_id}`

Updates a raw event

### Parameters

- `account_id: str`

  Account ID.

- `event_id: str`

  Event UUID.

- `raw_id: str`

  Raw Event UUID.
- `data: Optional[object]`

- `source: Optional[str]`

- `tlp: Optional[str]`

### Returns

- `class RawEditResponse: …`

  - `id: str`

  - `data: object`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
response = client.cloudforce_one.threat_events.raw.edit(
    raw_id="raw_id",
    account_id="account_id",
    event_id="event_id",
)
print(response.id)
```

#### Response

```json
{
  "id": "1234",
  "data": {}
}
```

## Domain Types

### Raw Get Response

- `class RawGetResponse: …`

  - `id: str`

  - `account_id: float`

  - `created: str`

  - `data: object`

  - `source: str`

  - `tlp: str`

### Raw Edit Response

- `class RawEditResponse: …`

  - `id: str`

  - `data: object`

# Relate

## Removes an event reference

`cloudforce_one.threat_events.relate.delete(strevent_id, RelateDeleteParams**kwargs) -> RelateDeleteResponse`

**delete** `/accounts/{account_id}/cloudforce-one/events/relate/{event_id}`

Removes an event reference

### Parameters

- `account_id: str`

  Account ID.

- `event_id: str`

  Event UUID.

### Returns

- `class RelateDeleteResponse: …`

  - `success: bool`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
relate = client.cloudforce_one.threat_events.relate.delete(
    event_id="event_id",
    account_id="account_id",
)
print(relate.success)
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Domain Types

### Relate Delete Response

- `class RelateDeleteResponse: …`

  - `success: bool`

# Tags

## Creates a new tag

`cloudforce_one.threat_events.tags.create(TagCreateParams**kwargs) -> TagCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/tags/create`

Creates a new tag to be used across threat events.

### Parameters

- `account_id: str`

  Account ID.
- `value: str`

- `active_duration: Optional[str]`

- `actor_category: Optional[str]`

- `alias_group_names: Optional[SequenceNotStr[str]]`

- `alias_group_names_internal: Optional[SequenceNotStr[str]]`

- `analytic_priority: Optional[float]`

- `attribution_confidence: Optional[str]`

- `attribution_organization: Optional[str]`

- `category_uuid: Optional[str]`

- `external_reference_links: Optional[SequenceNotStr[str]]`

- `internal_description: Optional[str]`

- `motive: Optional[str]`

- `opsec_level: Optional[str]`

- `origin_country_iso: Optional[str]`

- `priority: Optional[float]`

- `sophistication_level: Optional[str]`

### Returns

- `class TagCreateResponse: …`

  - `uuid: str`

  - `value: str`

  - `active_duration: Optional[str]`

  - `actor_category: Optional[str]`

  - `alias_group_names: Optional[List[str]]`

  - `alias_group_names_internal: Optional[List[str]]`

  - `analytic_priority: Optional[float]`

  - `attribution_confidence: Optional[str]`

  - `attribution_organization: Optional[str]`

  - `category_name: Optional[str]`

  - `category_uuid: Optional[str]`

  - `external_reference_links: Optional[List[str]]`

  - `internal_description: Optional[str]`

  - `motive: Optional[str]`

  - `opsec_level: Optional[str]`

  - `origin_country_iso: Optional[str]`

  - `priority: Optional[float]`

  - `sophistication_level: Optional[str]`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
tag = client.cloudforce_one.threat_events.tags.create(
    account_id="account_id",
    value="APT28",
)
print(tag.uuid)
```

#### Response

```json
{
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "value": "APT28",
  "activeDuration": "activeDuration",
  "actorCategory": "actorCategory",
  "aliasGroupNames": [
    "string"
  ],
  "aliasGroupNamesInternal": [
    "string"
  ],
  "analyticPriority": 0,
  "attributionConfidence": "attributionConfidence",
  "attributionOrganization": "attributionOrganization",
  "categoryName": "Nation State",
  "categoryUuid": "12345678-1234-1234-1234-1234567890ab",
  "externalReferenceLinks": [
    "string"
  ],
  "internalDescription": "internalDescription",
  "motive": "motive",
  "opsecLevel": "opsecLevel",
  "originCountryISO": "originCountryISO",
  "priority": 0,
  "sophisticationLevel": "sophisticationLevel"
}
```

## Domain Types

### Tag Create Response

- `class TagCreateResponse: …`

  - `uuid: str`

  - `value: str`

  - `active_duration: Optional[str]`

  - `actor_category: Optional[str]`

  - `alias_group_names: Optional[List[str]]`

  - `alias_group_names_internal: Optional[List[str]]`

  - `analytic_priority: Optional[float]`

  - `attribution_confidence: Optional[str]`

  - `attribution_organization: Optional[str]`

  - `category_name: Optional[str]`

  - `category_uuid: Optional[str]`

  - `external_reference_links: Optional[List[str]]`

  - `internal_description: Optional[str]`

  - `motive: Optional[str]`

  - `opsec_level: Optional[str]`

  - `origin_country_iso: Optional[str]`

  - `priority: Optional[float]`

  - `sophistication_level: Optional[str]`

# Event Tags

## Adds a tag to an event

`cloudforce_one.threat_events.event_tags.create(strevent_id, EventTagCreateParams**kwargs) -> EventTagCreateResponse`

**post** `/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}/create`

Adds a tag to an event

### Parameters

- `account_id: str`

  Account ID.

- `event_id: str`

  Event UUID.
- `tags: SequenceNotStr[str]`

### Returns

- `class EventTagCreateResponse: …`

  - `success: bool`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
event_tag = client.cloudforce_one.threat_events.event_tags.create(
    event_id="event_id",
    account_id="account_id",
    tags=["botnet"],
)
print(event_tag.success)
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Removes a tag from an event

`cloudforce_one.threat_events.event_tags.delete(strevent_id, EventTagDeleteParams**kwargs) -> EventTagDeleteResponse`

**delete** `/accounts/{account_id}/cloudforce-one/events/event_tag/{event_id}`

Removes a tag from an event

### Parameters

- `account_id: str`

  Account ID.

- `event_id: str`

  Event UUID.

### Returns

- `class EventTagDeleteResponse: …`

  - `success: bool`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
event_tag = client.cloudforce_one.threat_events.event_tags.delete(
    event_id="event_id",
    account_id="account_id",
)
print(event_tag.success)
```

#### Response

```json
{
  "result": {
    "success": true
  },
  "success": true
}
```

## Domain Types

### Event Tag Create Response

- `class EventTagCreateResponse: …`

  - `success: bool`

### Event Tag Delete Response

- `class EventTagDeleteResponse: …`

  - `success: bool`

# Target Industries

## Lists target industries across multiple datasets

`cloudforce_one.threat_events.target_industries.list(TargetIndustryListParams**kwargs) -> TargetIndustryListResponse`

**get** `/accounts/{account_id}/cloudforce-one/events/targetIndustries`

Lists target industries across multiple datasets

### Parameters

- `account_id: str`

  Account ID.

- `dataset_ids: Optional[SequenceNotStr[str]]`

  Array of dataset IDs to query target industries from. If not provided, uses the default dataset.
### Returns

- `class TargetIndustryListResponse: …`

  - `items: Items`

    - `type: str`

  - `type: str`

### Example

```python
import os
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
target_industries = client.cloudforce_one.threat_events.target_industries.list(
    account_id="account_id",
)
print(target_industries.items)
```

#### Response

```json
{
  "items": {
    "type": "string"
  },
  "type": "array"
}
```

## Domain Types

### Target Industry List Response

- `class TargetIndustryListResponse: …`

  - `items: Items`

    - `type: str`

  - `type: str`

# Insights