
Creates a new event

cloudforce_one.threat_events.create(**kwargs: ThreatEventCreateParams) -> ThreatEventCreateResponse
POST /accounts/{account_id}/cloudforce-one/events/create

To create a dataset, see the Create Dataset endpoint. When the datasetId parameter is unspecified, the event is created in a default dataset named Cloudforce One Threat Events.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
Accepted Permissions (at least one required)
Cloudforce One Write, Cloudforce One Read
Parameters
account_id: str

Account ID.

category: str
date: Union[str, datetime]
format: date-time
event: str
raw: Raw
    data: Optional[Dict[str, object]]
    source: Optional[str]
    tlp: Optional[str]
tlp: str
account_id: Optional[float]
attacker: Optional[str]
attacker_country: Optional[str]
dataset_id: Optional[str]
indicator: Optional[str]
indicators: Optional[Iterable[Indicator]]

Array of indicators for this event. Supports multiple indicators per event for complex scenarios.

    indicator_type: str

    The type of indicator (e.g., DOMAIN, IP, JA3, HASH)

    value: str

    The indicator value (e.g., domain name, IP address, hash)

indicator_type: Optional[str]
insight: Optional[str]
tags: Optional[SequenceNotStr[str]]
target_country: Optional[str]
target_industry: Optional[str]
Returns
class ThreatEventCreateResponse:
    attacker: str
    attacker_country: str
    category: str
    dataset_id: str
    date: str
    event: str
    has_children: bool
    indicator: str
    indicator_type: str
    indicator_type_id: float
    kill_chain: float
    mitre_attack: List[str]
    mitre_capec: List[str]
    num_referenced: float
    num_references: float
    raw_id: str
    referenced: List[str]
    referenced_ids: List[float]
    references: List[str]
    references_ids: List[float]
    tags: List[str]
    target_country: str
    target_industry: str
    tlp: str
    uuid: str
    insight: Optional[str]
    releasability_id: Optional[str]

Creates a new event

import os
from datetime import datetime
from cloudflare import Cloudflare

client = Cloudflare(
    api_token=os.environ.get("CLOUDFLARE_API_TOKEN"),  # This is the default and can be omitted
)
threat_event = client.cloudforce_one.threat_events.create(
    path_account_id="account_id",
    category="Domain Resolution",
    date=datetime.fromisoformat("2022-04-01T00:00:00"),
    event="An attacker registered the domain domain.com",
    raw={
        "data": {
            "foo": "bar"
        }
    },
    tlp="amber",
)
print(threat_event.uuid)
Returns Examples
{
  "attacker": "Flying Yeti",
  "attackerCountry": "CN",
  "category": "Domain Resolution",
  "datasetId": "dataset-example-id",
  "date": "2022-04-01T00:00:00Z",
  "event": "An attacker registered the domain domain.com",
  "hasChildren": true,
  "indicator": "domain.com",
  "indicatorType": "domain",
  "indicatorTypeId": 5,
  "killChain": 0,
  "mitreAttack": [
    " "
  ],
  "mitreCapec": [
    " "
  ],
  "numReferenced": 0,
  "numReferences": 0,
  "rawId": "453gw34w3",
  "referenced": [
    " "
  ],
  "referencedIds": [
    0
  ],
  "references": [
    " "
  ],
  "referencesIds": [
    0
  ],
  "tags": [
    "malware"
  ],
  "targetCountry": "US",
  "targetIndustry": "Agriculture",
  "tlp": "amber",
  "uuid": "12345678-1234-1234-1234-1234567890ab",
  "insight": "insight",
  "releasabilityId": "releasabilityId"
}
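
The `indicators`, `tlp` and `date` parameters listed above can be checked locally before the request is sent, so defanged or malformed values never land in the dataset. This is an added example, not code from the Cloudflare SDK or its documentation; `refang`, `normalize_indicator`, `build_event_params`, the validation patterns and the TLP label set are assumptions of the example.

```python
import ipaddress
import re
from datetime import timezone

# Assumptions of this example: TLP 2.0 labels (the page only shows "amber")
# and a simplified ASCII host name pattern.
TLP_LABELS = {"red", "amber+strict", "amber", "green", "clear"}
_HEX = re.compile(r"^[0-9a-f]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(value):
    """Undo common analyst defanging so the stored indicator is matchable."""
    return value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize_indicator(indicator_type, value):
    """Return one `indicators` entry, or raise ValueError if value does not fit its type."""
    kind, value = indicator_type.upper(), refang(value).lower()
    if kind == "IP":
        value = str(ipaddress.ip_address(value))  # ValueError on malformed input
    elif kind == "DOMAIN":
        value = value.rstrip(".")
        if not _DOMAIN.match(value):
            raise ValueError(f"not a domain name: {value!r}")
    elif kind in ("HASH", "JA3"):
        # JA3 is an MD5 digest; HASH accepts MD5, SHA-1 or SHA-256 lengths.
        lengths = (32,) if kind == "JA3" else (32, 40, 64)
        if not _HEX.match(value) or len(value) not in lengths:
            raise ValueError(f"not a {kind} digest: {value!r}")
    else:
        raise ValueError(f"unsupported indicator type: {indicator_type!r}")
    return {"indicator_type": kind, "value": value}


def build_event_params(account_id, category, event, when, tlp, indicators, raw_data):
    """Build keyword arguments for threat_events.create() after local validation."""
    if tlp.lower() not in TLP_LABELS:
        raise ValueError(f"unknown TLP label: {tlp!r}")
    if when.tzinfo is None:
        raise ValueError("date must be timezone-aware")  # avoid silent local-time skew
    return {
        "path_account_id": account_id,
        "category": category,
        "event": event,
        "date": when.astimezone(timezone.utc),
        "tlp": tlp.lower(),
        "raw": {"data": raw_data},
        "indicators": [normalize_indicator(t, v) for t, v in indicators],
    }
```

Pass the returned dictionary as `client.cloudforce_one.threat_events.create(**params)`.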